Cybersecurity specialists report the detection of a set of vulnerabilities in Istio, the open source service mesh platform that controls the exchange of data between microservices. According to the report, successful exploitation of these flaws would allow a range of malicious actions, from authorization bypass to denial of service.

Below are brief descriptions of the reported flaws and their respective scores assigned by the Common Vulnerability Scoring System (CVSS).

CVE-2021-32777: A bug in the ext-authz extension when sending request headers to the external authorization service in Envoy would allow remote threat actors to evade the authorization process and gain unauthorized access to the application when using the ext-authz extension.

This is a medium-severity vulnerability and received a CVSS score of 6.3/10.

CVE-2021-32781: A use-after-free error when processing HTTP requests and responses in Envoy would allow remote hackers to send a specially crafted HTTP request or response to the application, leading to a denial-of-service (DoS) attack.

The flaw received a CVSS score of 5.2/10 and its successful exploitation requires the presence of an extension capable of modifying the size of the requests or responses, although this does not mean that the exploitation is a complex process. 

CVE-2021-32778: Envoy is configured with a high limit on simultaneous H/2 streams, which could be exploited by remote attackers to generate a DoS condition on the target system.

This is a flaw of medium severity and received a CVSS score of 4.6/10.

CVE-2021-32780: Improper handling of an H/2 GOAWAY frame followed by SETTINGS frames would allow remote attackers to generate a DoS condition on the target system.

The vulnerability received a CVSS score of 6.4/10.

CVE-2021-39155: An error in case-insensitive host comparison would allow remote attackers to send a specially crafted request to evade authorization on the target system.

The flaw received a CVSS score of 7.2/10, so it is considered a high severity error.

CVE-2021-39156: Improper implementation of authorization controls would allow remote threat actors to send specially crafted HTTP requests with #fragment on the path and evade authorization on the affected system. 

This vulnerability received a CVSS score of 7.1/10.

CVE-2021-32779: Improper handling of the “#fragment” URI element as part of the path element allows remote attackers to send a specially crafted request and gain unauthorized access to sensitive information.

The flaw received a CVSS score of 7.5/10, making it the most severe error in this report.
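The host-comparison and “#fragment” flaws above (CVE-2021-39155, CVE-2021-39156 and CVE-2021-32779) share one root cause: a policy is matched against the raw request while the backend treats a differently spelled request as the same resource. The following Go sketch is an added example, not code from Istio or Envoy; the `Rule` and `Request` types, the function names and the sample hosts and paths are constructed for illustration. It compares a byte-for-byte matcher with one that normalizes first and lists the requests on which the two disagree.

```go
package main

import (
	"fmt"
	"strings"
)

// Rule is a simplified DENY rule (hypothetical model, not Istio's policy type).
type Rule struct{ Host, Path string }

// Request holds the raw host and path values as received by the proxy.
type Request struct{ Host, Path string }

// naiveDenied matches the raw values byte for byte.
func naiveDenied(r Rule, req Request) bool {
	return req.Host == r.Host && req.Path == r.Path
}

// hardenedDenied normalizes before matching: host names are compared
// case-insensitively and any "#fragment" suffix is dropped from the path.
func hardenedDenied(r Rule, req Request) bool {
	host := strings.ToLower(req.Host)
	path := req.Path
	if i := strings.IndexByte(path, '#'); i >= 0 {
		path = path[:i]
	}
	return host == strings.ToLower(r.Host) && path == r.Path
}

// mismatches returns the requests on which the two matchers disagree,
// i.e. requests that slip past the naive DENY rule.
func mismatches(r Rule, reqs []Request) []Request {
	var out []Request
	for _, q := range reqs {
		if naiveDenied(r, q) != hardenedDenied(r, q) {
			out = append(out, q)
		}
	}
	return out
}

func main() {
	rule := Rule{"admin.example.com", "/admin"}
	// Constructed sample requests.
	reqs := []Request{{"admin.example.com", "/admin"}, {"Admin.Example.COM", "/admin"},
		{"admin.example.com", "/admin#section"}, {"admin.example.com", "/public"}}
	for _, q := range mismatches(rule, reqs) {
		fmt.Printf("naive rule missed: host=%q path=%q\n", q.Host, q.Path)
	}
}
```

A regression test of this shape, run against a real policy engine's decisions, is a quick way to confirm that an upgraded deployment evaluates equivalent spellings of a request identically.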

According to cybersecurity experts, all flaws reside in the following versions of Istio: 1.9.0, 1.9.1, 1.9.2, 1.9.3, 1.9.4, 1.9.5, 1.9.6, 1.9.7, 1.10.0, 1.10.1, 1.10.2, 1.10.3 and 1.11.0.

While all flaws can be exploited remotely by unauthenticated threat actors, no active exploitation attempts have been detected so far. Still, users of affected deployments are encouraged to upgrade as soon as possible.
