ISTIO-SECURITY-2020-009 - Istio Io

Istio is vulnerable to a newly discovered vulnerability:

CVE-2020-16844: Callers to TCP services that have a defined Authorization Policies with DENY actions using wildcard suffixes (e.g. *-some-suffix) for source principals or namespace fields will never be denied access.
- CVSS Score: 6.8 AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

Istio users are exposed to this vulnerability in the following ways:

If the user has an Authorization similar to

{{< text yaml >}} apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: foo namespace: foo spec: action: DENY rules:

from:
- source: principals:
  - */ns/ns1/sa/foo # indicating any trust domain, ns1 namespace, foo svc account {{< /text >}}

Istio translates the principal (and source.principal) field to an Envoy level string match

{{< text yaml >}} stringMatch: suffix: spiffe:///ns/ns1/sa/foo {{< /text >}}

which will not match any legitimate caller as it included the spiffe:// string incorrectly. The correct string match should be

{{< text yaml >}} stringMatch: regex: spiffe://.*/ns/ns1/sa/foo {{< /text >}}

Prefix and exact matches in AuthorizationPolicy is unaffected, as are ALLOW actions in them; HTTP is also unaffected.

Mitigation

For Istio 1.5.x deployments: update to Istio 1.5.9 or later.
For Istio 1.6.x deployments: update to Istio 1.6.8 or later.
Do not use suffix matching in DENY policies in the source principal or namespace field for TCP services and use Prefix and Exact matching where applicable. Where possible change TCP to HTTP for port name suffixes in your Services.