CVE-2024-23325 Overview
CVE-2024-23325 is a denial of service vulnerability in Envoy, a high-performance edge, middle, and service proxy. The flaw causes Envoy to crash when the Proxy Protocol listener filter receives an address family that the host operating system does not support. Specifically, an Envoy instance running on a host with IPv6 disabled and a listener configured with Proxy Protocol enabled crashes when a client presents an IPv6 address. Clients are permitted to present IPv6 addresses even when the underlying connection chain uses IPv4, so the condition is reachable in ordinary deployments. The issue is tracked under [CWE-248] Uncaught Exception and [CWE-755] Improper Handling of Exceptional Conditions.
Critical Impact
A remote unauthenticated client can crash Envoy instances by sending Proxy Protocol headers containing IPv6 addresses when the host has IPv6 disabled, resulting in service disruption.
Affected Products
- Envoy versions prior to 1.26.7
- Envoy versions 1.27.0 through 1.27.2
- Envoy versions 1.28.0 and 1.29.0
Discovery Timeline
- 2024-02-09 - CVE-2024-23325 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2024-23325
Vulnerability Analysis
The vulnerability resides in Envoy's Proxy Protocol listener filter, which parses the original client address carried in the PROXY header of incoming connections. When Envoy receives a Proxy Protocol header containing an IPv6 source address on a host where the kernel does not support AF_INET6, the address instantiation path fails to handle the unsupported protocol family. The unhandled error condition propagates as an uncaught exception, terminating the Envoy process.
The Proxy Protocol specification permits clients to advertise an address family that differs from the transport carrying the header. A client connected over IPv4 can legitimately present an IPv6 source address, which the proxy is expected to honor. Envoy's address validation logic returned a failure status for unsupported address families, but the connection was not gracefully rejected; instead the process terminated.
Root Cause
The root cause is improper handling of an exceptional condition during address instantiation. The validateProtocolSupported() check returned absl::FailedPreconditionError for unsupported families, but the calling code path in the Proxy Protocol filter did not check the returned status before constructing dependent objects. The result is an uncaught exception classified under [CWE-248] and [CWE-755].
Attack Vector
Exploitation requires only network access to a Proxy Protocol enabled listener. An unauthenticated attacker sends a TCP connection prefaced with a Proxy Protocol v1 or v2 header advertising an IPv6 source address. If the Envoy host has IPv6 disabled in the kernel, the process crashes. The attack requires no privileges and no user interaction.
// Patch excerpt: source/common/network/address_impl.cc
+namespace {
+bool force_ipv4_unsupported_for_test = false;
+}
+
+Cleanup Ipv4Instance::forceProtocolUnsupportedForTest(bool new_val) {
+ bool old_val = force_ipv4_unsupported_for_test;
+ force_ipv4_unsupported_for_test = new_val;
+ return Cleanup([old_val]() { force_ipv4_unsupported_for_test = old_val; });
+}
+
absl::Status Ipv4Instance::validateProtocolSupported() {
static const bool supported = SocketInterfaceSingleton::get().ipFamilySupported(AF_INET);
- if (supported) {
+ if (supported && !force_ipv4_unsupported_for_test) {
return absl::OkStatus();
}
return absl::FailedPreconditionError("IPv4 addresses are not supported on this machine");
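Review bot: this hunk is test scaffolding for the IPv4 path only: the new `force_ipv4_unsupported_for_test` flag and `Ipv4Instance::forceProtocolUnsupportedForTest()` let a test simulate an unsupported family, and ANDing the flag into `validateProtocolSupported()` does not by itself change how the Proxy Protocol filter reacts to the `FailedPreconditionError`, so the excerpt should also show, or the caption should point to, the filter-side change and the Ipv6Instance counterpart that actually stop the crash. Also, `force_ipv4_unsupported_for_test` is a plain non-atomic global written by the hook and read on every `validateProtocolSupported()` call, so either document that the hook must run before worker threads start or make it `std::atomic<bool>`.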
Source: Envoy GitHub Commit bacd310
Detection Methods for CVE-2024-23325
Indicators of Compromise
- Unexpected Envoy process termination or restart events on hosts with IPv6 disabled
- Inbound TCP connections beginning with the Proxy Protocol v2 signature bytes (0x0D 0x0A 0x0D 0x0A 0x00 0x0D 0x0A 0x51 0x55 0x49 0x54 0x0A), followed by the version/command byte (0x21) and a family/transport byte carrying the IPv6 address family (0x21 for TCP over IPv6), or a v1 header line beginning with PROXY TCP6
- Repeated client connections from the same source preceding Envoy crash loops
Detection Strategies
- Monitor Envoy server.live and listener.downstream_cx_destroy_remote statistics for anomalous spikes correlated with process restarts
- Inspect orchestrator events (Kubernetes, systemd) for SIGABRT or non-zero exit codes from Envoy containers or processes
- Deploy network sensors to flag Proxy Protocol headers presenting IPv6 source addresses to listeners on IPv4-only hosts
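As an added illustration of the indicator and sensor logic above (this is example code, not from the Envoy project or the advisory), the following Python classifies a leading PROXY protocol v1 or v2 header by advertised address family and flags the combination that crashes an unpatched instance: an IPv6 family presented to a host with IPv6 disabled. The sample headers are constructed for the example, and the host check is a Linux-only mirror of sysctl net.ipv6.conf.all.disable_ipv6.

```python
# Added example (not from Envoy or its advisory): classify PROXY protocol
# headers by advertised address family and flag the IPv6-on-IPv4-only-host
# case described for CVE-2024-23325. Sample headers are constructed here.
import struct

PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"  # 0D 0A 0D 0A 00 0D 0A 51 55 49 54 0A
V2_FAMILIES = {0x0: "UNSPEC", 0x1: "AF_INET", 0x2: "AF_INET6", 0x3: "AF_UNIX"}
V1_FAMILIES = {b"TCP4": "AF_INET", b"TCP6": "AF_INET6", b"UNKNOWN": "UNSPEC"}


def proxy_header_family(data: bytes):
    """Return (version, family) for a leading PROXY v1/v2 header, else None."""
    if data.startswith(PP2_SIGNATURE) and len(data) >= 16:
        ver_cmd, fam_tp = data[12], data[13]   # offset 12: version/command, 13: family/transport
        if ver_cmd >> 4 != 0x2:                # upper nibble must be protocol version 2
            return None
        family = V2_FAMILIES.get(fam_tp >> 4)  # upper nibble of byte 13 is the address family
        return ("v2", family) if family else None
    if data.startswith(b"PROXY "):             # v1 is a text line: PROXY TCP4|TCP6|UNKNOWN ...
        fields = data.partition(b"\r\n")[0].split(b" ")
        family = V1_FAMILIES.get(fields[1]) if len(fields) >= 2 else None
        return ("v1", family) if family else None
    return None


def is_crash_trigger(data: bytes, host_ipv6_enabled: bool) -> bool:
    """True when the header advertises AF_INET6 to a host without IPv6 support."""
    parsed = proxy_header_family(data)
    return parsed is not None and parsed[1] == "AF_INET6" and not host_ipv6_enabled


def host_ipv6_enabled(path="/proc/sys/net/ipv6/conf/all/disable_ipv6") -> bool:
    """Linux-only equivalent of `sysctl net.ipv6.conf.all.disable_ipv6`;
    assumes IPv6 is enabled when the file does not exist (non-Linux host)."""
    try:
        with open(path) as f:
            return f.read().strip() == "0"
    except OSError:
        return True


def build_v2_header(family_byte: int, addr_block: bytes) -> bytes:
    """Constructed v2 header: signature, ver/cmd 0x21, family/transport, length, addresses."""
    return PP2_SIGNATURE + b"\x21" + bytes([family_byte]) + struct.pack("!H", len(addr_block)) + addr_block


# Constructed samples using documentation addresses (2001:db8::1 -> 2001:db8::2, 203.0.113.5 -> 198.51.100.7).
SAMPLE_V2_IPV6 = build_v2_header(0x21, bytes.fromhex("20010db8" + "00" * 11 + "01") + bytes.fromhex("20010db8" + "00" * 11 + "02") + struct.pack("!HH", 40000, 443))
SAMPLE_V2_IPV4 = build_v2_header(0x11, bytes([203, 0, 113, 5, 198, 51, 100, 7]) + struct.pack("!HH", 40000, 443))
SAMPLE_V1_IPV6 = b"PROXY TCP6 2001:db8::1 2001:db8::2 40000 443\r\n"

if __name__ == "__main__":
    for name, sample in [("v2 IPv6", SAMPLE_V2_IPV6), ("v2 IPv4", SAMPLE_V2_IPV4), ("v1 IPv6", SAMPLE_V1_IPV6)]:
        print(name, proxy_header_family(sample), "crash trigger:", is_crash_trigger(sample, host_ipv6_enabled()))
```

A sensor only needs the first 16 bytes of each new connection to apply this classification; a hit on an IPv4-only host before the fix is applied is worth correlating with the restart events listed above.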
Monitoring Recommendations
- Forward Envoy stdout, stderr, and crash dumps to a centralized logging pipeline for correlation with upstream connection metadata
- Alert on Envoy pod restart counts exceeding baseline within short time windows
- Track Proxy Protocol parse failures via the proxy_proto.not_found_disallowed and related listener filter statistics
How to Mitigate CVE-2024-23325
Immediate Actions Required
- Upgrade Envoy to a fixed release: 1.29.1, 1.28.1, 1.27.3, or 1.26.7
- Inventory all Envoy deployments and identify hosts running with IPv6 disabled at the kernel level
- Restrict Proxy Protocol enabled listeners to trusted upstream load balancers using network ACLs until patching is complete
Patch Information
The Envoy maintainers addressed the issue in commit bacd310 and published advisory GHSA-5m7c-mrwr-pm26. Fixed releases are Envoy 1.29.1, 1.28.1, 1.27.3, and 1.26.7. See the Envoy Security Advisory GHSA-5m7c-mrwr-pm26 and the upstream patch commit for technical details.
Workarounds
- No software workarounds exist according to the upstream advisory; upgrading is required
- Operators may enable IPv6 at the kernel level on affected hosts as a defensive measure, since the crash requires an IPv6-disabled host
- Place affected Envoy instances behind a trusted L4 load balancer that terminates and regenerates Proxy Protocol headers from validated sources
# Verify Envoy version and IPv6 kernel status
envoy --version
sysctl net.ipv6.conf.all.disable_ipv6
# Upgrade example for container deployments
docker pull envoyproxy/envoy:v1.29.1
kubectl set image deployment/envoy envoy=envoyproxy/envoy:v1.29.1
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.