CVE-2024-23327 Overview
CVE-2024-23327 is a null pointer dereference vulnerability [CWE-476] in Envoy, the high-performance edge, middle, and service proxy widely deployed in service mesh and ingress gateway architectures. When PROXY Protocol v2 (PPv2) is enabled on both a listener and a subsequent cluster, the Envoy instance segfaults while attempting to craft the upstream PPv2 header. The crash occurs when a downstream request carries a LOCAL command type and omits the protocol address block. A remote attacker can trigger the condition by sending crafted PPv2 frames, producing a denial of service. The issue is fixed in releases 1.29.1, 1.28.1, 1.27.3, and 1.26.7.
Critical Impact
An unauthenticated network attacker can crash Envoy worker processes by sending a PPv2 LOCAL command without a protocol block, disrupting all traffic flowing through the proxy.
Affected Products
- Envoy 1.29.0 (fixed in 1.29.1)
- Envoy 1.28.0 (fixed in 1.28.1)
- Envoy 1.27.x prior to 1.27.3
- Envoy 1.26.x prior to 1.26.7
Discovery Timeline
- 2024-02-09 - CVE-2024-23327 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2024-23327
Vulnerability Analysis
The defect lives in Envoy's PROXY Protocol v2 handling path. PPv2 prepends connection metadata, including source and destination IPs and ports, to TCP streams so downstream proxies can preserve the original client identity. The protocol defines two command types: PROXY, which carries connection addressing, and LOCAL, which signals locally-originated traffic such as a load balancer health check and contains no address block.
When Envoy operates with PPv2 enabled on a listener and on an upstream cluster, it must regenerate a PPv2 header for the upstream connection. The code path that builds the upstream header dereferences proxy_proto_data.src_addr_ and proxy_proto_data.dst_addr_ without first verifying that those pointers are populated. For LOCAL commands the address block is absent, leaving the pointers null and causing a segmentation fault in the worker process.
Root Cause
The root cause is missing input validation in source/extensions/common/proxy_protocol/proxy_protocol_header.cc. The function assumed every parsed PPv2 frame produced valid source and destination IP structures, an invariant that does not hold for LOCAL commands. The listener filter in source/extensions/filters/listener/proxy_protocol/proxy_protocol.cc also failed to populate filter state correctly for the LOCAL command branch, propagating an inconsistent ProxyProtocolData object downstream.
Attack Vector
An attacker who can establish a TCP connection to an Envoy listener configured for PPv2 sends a valid PPv2 v2 header with the command field set to LOCAL (0x20) and no address block. When Envoy proxies the connection upstream and attempts to craft the new PPv2 header, the null pointer dereference crashes the worker. AWS Network Load Balancer health checks naturally produce this traffic pattern, which is how the bug surfaced in production.
// Patch: source/extensions/common/proxy_protocol/proxy_protocol_header.cc
ASSERT(extension_length <= std::numeric_limits<uint16_t>::max());
+ if (proxy_proto_data.src_addr_ == nullptr || proxy_proto_data.src_addr_->ip() == nullptr) {
+ IS_ENVOY_BUG("Missing or incorrect source IP in proxy_proto_data_");
+ return false;
+ }
+ if (proxy_proto_data.dst_addr_ == nullptr || proxy_proto_data.dst_addr_->ip() == nullptr) {
+ IS_ENVOY_BUG("Missing or incorrect dest IP in proxy_proto_data_");
+ return false;
+ }
+
const auto& src = *proxy_proto_data.src_addr_->ip();
const auto& dst = *proxy_proto_data.dst_addr_->ip();
Source: Envoy commit 63895ea
Detection Methods for CVE-2024-23327
Indicators of Compromise
- Envoy worker process crashes with SIGSEGV correlated with PPv2 traffic on a listener
- Kernel or container runtime logs reporting segfaults in the envoy binary referencing proxy_protocol_header.cc
- Sudden drops in upstream connections from front-side load balancers performing TCP health checks
- Repeated TCP connections delivering PPv2 v2 frames with command byte 0x20 (LOCAL) and zero-length address block
Detection Strategies
- Inspect listener configurations for envoy.filters.listener.proxy_protocol paired with upstream clusters using envoy.transport_sockets.upstream_proxy_protocol to identify exposed paths
- Monitor Envoy admin /stats endpoint for increases in server.hot_restart_epoch and worker restart counters indicating crash loops
- Capture packets on PPv2-enabled listeners and decode the first 16 bytes to flag frames with the LOCAL command type
Monitoring Recommendations
- Alert on Envoy process restarts and non-zero exit codes from supervisor systems such as systemd, Kubernetes, or Nomad
- Forward Envoy and container runtime logs to a centralized log platform and create rules for segfault signatures referencing proxy_protocol
- Track upstream connection error rates per cluster to surface availability degradation early
How to Mitigate CVE-2024-23327
Immediate Actions Required
- Upgrade Envoy to 1.29.1, 1.28.1, 1.27.3, or 1.26.7 or later on the corresponding release branch
- Audit all listener and cluster configurations to identify deployments using PPv2 end-to-end
- For service mesh deployments, update the Envoy version bundled with Istio, Consul, or Gloo control planes
Patch Information
The fix adds null pointer checks for src_addr_ and dst_addr_ in the PPv2 header generation path and corrects the listener filter to populate filter state when a LOCAL command is parsed. Review the upstream changes in the Envoy commit 63895ea and the GitHub Security Advisory GHSA-4h5x-x9vh-m29j.
Workarounds
- No reliable workarounds exist according to the upstream advisory; upgrading is required
- Where upgrade is not immediately possible, restrict network exposure of PPv2-enabled listeners to trusted load balancers using network ACLs or security groups
# Verify the running Envoy version matches a fixed release
envoy --version
# Example Kubernetes patch to pin a fixed Envoy image
kubectl set image deployment/envoy envoy=envoyproxy/envoy:v1.29.1
kubectl rollout status deployment/envoy
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
