- Threat: Misconfigured Access Control
- Description: Attacker exploits incorrect Envoy RBAC, route configurations, or external authorization setups. This allows bypassing intended Envoy access restrictions to reach protected backend services or sensitive data managed by Envoy.
- Impact: Data breach, unauthorized access to sensitive functionalities proxied by Envoy, service disruption, privilege escalation within the application managed by Envoy.
- Affected Envoy Component: Router, RBAC Filter, External Authorization Filter, Route Configuration
- Risk Severity: High
- Mitigation Strategies:
- Implement least privilege principle in Envoy access control configurations.
- Thoroughly test Envoy access control policies in staging environments.
- Conduct regular audits of Envoy access control configurations.
- Utilize policy-as-code and automated configuration validation tools for Envoy.
- Threat: Exposed Admin Interface
- Description: Attacker accesses the Envoy admin interface (e.g.,
/stats,/config_dump) if unintentionally exposed. This allows gathering sensitive Envoy configuration and application information, potentially leading to further attacks or manipulation of Envoy itself. - Impact: Information disclosure (Envoy configuration details, statistics), potential for Envoy configuration manipulation if write operations are enabled (less common in production).
- Affected Envoy Component: Admin Interface Module
- Risk Severity: High
- Mitigation Strategies:
- Restrict access to the Envoy admin interface to trusted networks only.
- Implement strong authentication and authorization for Envoy admin interface access (if enabled in production).
- Consider disabling the Envoy admin interface in production if not strictly necessary.
- Use network firewalls and access control lists to limit access to the Envoy admin port.
Threat: 3. Insecure Secrets Management
- Threat: Insecure Secrets Management
- Description: Attacker gains access to secrets (TLS certificates, API keys, credentials) if stored insecurely within Envoy configuration or managed using weak practices. This compromises Envoy's security and the security of upstream services it connects to.
- Impact: Compromise of TLS encryption managed by Envoy, unauthorized access to upstream services proxied by Envoy, data breaches, and potential for lateral movement within the infrastructure.
- Affected Envoy Component: Secret Discovery Service (SDS), Configuration Loading
- Risk Severity: Critical
- Mitigation Strategies:
- Utilize secure secret management solutions (HashiCorp Vault, Kubernetes Secrets, cloud provider secret managers) for Envoy secrets.
- Leverage Envoy's Secret Discovery Service (SDS) to dynamically fetch secrets instead of embedding them in Envoy configuration files.
- Avoid hardcoding secrets in Envoy configuration files.
- Encrypt secrets at rest and in transit within secret management systems used by Envoy.
- Regularly rotate secrets used by Envoy.
- Threat: Configuration Injection/Tampering
- Description: Attacker compromises the source of Envoy configuration and injects malicious configurations. This allows them to manipulate Envoy's behavior, redirect traffic, disable security features, or intercept data processed by Envoy.
- Impact: Complete compromise of Envoy's proxying behavior, redirection of traffic to malicious destinations via Envoy, disabling Envoy security features, data interception by compromised Envoy, and potential for wider system compromise.
- Affected Envoy Component: Configuration Loading, Control Plane Communication (xDS)
- Risk Severity: Critical
- Mitigation Strategies:
- Secure access to Envoy configuration sources and control plane infrastructure.
- Implement integrity checks and signing for Envoy configuration files.
- Use mutual TLS (mTLS) for communication between Envoy and the control plane.
- Employ version control and auditing for Envoy configuration changes.
- Implement role-based access control for Envoy configuration management systems.
- Threat: Protocol Parsing Vulnerabilities
- Description: Attacker sends malformed requests exploiting bugs in Envoy's protocol parsing implementations (HTTP/1.1, HTTP/2, HTTP/3, gRPC, etc.). This can lead to crashes, memory corruption, denial of service of Envoy, or potentially remote code execution within Envoy.
- Impact: Denial of service of Envoy, service instability, potential for remote code execution within Envoy (less likely but possible), and data corruption during proxying.
- Affected Envoy Component: HTTP/1.1 Parser, HTTP/2 Parser, HTTP/3 Parser, gRPC Parser, other protocol parsers
- Risk Severity: High to Critical
- Mitigation Strategies:
- Keep Envoy updated to the latest stable versions to benefit from security patches.
- Monitor security advisories for Envoy and its dependencies.
- Consider using fuzzing and static analysis tools to identify potential vulnerabilities in custom Envoy extensions or configurations.
- Threat: Denial of Service (DoS)
- Description: Attacker overwhelms Envoy with malicious traffic or resource-intensive requests to exhaust its resources and cause service disruption. This directly impacts Envoy's ability to proxy traffic and protect backend services.
- Impact: Service unavailability through Envoy, performance degradation of services proxied by Envoy, impact on dependent services relying on Envoy, and potential financial losses due to service disruption.
- Affected Envoy Component: Connection Management, Request Processing, Rate Limiting Module
- Risk Severity: High
- Mitigation Strategies:
- Implement rate limiting within Envoy at various levels (connection, request, route).
- Set connection limits and request timeouts in Envoy.
- Utilize circuit breaking in Envoy to prevent cascading failures.
- Implement resource quotas and limits for Envoy processes.
- Employ load shedding strategies in Envoy to handle excessive traffic.
- Ensure sufficient resources are allocated to Envoy instances.
- Use network-level DoS protection mechanisms in front of Envoy.
Threat: 7. Bypass of Security Filters
- Threat: Security Filter Bypass
- Description: Attacker crafts requests or exploits vulnerabilities to bypass security filters implemented in Envoy (WAF, authentication, authorization). This circumvents Envoy's intended security controls, allowing access to protected resources or malicious actions.
- Impact: Failure of Envoy security controls, unauthorized access to resources protected by Envoy, data breaches, and potential for exploitation of backend services behind Envoy.
- Affected Envoy Component: WAF Filter, Authentication Filters (e.g., JWT, OAuth2), Authorization Filters (RBAC, External AuthZ), Custom Filters
- Risk Severity: High
- Mitigation Strategies:
- Regularly update and test Envoy security filters to ensure effectiveness.
- Use robust and well-maintained Envoy filter implementations.
- Perform thorough security testing of the entire Envoy configuration and filter chain, including penetration testing.
- Implement layered security controls and defense-in-depth strategies within and around Envoy.
- Monitor Envoy filter logs and alerts for suspicious activity.
Threat: 8. Compromise of Control Plane
- Threat: Control Plane Compromise
- Description: Attacker compromises the control plane system (xDS server) used to manage Envoy. This allows pushing malicious configurations to Envoy proxies, effectively taking control of the proxy fleet and the applications behind them, managed by Envoy.
- Impact: Complete compromise of Envoy infrastructure, redirection of traffic proxied by Envoy, disabling Envoy security features, data interception by compromised Envoy, widespread service disruption, and potential for lateral movement within the infrastructure.
- Affected Envoy Component: Control Plane Communication (xDS), Configuration Loading
- Risk Severity: Critical
- Mitigation Strategies:
- Secure the control plane infrastructure with strong access controls, firewalls, and intrusion detection systems.
- Implement strong authentication and authorization for control plane access.
- Use mTLS for communication between Envoy and the control plane.
- Implement configuration validation and auditing on the control plane.
- Regularly monitor and audit control plane activity.
- Threat: Control Plane MitM Attack
- Description: Attacker intercepts communication between Envoy and the control plane (xDS) to eavesdrop on configuration data or inject malicious configurations in transit. This compromises the integrity and confidentiality of Envoy's management channel.
- Impact: Information disclosure of Envoy configuration data, potential for configuration tampering and injection, leading to similar impacts as control plane compromise, affecting Envoy's behavior and security.
- Affected Envoy Component: Control Plane Communication (xDS)
- Risk Severity: High
- Mitigation Strategies:
- Enforce mTLS for all communication between Envoy and the control plane to ensure confidentiality and integrity.
- Secure the network infrastructure to prevent unauthorized access and MitM attacks.
- Implement network segmentation to isolate control plane communication.
- Threat: Dependency Vulnerabilities
- Description: Attacker exploits known security vulnerabilities in libraries and dependencies used by Envoy (e.g., BoringSSL, gRPC, protobuf). These vulnerabilities can directly impact Envoy's security and stability.
- Impact: Range of impacts depending on the vulnerability, including denial of service of Envoy, remote code execution within Envoy, information disclosure from Envoy, and more.
- Affected Envoy Component: Dependencies (BoringSSL, gRPC, protobuf, etc.)
- Risk Severity: High to Critical
- Mitigation Strategies:
- Regularly update Envoy and its dependencies to the latest versions.
- Monitor security advisories for Envoy and its dependencies.
- Perform dependency scanning to identify potential vulnerabilities in Envoy's dependencies.
- Implement a vulnerability management process to track and remediate dependency vulnerabilities affecting Envoy.
- Threat: Insecure External Integrations
- Description: Attacker exploits security weaknesses in how Envoy integrates with external services (AuthZ, IdP, logging). Vulnerabilities in communication protocols or authentication mechanisms used by Envoy for these integrations can be exploited.
- Impact: Compromise of external services integrated with Envoy, unauthorized access to resources protected by Envoy and external services, data breaches involving data processed by Envoy and external services, and potential for lateral movement between systems.
- Affected Envoy Component: External Authorization Filter, Authentication Filters (e.g., OAuth2/OIDC), Logging/Tracing Integrations
- Risk Severity: High
- Mitigation Strategies:
- Secure communication channels (e.g., mTLS) for Envoy's integrations with external services.
- Implement strong authentication and authorization for Envoy's external service interactions.
- Regularly security assess integrated systems and their communication with Envoy.
- Follow security best practices for Envoy's integration with external services, including input validation and secure data handling.
- Threat: Control Plane DoS
- Description: Attacker launches denial-of-service attacks against the control plane (xDS server), preventing Envoy instances from receiving configuration updates or causing configuration staleness. This impacts Envoy's ability to adapt and maintain security posture.
- Impact: Configuration staleness in Envoy instances, inability to update Envoy configurations, potential service degradation if configuration updates are critical for service operation and security, impacting services proxied by Envoy.
- Affected Envoy Component: Control Plane Communication (xDS), Configuration Management
- Risk Severity: High
- Mitigation Strategies:
- Implement rate limiting and DoS protection for the control plane.
- Ensure high availability and redundancy for the control plane infrastructure (e.g., multiple replicas, load balancing).
- Consider caching mechanisms in Envoy to reduce reliance on real-time control plane communication for every request.
- Monitor control plane health and availability to ensure Envoy management is not disrupted.