Objective: Gain unauthorized access to, disrupt, or exfiltrate data from the application via Envoy
[**Attacker's Goal: Gain unauthorized access to, disrupt, or exfiltrate data from the application via Envoy**]
|
=================================================================================================
|| ||
[DoS via Resource Exhaustion] [**Misconfigure Envoy**] [**Compromise Envoy Management Plane**]
|| || ||
------------------------------- ========================================================= --------------------------
|| || || | | || ||
[Send [**Missing Auth** [**Insecure [Overly [**Lack of [Exposed [**Compromised
malformed **on Listeners**] **TLS Config**] Permissive **Rate Admin Control
requests ] RBAC] Limiting**] Interface] Plane
to Server**]
exhaust
resources]
|| || || | || ||
|| || || | || ||
[Send [**Bypass [Use weak [Grant [**Trigger [**Access [Gain access
malformed intended ciphers, excessive DoS via sensitive to control
requests access insecure permissions high endpoints**] plane
to control**] protocols] to traffic credentials**]
exhaust resources] load**]
resources]
Attack Tree Path: DoS via Resource Exhaustion
- Description: The attacker sends a large number of requests, or specially crafted requests, designed to consume excessive resources (CPU, memory, connections) on the Envoy proxy. This leads to a denial of service, making the application unavailable to legitimate users.
- Attack Steps:
- Send malformed requests to exhaust resources: The attacker crafts requests that are difficult or resource-intensive for Envoy to process. This could involve large request bodies, complex headers, or requests that trigger specific code paths known to be inefficient.
- Likelihood: Medium to High
- Impact: High
- Effort: Low to Medium
- Skill Level: Novice to Intermediate
- Detection Difficulty: Easy to Medium
Attack Tree Path: Misconfigure Envoy (Critical Branch)
-
Description: This branch encompasses various configuration errors that create vulnerabilities.
-
Attack Vectors:
-
**[Missing Authentication on Listeners]
- Description: Envoy listeners are configured without any authentication mechanism (e.g., mTLS, JWT validation). This allows any client to connect and send requests to upstream services.
- Attack Steps:
- Bypass intended access control: The attacker directly accesses services without needing to authenticate, bypassing any intended security checks.
- Likelihood: Medium
- Impact: Very High
- Effort: Very Low
- Skill Level: Novice
- Detection Difficulty: Easy
-
[Insecure TLS Configuration]
- Description: Envoy is configured to use weak ciphers, outdated TLS versions, or improperly validated certificates. This makes the communication vulnerable to interception and man-in-the-middle attacks.
- Attack Steps:
- Use weak ciphers, insecure protocols: The attacker exploits the weak TLS configuration to intercept or modify traffic between the client and Envoy, or between Envoy and upstream services.
- Likelihood: Medium
- Impact: High
- Effort: Low
- Skill Level: Novice
- Detection Difficulty: Easy
-
Overly Permissive RBAC
- Description: Role-Based Access Control (RBAC) rules are configured too broadly, granting clients more permissions than necessary.
- Attack Steps:
- Grant excessive permissions to resources: The attacker, having gained some level of access, leverages the overly permissive RBAC rules to access resources or perform actions they shouldn't be able to.
- Likelihood: Medium
- Impact: High
- Effort: Low
- Skill Level: Intermediate
- Detection Difficulty: Medium
-
[Lack of Rate Limiting]
- Description: Envoy is not configured to limit the rate of requests from clients. This makes the application vulnerable to denial-of-service attacks and brute-force attempts.
- Attack Steps:
- Trigger DoS via high traffic load: The attacker sends a flood of requests to overwhelm the Envoy proxy or upstream services, causing a denial of service.
- Likelihood: High
- Impact: High
- Effort: Low
- Skill Level: Novice
- Detection Difficulty: Easy to Medium
-
Exposed Admin Interface
- Description: The Envoy admin interface (/admin) is exposed to untrusted networks without proper authentication or authorization.
- Attack Steps:
- Access sensitive endpoints: The attacker directly accesses the admin interface, potentially gaining full control over the Envoy instance, viewing sensitive configuration details, or shutting down the proxy.
- Likelihood: Low to Medium
- Impact: Very High
- Effort: Very Low
- Skill Level: Novice
- Detection Difficulty: Easy
-
Attack Tree Path: Compromise Envoy Management Plane (Critical Branch)
- Description: This branch focuses on attacking the control plane that manages Envoy instances.
- Attack Vectors:
- [Compromised Control Plane Server]
- Description: The attacker gains control of the server that manages Envoy configurations (e.g., Istio's control plane, an xDS server). This allows them to push malicious configurations to all Envoy instances.
- Attack Steps:
- Gain access to control plane credentials: The attacker obtains credentials (e.g., API keys, service account tokens) that allow them to authenticate to the control plane and modify configurations. This could be through phishing, exploiting vulnerabilities in the control plane server, or other means.
- Likelihood: Low
- Impact: Very High
- Effort: High to Very High
- Skill Level: Expert
- Detection Difficulty: Hard
- [Compromised Control Plane Server]