istio
/
istio.io
mirror of https://github.com/istio/istio.io.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Add December 2022 security audit report (#12556) 

Co-authored-by: Craig Box <craigb@armosec.io>
This commit is contained in:
Istio Automation 2023-01-30 11:48:15 -08:00 committed by GitHub
parent 5dd09b8993
commit 22af1e305d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 102 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
.spelling
View File

@ -195,6 +195,7 @@ CIDRs
Cilium
CIOs
Circonus
Cleartext
cli
CloudNativeCon
CloudWatch
@ -310,6 +311,7 @@ CVE-2022-31045
CVE-2022-39278
CVE-2022-39388
CVE-2022-41715
CVE-2022-41721
cves
CVEs
cvss
@ -358,6 +360,7 @@ docker.io
dogfood
Dorosh
double-tls
downloader
Dropdown
Drucker
dual-stack
@ -392,6 +395,7 @@ Ezequiel
facto
failover
failovers
Faseela
faq
faq.md
Fawad
@ -411,7 +415,7 @@ FQDN
FQDNs
frontend
frontends
Faseela
fuzzers
gamified
gapped
GatewayClass
@ -439,6 +443,7 @@ grafana-istio-dashboard
Graphviz
grpc
gRPC
h2c
Haidian
Harvey
Hashicorp
@ -608,6 +613,7 @@ LoadBalancer
loadimpact
localhost
log_output_level
Logics
lookups
loopback
Lua
@ -722,6 +728,7 @@ operationalize
operationalizes
optname
OS-level
OSS-Fuzz
Ostrowski
otel-collector
outsized

BIN
content/en/blog/2023/ada-logics-security-assessment/Istio audit report - ADA Logics - 2022-12-28 - v1.0.pdf Normal file
View File

Binary file not shown.

94
content/en/blog/2023/ada-logics-security-assessment/index.md Normal file
View File

@ -0,0 +1,94 @@
---
title: "Istio publishes results of 2022 security audit"
description: Security review of Istio finds a CVE in Go standard library.
publishdate: 2023-01-30
attribution: "Craig Box (ARMO), for the Istio Product Security Working Group"
keywords: [istio,security,audit,ada logics,assessment,cncf,ostif]
---
Istio is a project that platform engineers trust to enforce security policy in their production Kubernetes environments. We pay a lot of care to security in our code, and maintain a robust [vulnerability program](/docs/releases/security-vulnerabilities/). To validate our work, we periodically invite external review of the project, and we are pleased to publish [the results of our second security audit](./Istio%20audit%20report%20-%20ADA%20Logics%20-%202022-12-28%20-%20v1.0.pdf).
The auditors assessment was that **"Istio is a well-maintained project that has a strong and sustainable approach to security"**. No critical issues were found; the highlight of the report was the discovery of a vulnerability in the Go programming language.
We would like to thank the [Cloud Native Computing Foundation](https://cncf.io/) for funding this work, as a benefit offered to us after we [joined the CNCF in August](https://www.cncf.io/blog/2022/09/28/istio-sails-into-the-cloud-native-computing-foundation/). It was [arranged by OSTIF](https://ostif.org/the-audit-of-istio-is-complete), and [performed by ADA Logics](https://adalogics.com/blog/istio-security-audit).
## Scope and overall findings
[Istio received its first security assessment in 2020](/blog/2021/ncc-security-assessment/), with its data plane, the [Envoy proxy](https://envoyproxy.io/), having been [independently assessed in 2018 and 2021](https://github.com/envoyproxy/envoy#security-audit). The Istio Product Security Working Group and ADA Logics therefore decided on the following scope:
* Produce a formal threat model, to guide this and future security audits
* Carry out a manual code audit for security issues
* Review the fixes for the issues found in the 2020 audit
* Review and improve Istio's fuzzing suite
* Perform a SLSA review of Istio
Once again, no Critical issues were found in the review. The assessment found 11 security issues; two High, four Medium, four Low and one informational. All the reported issues have been fixed.
{{< quote >}}
**"Istio is a very well-maintained and secure project with a sound code base, well-established security practices and a responsive product security team." - ADA Logics**
{{< /quote >}}
Aside from their observations above, the auditors note that Istio follows a high level of industry standards in dealing with security. In particular, they highlight that:
* The Istio Product Security Working Group responds swiftly to security disclosures
* The documentation on the projects security is comprehensive, well-written and up to date
* Security vulnerability disclosures follow industry standards and security advisories are clear and detailed
* Security fixes include regression tests
## Resolution and learnings
### Request smuggling vulnerability in Go
The auditors uncovered a situation where Istio could accept traffic using HTTP/2 Over Cleartext (h2c), a method of making an unencrypted connection with HTTP/1.1 and then upgrading to HTTP/2. The [Go library for h2c connections](https://pkg.go.dev/golang.org/x/net/http2/h2c) reads the entire request into memory, and notes that if you wish to avoid this, the request should be wrapped in a `MaxBytesHandler`.
In fixing this bug, Istio TOC member John Howard noticed that the recommended fix introduces a [request smuggling vulnerability](https://portswigger.net/web-security/request-smuggling). The Go team thus published [CVE-2022-41721](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41721) — the only vulnerability discovered by this audit!
Istio has since been changed to disable h2c upgrade support throughout.
### Improvements to file fetching
The most common class of issue found were related to Istio fetching files over a network (for example, the Istio Operator installing Helm charts, or the WebAssembly module downloader):
* A crafted Helm chart could exhaust disk space (#1) or overwrite other files in the Operators pod (#2)
* File handles were not closed in the case of an error, and could be exhausted (#3)
* Crafted files could exhaust memory (#4 and #5)
To execute these code paths, an attacker would need enough privilege to either specify a URL for a Helm chart or a WebAssembly module. With such access, they would not need an exploit: they could already cause an arbitrary chart to be installed to the cluster or an arbitrary WebAssembly module to be loaded into memory on the proxy servers.
The auditors and maintainers both note that the Operator is not recommended as a method of installation, as this requires a high-privilege controller to run in the cluster.
### Other issues
The remaining issues found were:
* In some testing code, or where a control plane component connects to another component over localhost, minimum TLS settings were not enforced (#6)
* Operations that failed may not return error codes (#7)
* A deprecated library was being used (#8)
* [TOC/TOU](https://en.wikipedia.org/wiki/Time-of-check_to_time-of-use) race conditions in a library used for copying files (#9)
* A user could exhaust the memory of the Security Token Service if running in Debug mode (#11)
Please refer to [the full report](./Istio%20audit%20report%20-%20ADA%20Logics%20-%202022-12-28%20-%20v1.0.pdf) for details.
### Reviewing the 2020 report
All 18 issues reported in Istios first security assessment were found to have been fixed.
### Fuzzing
The [OSS-Fuzz project](https://google.github.io/oss-fuzz/) helps open source projects perform free [fuzz testing](https://en.wikipedia.org/wiki/Fuzzing). Istio is integrated into OSS-Fuzz with 63 fuzzers running continuously: this support was [built by ADA Logics and the Istio team in late 2021](https://adalogics.com/blog/fuzzing-istio-cve-CVE-2022-23635).
{{< quote >}}
**"[We] started the fuzzing assessment by prioritizing security-critical parts of Istio. We found that many of these had impressive test coverage with little to no room for improvement." - ADA Logics**
{{< /quote >}}
The assessment notes that "Istio benefits largely from having a substantial fuzz test suite that runs continuously on OSS-Fuzz", and identified a few APIs in security-critical code that would benefit from further fuzzing, Six new fuzzers were contributed as a result of this work; by the end of the audit, the new tests had run over **3 billion** times.
### SLSA
[Supply chain Levels for Software Artifacts](https://slsa.dev/) (SLSA) is a check-list of standards and controls to prevent tampering, improve integrity, and secure software packages and infrastructure. It is organized into a series of levels that provide increasing integrity guarantees.
Istio does not currently generate provenance artifacts, so it does not meet the requirements for any SLSA levels. [Work on reaching SLSA Level 1 is currently underway](https://github.com/istio/istio/issues/42517). If you would like to get involved, please join the [Istio Slack](https://slack.istio.io/) and reach out to our [Test and Release working group](https://istio.slack.com/archives/C6FCV6WN4).
## Get involved
If you want to get involved with Istio product security, or become a maintainer, wed love to have you! [Join our public meetings](https://github.com/istio/community/blob/master/WORKING-GROUPS.md) to raise issues or learn about what we are doing to keep Istio secure.