CTI Notification: Wallarm CEO releases Critical API Exploit research

Wallarm Application Security CEO releases research performed on a critical Google Cloud Platform API Exploit

James Beal
Hunter Strategy
Jun 14, 2023


Breakdown

The CEO at Wallarm shared details of vulnerability research on ESPv2 that they reported to Google. He referred to it as the most critical Application Programming Interface (API) exploit he has seen this quarter and wanted to make sure everyone affected was aware of it. The issue is an authentication bypass in ESPv2: an attacker can craft a malicious X-HTTP-Method-Override header value that bypasses JSON Web Token (JWT) authentication. Deployments need to be upgraded to v2.43.0 or higher, which enforces JWT authentication even when the override header is supplied.

Overview

Ivan Novikov, the CEO at Wallarm, an API security solutions research organization, published a post on LinkedIn and Twitter linking to the Google Cloud Platform GitHub page for ESPv2. The advisory there summarizes the issue: “ESPv2 contains an authentication bypass vulnerability. API clients can craft a malicious X-HTTP-Method-Override header value to bypass JWT authentication in specific cases.”

For reference, some background on the X-HTTP-Method-Override header:

In certain situations (for example, when the service or its consumers are behind an overzealous corporate firewall, or if the main consumer is a web page), only the GET and POST HTTP methods might be available. In such a case, it is possible to emulate the missing verbs by passing the X-HTTP-Method-Override header in requests.

The advisory also lists the overall impact of this vulnerability:

ESPv2 allows malicious requests to bypass authentication if both of the following conditions are true:

1. The requested HTTP method is not in the API service definition (OpenAPI spec or gRPC google.api.http proto annotations).

2. The specified X-HTTP-Method-Override is a valid HTTP method in the API service definition.

ESPv2 will forward the request to your backend without checking the JWT. Attackers can craft requests with a malicious X-HTTP-Method-Override value that allows them to bypass specifying JWTs.
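The two conditions above can be turned into a log review check. The following is an added example, not code from the advisory or the ESPv2 project: it models a service definition as a path-to-methods map, applies both conditions to constructed access-log records, and flags the requests that a pre-v2.43.0 ESPv2 would have forwarded without a JWT check. The service definition, log format and the per-path interpretation of "valid HTTP method in the API service definition" are assumptions made for the example.

```python
import re
from typing import Iterable, Optional

# Constructed stand-in for the API service definition (OpenAPI paths and
# the HTTP methods each one declares). Path templates use {name} segments.
SERVICE_DEFINITION = {
    "/v1/orders": {"GET", "POST"},
    "/v1/orders/{id}": {"GET", "DELETE"},
}

def methods_for_path(path: str, spec: dict) -> set:
    """Return the methods the spec declares for `path`, matching {templates}."""
    for template, methods in spec.items():
        pattern = "^" + re.sub(r"\{[^/]+\}", r"[^/]+", template) + "$"
        if re.match(pattern, path):
            return methods
    return set()

def bypass_conditions_met(method: str, path: str, override: Optional[str], spec: dict) -> bool:
    """True when both advisory conditions hold: the real HTTP method is not in
    the service definition for this path, but the X-HTTP-Method-Override value
    is. Pre-v2.43.0 ESPv2 forwarded such requests without checking the JWT."""
    declared = methods_for_path(path, spec)
    return (method.upper() not in declared
            and override is not None
            and override.upper() in declared)

# Constructed access-log format: "<method> <path> override=<value or ->".
LOG_LINE = re.compile(r"^(\S+) (\S+) override=(\S+)$")

def flag_suspicious(lines: Iterable[str], spec: dict) -> list:
    """Return the log lines whose request matches the bypass pattern."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        method, path, override = m.groups()
        override = None if override == "-" else override
        if bypass_conditions_met(method, path, override, spec):
            hits.append(line.strip())
    return hits

# Constructed sample log: one hit, the rest are legitimate or rejected shapes.
SAMPLE_LOG = [
    "GET /v1/orders override=-",              # declared method, JWT enforced
    "PATCH /v1/orders/42 override=DELETE",    # both conditions: flagged
    "POST /v1/orders override=GET",           # POST is declared: not a bypass
    "PATCH /v1/orders/42 override=PUT",       # override undeclared: rejected
]

if __name__ == "__main__":
    for hit in flag_suspicious(SAMPLE_LOG, SERVICE_DEFINITION):
        print("review:", hit)
```

Requests flagged this way are candidates for review against the JWT check results of the upstream backend, not proof of compromise on their own.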

A detailed walkthrough of this vulnerability and how it can be exploited, with code references, is provided in the source article. Please see that post for the specifics and for how to replicate the issue in your own environment for testing.

Recommendation

This vulnerability was reported to the ESPv2 GCP team on March 14th of this year and fixed in the release on March 28th. All affected organizations need to upgrade their deployments to release v2.43.0 or higher. This release ensures that JWT authentication occurs even when the caller specifies x-http-method-override. The advisory also calls out that x-http-method-override is still supported in v2.43.0 and later, so API clients can continue sending this header to ESPv2.

Conclusion

To our current SOC partnerships, please reach out to our SOC team to learn more about the best steps in researching your exposure to this threat. If you have any questions on this ongoing event or need any level of security assistance, please reach out to Hunter Strategy and we will be happy to discuss next steps in securing your IT systems!

Contact Us

contact@hunterstrategy.net


James Beal
Hunter Strategy

Cyber Threat Intelligence Engineer - Focused on simplifying the evolving threat landscape and creating tangible alerts to help TRIAGE events.