Emissary-Ingress (formerly Ambassador API Gateway) through 1.13.9 allows attackers to bypass client certificate requirements on backend upstreams under certain conditions.
Understanding CVE-2021-36371
This CVE describes a vulnerability in Emissary-Ingress that enables attackers to circumvent client certificate requirements on backend upstreams.
What is CVE-2021-36371?
Emissary-Ingress allows attackers to bypass mTLS cert_required when multiple TLSContexts are defined, and one of them does not require client certificate authentication.
The Impact of CVE-2021-36371
The vulnerability could be exploited by attackers to bypass client certificate requirements, potentially compromising the security of backend upstreams.
Technical Details of CVE-2021-36371
The following technical details provide insight into the vulnerability:
Vulnerability Description
Attackers can bypass client certificate requirements by sending a request whose TLS connection is addressed to an unprotected backend while the HTTP request itself specifies a protected backend.
Affected Systems and Versions
Emissary-Ingress versions up to and including 1.13.9 are affected, while 2.x versions remain unaffected.
Exploitation Mechanism
The attacker must send an SNI specifying an unprotected backend and an HTTP Host header specifying a protected backend to exploit the vulnerability.
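The SNI/Host mismatch described above can be looked for in access logs. The following is an added example, not code from this page or from the Emissary-Ingress project. It assumes the Envoy access log is emitted as JSON with the hypothetical field names `sni` (`%REQUESTED_SERVER_NAME%`), `authority` (`%REQ(:AUTHORITY)%`) and `peer_subject` (`%DOWNSTREAM_PEER_SUBJECT%`); the hostnames and log lines are constructed.

```python
import json

# Assumed inventory (constructed): hostname -> does its TLSContext set cert_required?
CERT_REQUIRED = {
    "secure.example.com": True,
    "public.example.com": False,
}

# Constructed sample access-log lines in the assumed JSON format.
SAMPLE_LOG = """\
{"sni":"secure.example.com","authority":"secure.example.com","peer_subject":"CN=client-a","path":"/api"}
{"sni":"public.example.com","authority":"public.example.com","peer_subject":"-","path":"/"}
{"sni":"public.example.com","authority":"secure.example.com:443","peer_subject":"-","path":"/api"}
{"sni":"public.example.com","authority":"SECURE.example.com","peer_subject":"","path":"/admin"}
not-json garbage line
"""

def normalize(host):
    """Lower-case a hostname and drop any port and trailing dot."""
    return (host or "").strip().lower().split(":")[0].rstrip(".")

def find_bypass_candidates(log_text, cert_required):
    """Return (line, sni, host, path) for requests that reached a
    cert-required Host over a TLS session negotiated for a host that
    does not require a client certificate, with no certificate presented."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        try:
            rec = json.loads(line)
        except ValueError:
            continue  # skip lines that are not JSON
        if not isinstance(rec, dict):
            continue
        sni = normalize(rec.get("sni"))
        authority = normalize(rec.get("authority"))
        if sni == authority:
            continue  # handshake and request agree on the host
        host_needs_cert = cert_required.get(authority, False)
        sni_needs_cert = cert_required.get(sni, False)
        no_cert = rec.get("peer_subject") in (None, "", "-")
        if host_needs_cert and not sni_needs_cert and no_cert:
            findings.append((lineno, sni, authority, rec.get("path")))
    return findings

if __name__ == "__main__":
    for hit in find_bypass_candidates(SAMPLE_LOG, CERT_REQUIRED):
        print("possible cert_required bypass: line %d sni=%s host=%s path=%s" % hit)
```

A hit means the request should be reviewed against the TLSContext configuration; requests that did present a client certificate are not reported.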
Mitigation and Prevention
Understanding the steps for mitigation and prevention is crucial in addressing CVE-2021-36371.
Immediate Steps to Take
Organizations should update to unaffected versions, such as 2.x, and ensure correct configuration settings to mitigate the risk.
Long-Term Security Practices
Implementing strong security measures and regular checks on configurations can help prevent similar vulnerabilities in the future.
Patching and Updates
Regularly updating Emissary-Ingress to the latest secure versions and monitoring security advisories is essential in maintaining a secure environment.