Attack Chain

1. Attacker crafts a malicious HTTP request with a path containing dot-segments (e.g., /public/../user/resource).
2. The request is sent to the Heimdall proxy.
3. Heimdall performs rule matching on the raw, non-normalized path (/public/../user/resource).
4. Heimdall incorrectly matches the request to a less restrictive rule, such as a rule for /public/**, due to the initial /public segment.
5. Heimdall authorizes the request based on the matched rule, potentially allowing anonymous access.
6. The request is forwarded to the downstream service.
7. The downstream service normalizes the request path to /user/resource.
8. The downstream service processes the request as /user/resource, bypassing the intended access controls for that resource, possibly leading to data access or privilege escalation.

Impact

Successful exploitation of this vulnerability allows attackers to bypass access control policies enforced by Heimdall. This can lead to unauthorized access to sensitive data, modification of restricted data, invocation of privileged functionality without proper authentication or authorization, and in certain configurations, escalation of privileges. The number of potential victims depends on the deployment and configuration of Heimdall within affected environments.

Recommendation

• Apply the available patch to upgrade Heimdall to version 0.17.14 or later to remediate the vulnerability.
• Implement HTTP path normalization or rejection of HTTP paths containing relative path expressions in layers in front of Heimdall, as suggested in the advisory.
• Deploy the Sigma rule provided below to detect suspicious HTTP requests containing dot-segments (..) in the request path.
• Configure your proxies (e.g., Envoy) to normalize paths, as described in the advisory.