https://feed.craftedsignal.io/vendors/dadrus/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioWed, 03 Jan 2024 12:00:00 +0000https://feed.craftedsignal.io/briefs/2024-01-03-heimdall-url-encoding/Wed, 03 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-03-heimdall-url-encoding/Heimdall versions before 0.17.14 are vulnerable to inconsistent path interpretation due to case-sensitive handling of URL-encoded slashes; when `allow_encoded_slashes` is set to `off` (the default), the lowercase `%2f` is not recognized, potentially leading to authorization bypass if the default rule is overly permissive and the upstream service interprets `%2f` as a path separator.Heimdall, a cloud-native access management proxy, is susceptible to an authorization bypass vulnerability due to its case-sensitive handling of URL-encoded slashes. Specifically, versions prior to 0.17.14 fail to properly process lowercase URL-encoded forward slashes (%2f) when the allow_encoded_slashes option is disabled, which is the default configuration. This discrepancy arises because, while percent-encoding should be case-insensitive, Heimdall only recognizes the uppercase %2F. This inconsistency can be exploited if an attacker crafts requests with lowercase encoded slashes that Heimdall doesn’t normalize, while upstream services do. This can result in the application of an unintended default rule (if configured permissively), leading to unauthorized access to protected resources. The vulnerability is mitigated by ensuring secure default configurations or proper input validation.

Attack Chain

1. The attacker identifies a Heimdall instance enforcing access control policies.
2. The attacker crafts a malicious HTTP request targeting a protected resource, such as /admin/secret.
3. The attacker replaces the forward slash in the request path with a lowercase URL-encoded slash (%2f), resulting in a request like /admin%2fsecret.
4. The request reaches the Heimdall instance. Due to the case-sensitive handling of URL-encoded slashes, Heimdall does not normalize the %2f.
5. Heimdall fails to match the request to the intended access control rule (e.g., a rule matching /admin/**).
6. Heimdall executes the default rule, which, if misconfigured to be overly permissive (allowing anonymous access), grants access.
7. The request is forwarded to the upstream service.
8. The upstream service interprets %2f as a forward slash, effectively processing the request as /admin/secret, granting the attacker unauthorized access to the protected resource.

Impact

Successful exploitation of this vulnerability allows an attacker to bypass intended access control policies, potentially leading to unauthorized access to sensitive data, modification of restricted resources, or invocation of privileged functionality. Depending on the exposed functionality and the configuration of the upstream service, this could also lead to privilege escalation. The number of victims and sectors targeted depend heavily on the deployment and configuration of Heimdall instances.

Recommendation

• Upgrade to Heimdall version 0.17.14 or later to address the case-sensitive handling of URL-encoded slashes.
• Avoid using the --insecure or --insecure-skip-secure-default-rule-enforcement flags during Heimdall configuration, as these flags weaken security posture.
• Configure the default rule in Heimdall to implement a “deny by default” policy to minimize the risk of unintended access.
• Implement input validation at layers in front of Heimdall (e.g., in proxies like Traefik) to reject HTTP paths containing encoded slashes, providing an additional layer of defense.
• If using JWTs, include the ID of the rule expected to be executed and verify that value in the project’s service.

]]>highadvisoryheimdallauthorization-bypassurl-encodinghttps://feed.craftedsignal.io/briefs/2024-01-02-heimdall-case-sensitivity/Tue, 02 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-02-heimdall-case-sensitivity/Heimdall performs case-sensitive host matching, which can lead to policy bypass because HTTP hostnames are case-insensitive, potentially leading to unauthorized access, data modification, or privilege escalation if the request host is part of the rule.Heimdall, a Go-based access management system, is susceptible to a case-sensitivity vulnerability in its host matching mechanism. HTTP hostnames are case-insensitive, but Heimdall performs host matching in a case-sensitive manner. Discovered and reported in April 2026, this discrepancy can result in Heimdall failing to match a rule for a request host that differs only in letter casing. Version 0.16.0 and later enforce secure defaults and refuse to start with an “allow all” configuration unless explicitly disabled using flags like --insecure-skip-secure-default-rule-enforcement or --insecure. The vulnerability affects Heimdall versions prior to 0.17.14 and can be exploited if rule matching relies on the request host, potentially leading to unintended access control bypass.

Attack Chain

1. The attacker identifies a Heimdall instance with host-based access control rules.
2. The attacker identifies a specific rule where the host is used for access control (e.g., admin.example.com).
3. The attacker crafts an HTTP request with a Host header that differs only in casing (e.g., Admin.Example.Com).
4. Heimdall fails to match the intended rule due to the case-sensitive comparison.
5. If no default rule is configured, Heimdall returns a “404 Not Found” error.
6. If a permissive default rule is configured (e.g., allowing anonymous access, which is discouraged since v0.16.0), Heimdall executes this default rule.
7. The attacker gains unauthorized access to resources or functionality that should be protected by the intended rule.
8. The attacker exploits the gained access to modify data, invoke functionality, or escalate privileges depending on the exposed functionality.

Impact

Bypassing access control policies enforced by Heimdall can lead to unauthorized access to sensitive data, modification of critical information, or invocation of restricted functionality. Depending on the exposed functionality, this could also lead to privilege escalation. The severity of the impact depends heavily on the misconfiguration of Heimdall’s rules, particularly the presence of overly permissive default rules. Successful exploitation can compromise the confidentiality, integrity, and availability of the protected application or service.

Recommendation

• Normalize request hosts to lowercase in layers in front of Heimdall to mitigate the case sensitivity issue.
• Avoid configuring permissive default rules. Remove or disable the --insecure or --insecure-skip-secure-default-rule-enforcement flags.
• When using the regex type for host matching, define expressions in a case-insensitive manner (e.g., (?i)^admin\.example\.com$).
• Upgrade to Heimdall version 0.17.14 or later to patch the vulnerability directly.

]]>highadvisorydefense-evasionpolicy-bypassaccess-controlhttps://feed.craftedsignal.io/briefs/2024-01-02-heimdall-auth-bypass/Tue, 02 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-02-heimdall-auth-bypass/Heimdall is vulnerable to an authorization bypass due to a path normalization mismatch between Heimdall and downstream components, potentially leading to unauthorized access and privilege escalation.Heimdall, a cloud-native security proxy, is susceptible to an authorization bypass vulnerability. This issue arises from a discrepancy in how Heimdall handles request paths compared to downstream components. Specifically, Heimdall performs rule matching on the raw, non-normalized request path, while downstream components might normalize dot-segments (e.g., /user/../admin) according to RFC 3986. This can lead to Heimdall authorizing a request based on the raw path, whereas the downstream service processes a different, normalized path, potentially bypassing intended access controls. The vulnerability affects Heimdall versions prior to 0.17.14. Exploitation is possible when using wildcards in rule matching without further constraints. This could allow attackers to access restricted resources or functionalities.

Attack Chain

1. Attacker crafts a malicious HTTP request with a path containing dot-segments (e.g., /public/../user/resource).
2. The request is sent to the Heimdall proxy.
3. Heimdall performs rule matching on the raw, non-normalized path (/public/../user/resource).
4. Heimdall incorrectly matches the request to a less restrictive rule, such as a rule for /public/**, due to the initial /public segment.
5. Heimdall authorizes the request based on the matched rule, potentially allowing anonymous access.
6. The request is forwarded to the downstream service.
7. The downstream service normalizes the request path to /user/resource.
8. The downstream service processes the request as /user/resource, bypassing the intended access controls for that resource, possibly leading to data access or privilege escalation.

Impact

Successful exploitation of this vulnerability allows attackers to bypass access control policies enforced by Heimdall. This can lead to unauthorized access to sensitive data, modification of restricted data, invocation of privileged functionality without proper authentication or authorization, and in certain configurations, escalation of privileges. The number of potential victims depends on the deployment and configuration of Heimdall within affected environments.

Recommendation

• Apply the available patch to upgrade Heimdall to version 0.17.14 or later to remediate the vulnerability.
• Implement HTTP path normalization or rejection of HTTP paths containing relative path expressions in layers in front of Heimdall, as suggested in the advisory.
• Deploy the Sigma rule provided below to detect suspicious HTTP requests containing dot-segments (..) in the request path.
• Configure your proxies (e.g., Envoy) to normalize paths, as described in the advisory.

]]>highadvisoryauthorization-bypasspath-normalizationcloud