Severity: HIGH (CVSS 8.3)
CVE-2021-39155 / GHSA-7774-7vr3-cc8j
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L
Affected projects: istio

Affected versions

Project           Vulnerable range
istio.io/istio    <= 1.9.8

Patched versions

Project           Fixed in
istio.io/istio    1.9.8, 1.10.4, 1.11.1

Summary

According to RFC 4343, DNS hostnames are case-insensitive, and Istio's authorization policy is expected to compare the Host header accordingly. However, in affected versions, Istio performs a case-sensitive comparison. Because the Envoy proxy routes requests case-insensitively, an attacker can bypass host-based authorization policies by sending a request with a differently-cased hostname — for example, using Httpbin.Foo where a deny rule targets httpbin.foo.

Impact

AuthorizationPolicy resources that restrict or deny based on the HTTP Host header are bypassable in affected versions. An attacker who can reach the target service can circumvent host-based deny rules by manipulating the case of the hostname in the Host header. The CVSS score of 8.3 reflects the network-accessible nature of the attack with no privilege required and a high confidentiality and integrity impact.

Detection

Review existing AuthorizationPolicy resources for rules that match on the request.headers[":authority"] or Host header. Check Istio access logs for requests where the Host value does not match the expected canonical casing for protected services, which may indicate exploitation attempts.
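
The following is an added example, not code from the advisory or from Istio itself. It models the two comparison modes the Summary describes (exact match as in affected versions, case-insensitive match as RFC 4343 requires) and applies the Detection advice to constructed access log lines, assuming Istio's JSON access log encoding with its "authority" field; the protected hostnames are sample values.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Hostnames covered by a host-based deny rule (constructed sample values;
// in practice take them from your AuthorizationPolicy resources).
var protectedHosts = []string{"httpbin.foo"}

// hostDenied evaluates a deny rule against the request's :authority value.
// ignoreCase=false mirrors the affected versions' exact comparison, which a
// rule for "httpbin.foo" fails against "Httpbin.Foo"; ignoreCase=true is
// the RFC 4343 behaviour, matching how Envoy routes the request.
func hostDenied(authority string, ignoreCase bool) bool {
	for _, h := range protectedHosts {
		if h == authority || (ignoreCase && strings.EqualFold(h, authority)) {
			return true
		}
	}
	return false
}

// suspiciousAuthorities scans Istio access log lines (JSON access log
// encoding assumed, with the "authority" field) and returns the Host values
// that only a case-insensitive deny rule would catch: bypass candidates.
func suspiciousAuthorities(logLines []string) []string {
	var hits []string
	for _, line := range logLines {
		var entry struct {
			Authority string `json:"authority"`
		}
		if err := json.Unmarshal([]byte(line), &entry); err != nil {
			continue // not a JSON access log record
		}
		if hostDenied(entry.Authority, true) && !hostDenied(entry.Authority, false) {
			hits = append(hits, entry.Authority)
		}
	}
	return hits
}

func main() {
	logs := []string{ // constructed sample log lines, not real traffic
		`{"authority":"httpbin.foo","method":"GET","path":"/get","response_code":403}`,
		`{"authority":"Httpbin.Foo","method":"GET","path":"/get","response_code":200}`,
	}
	fmt.Println("possible case-based bypass attempts:", suspiciousAuthorities(logs))
}
```

A hit means a request reached a host-protected service under a Host value that the affected comparison would not have matched; correlate it with the response code and source to decide whether the deny rule was actually bypassed.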

Mitigation

Upgrade Istio to a patched version on the appropriate release line:

  • Istio 1.11.1 or later (for the 1.11 line)
  • Istio 1.10.4 or later (for the 1.10 line)
  • Istio 1.9.8 or later (for the 1.9 line)

As a workaround, a Lua filter can be written to normalize the Host header to lowercase before the authorization check is performed. This approach is similar to the path normalization described in the Istio Security Best Practices guide.
