CVE-2019-12243
Description
Istio 1.1.x through 1.1.6 has Incorrect Access Control.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Istio 1.1.x prior to 1.1.7 fails to enforce TCP authorization policies when policy checks are enabled.
What the vulnerability is
CVE-2019-12243 is an incorrect access control vulnerability in Istio 1.1.x through 1.1.6. The root cause is a bug in the Mixer plugin's TCP filter: in buildInboundTCPFilter, the DisableCheckCalls field was incorrectly set using the outbound parameter instead of inbound [4]. This causes the proxy to skip calling the Mixer policy service for inbound TCP connections, even when disablePolicyChecks is set to false (i.e., policy enforcement is enabled).
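The following Go program is an added illustration of the root cause described above; it is a hypothetical, simplified reconstruction written for this page, not Istio's own code. The names `meshConfig`, `tcpFilterConfig`, `disableCheckCalls`, `buildInboundTCPFilterVulnerable`, `buildInboundTCPFilterFixed` and `admitTCPConnection` are assumptions, and the only setting modelled is `disablePolicyChecks`. It shows how passing the outbound direction from the inbound builder produces a filter that never issues a Mixer Check call, so a deny verdict from `istio-policy` is never consulted, and how the one-token fix restores the check.

```go
package main

import "fmt"

// direction is the traffic direction a TCP filter is being built for.
type direction bool

const (
	inbound  direction = true  // server-side filter on the workload's own port
	outbound direction = false // client-side filter for connections the workload opens
)

// meshConfig models the single mesh-wide setting relevant to this CVE.
// Hypothetical simplification of Istio's MeshConfig (constructed for this example).
type meshConfig struct {
	DisablePolicyChecks bool // Istio's default is true; false enables Mixer policy checks
}

// tcpFilterConfig models the Mixer TCP filter field the proxy consults before
// admitting a connection (hypothetical, mirrors the DisableCheckCalls field named above).
type tcpFilterConfig struct {
	DisableCheckCalls bool
}

// disableCheckCalls decides whether the proxy may skip the Mixer Check call.
// Policy checks are a server-side concern in this model: outbound filters never
// check, inbound filters check unless the mesh disables policy checks.
func disableCheckCalls(mesh meshConfig, dir direction) bool {
	if dir == outbound {
		return true
	}
	return mesh.DisablePolicyChecks
}

// buildInboundTCPFilterVulnerable reproduces the shape of the defect: the inbound
// builder hands the outbound direction to the helper, so the filter skips Check
// calls regardless of what the operator configured.
func buildInboundTCPFilterVulnerable(mesh meshConfig) tcpFilterConfig {
	return tcpFilterConfig{DisableCheckCalls: disableCheckCalls(mesh, outbound)} // bug: should be inbound
}

// buildInboundTCPFilterFixed passes the inbound direction, as the 1.1.7 fix does.
func buildInboundTCPFilterFixed(mesh meshConfig) tcpFilterConfig {
	return tcpFilterConfig{DisableCheckCalls: disableCheckCalls(mesh, inbound)}
}

// admitTCPConnection models the proxy's decision for one inbound TCP connection.
// policyDenies stands in for the verdict a Deny/List Checker adapter would return;
// when check calls are disabled that verdict is never requested.
func admitTCPConnection(cfg tcpFilterConfig, policyDenies bool) bool {
	if cfg.DisableCheckCalls {
		return true // no Check request is sent to istio-policy
	}
	return !policyDenies
}

func main() {
	mesh := meshConfig{DisablePolicyChecks: false} // operator enabled policy checks
	vuln := buildInboundTCPFilterVulnerable(mesh)
	fixed := buildInboundTCPFilterFixed(mesh)
	fmt.Printf("vulnerable build: skips Check=%v, admitted despite deny=%v\n",
		vuln.DisableCheckCalls, admitTCPConnection(vuln, true))
	fmt.Printf("fixed build:      skips Check=%v, admitted despite deny=%v\n",
		fixed.DisableCheckCalls, admitTCPConnection(fixed, true))
}
```

The model also shows why the default configuration is not exposed: with `DisablePolicyChecks` true, both builders produce a filter that skips the Check call, so the bug changes nothing there.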
How it is exploited
To be affected, an Istio mesh must have disablePolicyChecks set to false (the default is true), use a Mixer adapter such as Deny Checker or List Checker for authorization, and have workloads that communicate over TCP (not HTTP, HTTP/2, or gRPC) [3]. An attacker who can reach a TCP service in the mesh will have their requests accepted without any policy check, because the proxy does not send Check requests to istio-policy [4]. No authentication is required; the vulnerability only requires adjacency to the affected TCP service.
Impact
A successful attacker can bypass all Mixer-based authorization policies for TCP services, gaining unauthorized access to backend systems. This can lead to reading sensitive data, performing unauthorized operations, or disrupting services. The CVSS score is 8.9 (AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N), reflecting high confidentiality and integrity impact with low attack complexity [3].
Mitigation
Users of Istio 1.0.x are not affected. For Istio 1.1.x deployments, the fix is to upgrade to Istio 1.1.7 or later [3]. The fix was implemented in commit 91faba2 which corrects the argument from outbound to inbound [1]. There is no workaround short of disabling policy checks (which is the default) or upgrading.
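As an added, defender-side example covering the exposure conditions listed under "How it is exploited" and the version guidance in this section, the Go program below is not Istio's code and was written for this page. It encodes the three conditions the narrative gives (a 1.1.0 to 1.1.6 control plane, `disablePolicyChecks` set to false, and a Mixer adapter authorizing TCP services) as a single assessment function; `meshExposure`, `parseIstioVersion`, `versionAffected` and `assessCVE201912243` are names chosen here, and the version strings in `main` are constructed inputs.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// meshExposure collects the inputs the advisory says decide exposure.
// Hypothetical type constructed for this example.
type meshExposure struct {
	IstioVersion          string // release version such as "1.1.6"; a leading "v" is tolerated
	DisablePolicyChecks   bool   // mesh-wide setting; Istio's default is true
	MixerTCPAuthorization bool   // a Deny Checker / List Checker adapter guards TCP services
}

// parseIstioVersion splits a release version into numeric components.
// Prerelease or build suffixes are rejected so a guess is never silently made.
func parseIstioVersion(v string) (major, minor, patch int, err error) {
	v = strings.TrimPrefix(strings.TrimSpace(v), "v")
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return 0, 0, 0, fmt.Errorf("unrecognised Istio version %q (want MAJOR.MINOR.PATCH)", v)
	}
	nums := make([]int, 3)
	for i, p := range parts {
		n, convErr := strconv.Atoi(p)
		if convErr != nil || n < 0 {
			return 0, 0, 0, fmt.Errorf("unrecognised Istio version %q: component %q", v, p)
		}
		nums[i] = n
	}
	return nums[0], nums[1], nums[2], nil
}

// versionAffected reports whether v falls in the advisory's range >= 1.1.0, < 1.1.7.
// 1.0.x is outside the range, as the mitigation text states.
func versionAffected(v string) (bool, error) {
	major, minor, patch, err := parseIstioVersion(v)
	if err != nil {
		return false, err
	}
	return major == 1 && minor == 1 && patch < 7, nil
}

// assessCVE201912243 returns whether the mesh is exposed and the reason.
// All three conditions must hold for inbound TCP policy checks to be bypassed.
func assessCVE201912243(m meshExposure) (exposed bool, reason string, err error) {
	affected, err := versionAffected(m.IstioVersion)
	if err != nil {
		return false, "", err
	}
	switch {
	case !affected:
		return false, "Istio version is outside the affected range (1.1.0 through 1.1.6)", nil
	case m.DisablePolicyChecks:
		return false, "policy checks are disabled mesh-wide (the default), so the skipped Check call changes nothing; upgrading is still advised", nil
	case !m.MixerTCPAuthorization:
		return false, "no Mixer adapter authorizes TCP services, so no TCP policy is bypassed; upgrading is still advised", nil
	}
	return true, "affected version with policy checks enabled and Mixer TCP authorization: inbound TCP Check calls are skipped; upgrade to Istio 1.1.7 or later", nil
}

func main() {
	// Constructed sample meshes, not real deployments.
	samples := []meshExposure{
		{IstioVersion: "1.1.6", DisablePolicyChecks: false, MixerTCPAuthorization: true},
		{IstioVersion: "1.1.6", DisablePolicyChecks: true, MixerTCPAuthorization: true},
		{IstioVersion: "v1.1.7", DisablePolicyChecks: false, MixerTCPAuthorization: true},
		{IstioVersion: "1.0.9", DisablePolicyChecks: false, MixerTCPAuthorization: true},
	}
	for _, s := range samples {
		exposed, reason, err := assessCVE201912243(s)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("%-7s exposed=%-5v %s\n", s.IstioVersion, exposed, reason)
	}
}
```

The function deliberately returns "not exposed" for the default `disablePolicyChecks: true` mesh rather than "safe": the advisory's only durable fix is the upgrade, and the reason strings say so.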
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| istio.io/istio (Go) | >= 1.1.0, < 1.1.7 | 1.1.7 |
Affected products
- Istio/Istio
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-6g5f-f5pm-mjrg (GHSA: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2019-12243 (GHSA: ADVISORY)
- github.com/istio/istio/issues/13868 (GHSA: WEB)
- github.com/istio/istio/pull/13893/commits/91faba277439dab798185730d1624bd53e37bb06 (GHSA: WEB)
- istio.io/about/notes/ (MITRE: x_refsource_MISC)
- istio.io/blog/2019/cve-2019-12243 (GHSA: WEB)
- istio.io/blog/2019/cve-2019-12243/ (MITRE: x_refsource_CONFIRM)
News mentions
No linked articles in our index yet.