medium

Google Cloud Armor packet size bypass

Published Thu, Feb 24th, 2022

Platforms

gcp

Summary

Cloud Armor has a documented limitation of 8 KB as the maximum size of a web request that it will inspect. The default behavior of Cloud Armor in this case can allow oversized malicious requests to bypass Cloud Armor and reach the underlying application directly. Moreover, Cloud Armor does not warn users of this limitation during policy creation or when configuring rules from within the web UI; a reference to the 8 KB limit can only be found in the [Cloud Armor documentation](https://cloud.google.com/armor/docs/security-policy-overview).

Affected Services

Cloud Armor

Remediation

A custom rule can be added in Advanced mode with the expression `int(request.headers["content-length"]) >= 8192` and a deny action that returns a 502, 403, or 404 HTTP response status.
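As an added example, not part of this entry or of Kloudle's research, a Python audit that reads the JSON printed by `gcloud compute security-policies describe POLICY --format=json` and reports whether a deny rule covering the 8 KB inspection limit is present. The field layout (`rules[].priority`, `rules[].action` in API form such as `deny(502)`, `rules[].match.expr.expression`) is an assumption, and both embedded policies are constructed samples.

```python
import json
import re

# Constructed sample policy. The field layout assumes the JSON printed by
# `gcloud compute security-policies describe POLICY --format=json`
# (action strings in API form such as "deny(502)" or "allow").
GUARDED_POLICY = json.dumps({"rules": [
    {"priority": 1000, "action": "deny(403)",
     "match": {"expr": {"expression": "evaluatePreconfiguredExpr('xss-stable')"}}},
    {"priority": 2000, "action": "deny(502)",
     "match": {"expr": {"expression": "int(request.headers[\"content-length\"]) >= 8192"}}},
    {"priority": 2147483647, "action": "allow",
     "match": {"versionedExpr": "SRC_IPS_V1", "config": {"srcIpRanges": ["*"]}}},
]})

# Constructed policy whose size rule is too permissive: 16 KB is above the
# 8 KB inspection limit, so requests between 8 KB and 16 KB still slip past.
UNGUARDED_POLICY = json.dumps({"rules": [
    {"priority": 2000, "action": "deny(502)",
     "match": {"expr": {"expression": "int(request.headers['content-length']) >= 16384"}}},
    {"priority": 2147483647, "action": "allow",
     "match": {"versionedExpr": "SRC_IPS_V1", "config": {"srcIpRanges": ["*"]}}},
]})

INSPECTION_LIMIT = 8192  # Cloud Armor inspects at most 8 KB of a request
SIZE_RULE = re.compile(
    r"""int\(\s*request\.headers\[\s*['"]content-length['"]\s*\]\s*\)\s*>=\s*(\d+)""",
    re.IGNORECASE)

def oversize_guard_rules(policy_json):
    """Return priorities of deny rules that block requests at or above the
    inspection limit. A rule counts only if its action denies and its
    threshold is no higher than 8192; a higher threshold leaves a window of
    un-inspected request sizes that are still forwarded."""
    found = []
    for rule in json.loads(policy_json).get("rules", []):
        expr = rule.get("match", {}).get("expr", {}).get("expression", "")
        m = SIZE_RULE.search(expr)
        if (m and rule.get("action", "").startswith("deny")
                and int(m.group(1)) <= INSPECTION_LIMIT):
            found.append(rule["priority"])
    return sorted(found)

def is_guarded(policy_json):
    """True when at least one qualifying deny rule exists."""
    return bool(oversize_guard_rules(policy_json))

if __name__ == "__main__":
    print("guarded:", is_guarded(GUARDED_POLICY), oversize_guard_rules(GUARDED_POLICY))
```

The check only confirms a qualifying rule exists; an allow rule with a lower priority number that matches the same traffic would still take precedence, so review rule ordering separately.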

Tracked CVEs

No tracked CVEs

References

Contributed by https://github.com/riyazwalikar

Entry Status

Finalized

Disclosure Date

Thu, Feb 24th, 2022

Exploitability Period

Ongoing

Known ITW Exploitation

-

Detection Methods

None

Piercing Index Rating

-

Discovered by

Karan Saini, Riyaz Walikar, Kloudle