medium

Google Cloud Armor packet size bypass

Published Thu, Feb 24th, 2022
Platforms

Summary

Cloud Armor has a documented limitation of 8 KB as the maximum size of web request that it will inspect. The default behavior of Cloud Armor in this case can allow oversized malicious requests to bypass Cloud Armor and directly reach an underlying application. Moreover, Cloud Armor does not warn users of this limitation during policy creation or when configuring rules from within the web UI, and can only find a reference to the 8 KB limit in the [Cloud Armor documentation](https://cloud.google.com/armor/docs/security-policy-overview).

Affected Services

Cloud Armor

Remediation

A custom rule can be added in Advanced mode - `int(request.headers["content-length"]) >= 8192`, with 502, 403, or 404 HTTP response status in return.

Tracked CVEs

No tracked CVEs

References

Disclosure Date
Thu, Feb 24th, 2022
Exploitablity Period
Ongoing
Known ITW Exploitation
-
Detection Methods
-
Discovered by
Karan Saini, Riyaz Walikar, Kloudle