Horizon Alert
Summary of the vulnerability and why it matters
A security control bypass vulnerability has been identified in Ocelot, an API gateway, allowing unauthenticated clients to circumvent IP-based access restrictions. This occurs when WebSocket upgrade requests are processed in a way that omits security middleware, enabling requests from blocked IP addresses to reach downstream services without proper enforcement of access policies.
- Unauthenticated clients can bypass IP access rules.
- It affects how API gateways control network access.
- Confirm if Ocelot is used and verify its network exposure.
Attack Path
How an attacker could exploit the issue
An attacker could bypass IP-based access restrictions by sending a specially crafted WebSocket upgrade request. This request would exploit a flaw in how Ocelot processes these upgrades, causing the security middleware to be skipped. As a result, requests from blocked IP addresses might be forwarded to internal services without proper checks, potentially exposing them to unauthorized access.
- No authentication or special access needed.
- Triggered by a WebSocket upgrade request.
- Allows bypass of IP restrictions.
Live Threat
Current exploitation, exposure, and threat context
This vulnerability could allow unauthorized clients to bypass IP-based access restrictions when connecting to downstream services through Ocelot. When Ocelot's WebSocket upgrade pipeline is improperly configured, requests from blocked IP addresses may be forwarded without enforcement of allow or block lists, potentially exposing services that should be protected.
- Sensitive service requests could be exposed.
- Blocked IP addresses may access services.
- Unauthorized access to backend services.
Operational Fix
Recommended remediation, mitigation, and detection steps
The security control bypass in Ocelot affects how WebSocket upgrade requests are handled, potentially allowing denied clients to circumvent IP-based access restrictions. The team responsible for the API gateway, likely an infrastructure or platform team, should first identify all Ocelot instances, determine their exposure, and assess business criticality. Planning for remediation should then consider vendor coordination and maintenance windows to minimize operational impact.
- API Gateway team owns the issue.
- Verify Ocelot instances and network exposure.
- Plan and coordinate remediation actions.