Traefik is an open-source HTTP reverse proxy and load balancer, widely utilized for its simplicity and ease of use. However, a recent vulnerability has been discovered (CVE-2023-47124) when Traefik is configured to use the HTTPChallenge to generate and renew the Let's Encrypt TLS certificates.
This vulnerability allows attackers to exploit the 50-second delay authorized to solve the challenge by implementing a slowloris attack). To address this issue, the vulnerability has been patched in versions 2.10.6 and 3..-beta5.
In this post, we will thoroughly discuss the vulnerability, its exploitation, and how users can secure their environments from potential attacks.
Vulnerability Details
When using the HTTPChallenge to generate Let's Encrypt TLS certificates, Traefik permits a 50-second delay for solving challenges. This generous time frame creates an opportunity for attackers to initiate a slowloris attack.
A slowloris attack is a technique that causes the server to become unresponsive by opening many connections without fully closing them. The server slowly exhausts its resources waiting for the connections to close, and eventually, it cannot process legitimate requests, leading to a denial of service (DoS).
The code snippet below demonstrates how the 50-second delay is defined in the Traefik configuration
[acme.httpChallenge]
entryPoint = "http"
delayBeforeCheck = 50s
This vulnerability is tagged under CVE-2023-47124 in the National Vulnerability Database (NVD).
Exploitation
To exploit this vulnerability, an attacker would have to open as many connections to the server as possible within the 50-second delay window. The goal is to flood the server with connections and exhaust its resources, causing it to be unresponsive to legitimate requests.
One way to achieve this is by using a tool designed for slowloris attacks, such as the Slowloris HTTP DoS script.
Users have several options to secure their environments from CVE-2023-47124 exploitation
1. Upgrade: Upgrade to Traefik version 2.10.6 or 3..-beta5 to benefit from the patches addressing this vulnerability.
2. Configuration Change: For those unable or unwilling to upgrade, an alternative mitigation strategy is to replace the HTTPChallenge with the TLSChallenge or the DNSChallenge. These challenges are less susceptible to slowloris-type attacks. The following code snippet shows how to configure the TLSChallenge or DNSChallenge::
`
By taking these preventive measures, users can secure their Traefik deployments and protect against potential slowloris attacks.
Conclusion
The CVE-2023-47124 vulnerability in Traefik's HTTPChallenge exposed users to potential slowloris attacks. Upgrading to version 2.10.6 or 3..-beta5 resolves this issue, as the exploit is patched in these releases.
For those who cannot upgrade, switching to the TLSChallenge or DNSChallenge offers a viable alternative and added security. As always, staying current on vulnerability updates and applying security best practices are crucial in maintaining a secure environment.
Timeline
Published on: 12/04/2023 21:15:33 UTC
Last modified on: 12/07/2023 21:01:24 UTC