Executive Summary

This vulnerability in Traefik affects the ACME TLS-ALPN fast path used for automatic TLS certificate generation. When the ACME TLS challenge is enabled, unauthenticated clients can open many connections, send a minimal ClientHello message advertising the 'acme-tls/1' protocol, and then stop responding. Because the server does not set timeouts or close these connections properly during the TLS handshake, each stalled handshake consumes server resources like goroutines and file descriptors indefinitely. This leads to resource exhaustion and denial of service on the affected entrypoint. [2]

Useful 0 Not Useful 0

Impact Analysis

The vulnerability can lead to a denial of service (DoS) on the Traefik entrypoint where the ACME TLS-ALPN challenge is enabled. A malicious client can exhaust server resources by opening many connections and stalling the TLS handshake, causing the server to run out of goroutines and file descriptors. This results in the affected entrypoint becoming unresponsive, potentially disrupting services relying on Traefik for reverse proxy and load balancing. [2]

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring for an unusually high number of open connections or goroutines tied to the ACME TLS-ALPN challenge on Traefik entrypoints where the ACME TLS-ALPN challenge is enabled. Specifically, look for many connections that send a minimal ClientHello with the "acme-tls/1" protocol and then stop responding, causing resource exhaustion. Commands to detect this might include using netstat or ss to check for many open connections to the Traefik entrypoint ports, and using system tools to monitor file descriptor usage and goroutine counts in the Traefik process. For example, on Linux, you could use: `ss -tnp | grep traefik` to list TCP connections related to Traefik, and `lsof -p <traefik_pid>` to check open file descriptors. Additionally, monitoring Traefik logs for repeated ACME TLS-ALPN handshake attempts or timeouts could help detect exploitation attempts. [2, 4]

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability immediately, upgrade Traefik to version 2.11.35 or 3.6.7 or later, as these versions include the fix that adds timeouts to the ACME TLS-ALPN challenge handshake and properly closes connections to prevent resource exhaustion. After upgrading, consult the migration guide to enable the new opt-in behavior related to the fix. If upgrading immediately is not possible, consider disabling the ACME TLS-ALPN challenge on entrypoints or limiting the number of concurrent connections to reduce the risk of denial of service. Monitoring and applying rate limiting on incoming connections that use the ACME TLS-ALPN protocol can also help mitigate exploitation attempts. [1, 2, 3]

Useful 0 Not Useful 0