Traefik
cpe:2.3:a:traefik:traefik:*:*:*:*:*:*:*
- <= v2.11.34
- <= v3.6.6
A denial-of-service vulnerability has been identified in Traefik, an HTTP reverse proxy and load balancer, in the automatic generation of ACME TLS certificates. The issue is present in Traefik versions prior to 2.11.35 and 3.6.7. It arises because, while the ACME TLS challenge is active, the ACME TLS-ALPN fast path allows unauthenticated clients to occupy goroutines and file descriptors indefinitely. A malicious client can open many connections, send a minimal ClientHello indicating 'acme-tls/1', and then stop communicating, causing a denial-of-service condition on the entry point.
Exploitation of this vulnerability leads to a denial-of-service condition, where the entry point becomes unresponsive due to exhausted resources.
The vulnerability can be reproduced by enabling the ACME TLS challenge in a Traefik version prior to the patched releases (2.11.35 and 3.6.7). Once the challenge is active, a client can open numerous connections, send truncated ClientHello messages with 'acme-tls/1', and then stop responding. Each such connection ties up a goroutine and a file descriptor, causing a denial-of-service condition on the Traefik entry point.
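The defensive pattern the advisory implies, bounding both how long an unauthenticated peer may sit on a connection before delivering its ClientHello and how many such connections may be pending at once, is illustrated below in Go. This is an added example, not Traefik's code or its fix: the gate limit, the 100 ms wait, the constructed 3-byte record and all function names (`HandshakeGate`, `AwaitFirstRecord`, `IsHandshakeTimeout`) are assumptions for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"os"
	"time"
)

// ErrTooManyPending is returned when the number of connections still waiting
// for their first TLS record has reached the configured ceiling.
var ErrTooManyPending = errors.New("too many connections pending handshake")

// HandshakeGate bounds how many accepted connections may be parked waiting for a
// ClientHello at the same time, so idle peers cannot exhaust file descriptors.
// (Illustrative type, not part of Traefik.)
type HandshakeGate struct {
	slots chan struct{}
}

func NewHandshakeGate(limit int) *HandshakeGate {
	return &HandshakeGate{slots: make(chan struct{}, limit)}
}

func (g *HandshakeGate) tryAcquire() bool {
	select {
	case g.slots <- struct{}{}:
		return true
	default:
		return false
	}
}

func (g *HandshakeGate) release() { <-g.slots }

// Pending reports how many connections currently hold a slot.
func (g *HandshakeGate) Pending() int { return len(g.slots) }

// AwaitFirstRecord reads the first bytes a peer sends (the start of its
// ClientHello) but refuses to wait longer than maxWait. A peer that connects
// and then goes silent has its connection closed and its slot released,
// instead of pinning a goroutine and a descriptor indefinitely.
func AwaitFirstRecord(conn net.Conn, gate *HandshakeGate, maxWait time.Duration) ([]byte, error) {
	if !gate.tryAcquire() {
		conn.Close()
		return nil, ErrTooManyPending
	}
	defer gate.release()

	if err := conn.SetReadDeadline(time.Now().Add(maxWait)); err != nil {
		conn.Close()
		return nil, err
	}
	buf := make([]byte, 4096)
	n, err := conn.Read(buf)
	if err != nil {
		conn.Close() // timeout or peer error: free the descriptor now
		return nil, err
	}
	// The handshake is progressing; lift the bound so later reads follow normal I/O rules.
	if err := conn.SetReadDeadline(time.Time{}); err != nil {
		conn.Close()
		return nil, err
	}
	return buf[:n], nil
}

// IsHandshakeTimeout distinguishes a silent peer from other read failures.
func IsHandshakeTimeout(err error) bool {
	return errors.Is(err, os.ErrDeadlineExceeded)
}

func main() {
	gate := NewHandshakeGate(64) // assumed ceiling for this example

	// Constructed in-memory peer that connects and never sends anything.
	server, client := net.Pipe()
	defer client.Close()
	_, err := AwaitFirstRecord(server, gate, 100*time.Millisecond)
	fmt.Printf("silent peer: timeout=%v pending=%d\n", IsHandshakeTimeout(err), gate.Pending())

	// Constructed peer that does send a record (a TLS handshake record header): the first read succeeds.
	server2, client2 := net.Pipe()
	go func() { client2.Write([]byte{0x16, 0x03, 0x01}); client2.Close() }()
	data, err := AwaitFirstRecord(server2, gate, 100*time.Millisecond)
	fmt.Printf("talking peer: %x err=%v\n", data, err)
}
```

The same read deadline set on the underlying `net.Conn` also bounds `tls.Server(conn, cfg).Handshake()` from the standard library, so the pattern carries over to a real TLS listener without parsing records by hand.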
Users should upgrade to Traefik 2.11.35 or 3.6.7, both of which include the fix. These versions are available from the Traefik GitHub Releases page.