Traefik TLS Handshake Management Vulnerability on TCP Routers Leading to Denial-of-Service

Vulnerability

A denial-of-service vulnerability has been identified in Traefik, an HTTP reverse proxy and load balancer, in versions prior to 2.11.38 and 3.6.9. The issue lies in how Traefik handles TLS handshakes on TCP routers: the read deadline that bounds protocol sniffing is cleared before the TLS handshake has finished, and if a read error occurs, Traefik attempts a second handshake with different parameters, discarding the initial error. A remote, unauthenticated client can trigger this by sending an incomplete TLS record and then halting transmission, leaving the handshake stalled indefinitely while the connection stays open. By opening many such stalled connections at once, an attacker can exhaust file descriptors and goroutines and disrupt the availability of every service on the affected entrypoint.
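The unsafe sequence described above is a cleared deadline followed by a retried handshake. As an added example (not Traefik's code), the Go accept path below keeps one read deadline in force from protocol sniffing through the completed handshake and fails closed on any error; the timeout value and the placeholder server config are assumptions.

```go
package main

import (
	"bufio"
	"crypto/tls"
	"errors"
	"net"
	"time"
)

// Bound on sniffing plus the whole TLS handshake (an assumed value).
const handshakeTimeout = 200 * time.Millisecond

// Placeholder config; real use sets Certificates or GetCertificate.
var serverConfig = &tls.Config{MinVersion: tls.VersionTLS12}

// peekedConn hands tls.Server the bytes the sniffer already buffered.
type peekedConn struct {
	net.Conn
	r *bufio.Reader
}
func (p peekedConn) Read(b []byte) (int, error) { return p.r.Read(b) }

// serveTLS is a simplified accept path for a TLS-terminating TCP router:
// sniff the first byte, then handshake. The sniffing deadline stays in
// force until the handshake completes, and every error closes the
// connection rather than being retried with other parameters.
func serveTLS(raw net.Conn, cfg *tls.Config) (*tls.Conn, error) {
	if err := raw.SetReadDeadline(time.Now().Add(handshakeTimeout)); err != nil {
		raw.Close()
		return nil, err
	}
	r := bufio.NewReader(raw)
	head, err := r.Peek(1)
	if err != nil {
		raw.Close()
		return nil, err
	}
	if head[0] != 0x16 { // 0x16 is the TLS handshake record type
		raw.Close()
		return nil, errors.New("not a TLS ClientHello")
	}
	conn := tls.Server(peekedConn{raw, r}, cfg)
	if err := conn.Handshake(); err != nil {
		raw.Close() // a stalled handshake releases the descriptor
		return nil, err
	}
	// Only a completed handshake lifts the deadline for application traffic.
	return conn, raw.SetReadDeadline(time.Time{})
}
```

A client that sends a truncated record header and then goes silent is closed once the deadline expires instead of holding a goroutine and a descriptor open.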

Impact

Exploitation of this vulnerability can lead to a significant degradation of service availability on the affected entrypoint, causing disruptions to all services routed through it.

Remediation

Upgrade to Traefik 2.11.38 or 3.6.9 (or later) to address this vulnerability.

Added: Mar 5, 2026, 7:24 PM
Updated: Mar 5, 2026, 7:46 PM

Vulnerability Rating

Custom Algorithm
  spread          7.6
  impact          2.5
  exploitability  8.3
  remediation     7.7
  relevance       3.5
  threat          0.0
  urgency         2.9
  incentive       8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.