CVE-2021-23409

7.5 HIGH

📋 TL;DR

go-proxyproto before 0.6.0 reads the PROXY protocol header from each accepted connection with no deadline. A client that opens a TCP connection and never sends a header (or sends an incomplete one) holds that connection, and the goroutine reading it, open for as long as it likes; enough such connections exhaust file descriptors, memory and goroutines and deny service to legitimate clients. Any listener wrapped with this library that is reachable by clients other than the trusted load balancer or proxy that emits the header is exposed.

💻 Affected Systems

Products:
  • github.com/pires/go-proxyproto
Versions: All versions before 0.6.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems using the library to parse proxy protocol headers from untrusted sources.

📦 What is this software?

go-proxyproto is a Go library implementing the HAProxy PROXY protocol (versions 1 and 2). It wraps a net.Listener and net.Conn so that a server sitting behind a load balancer or TCP proxy can recover the original client address from the header the proxy prepends to each connection.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete service unavailability: a flood of connections that send no header stays open indefinitely, exhausting file descriptors, memory and goroutines on every service built with the vulnerable library.

🟠

Likely Case

Service degradation or intermittent outages as idle, headerless connections accumulate and the listener runs out of capacity for real clients.

🟢

If Mitigated

Minimal impact with proper network controls and updated library versions, maintaining normal service functionality.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation only requires the ability to open TCP connections to the proxy-protocol port and then send nothing (or a partial header); no authentication, no protocol knowledge and no special tooling are needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.6.0

Vendor Advisory: https://github.com/pires/go-proxyproto/releases/tag/v0.6.0

Restart Required: Yes

Instructions:

1. Update go.mod to require github.com/pires/go-proxyproto v0.6.0 or later.
2. Run 'go mod tidy'.
3. Set ReadHeaderTimeout (the Listener field introduced in 0.6.0) on every proxyproto.Listener you construct to a short value, a few seconds at most; do not rely on a library default, since whether one applies depends on the release.
4. Rebuild and redeploy affected applications.
5. Restart services using the updated library.
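The following is an added example, not code from this page or from the go-proxyproto project: a stdlib-only model of the failure mode and of the fix that ReadHeaderTimeout provides. A minimal PROXY v1 reader is run against a loopback listener; with a zero timeout it models the unpatched behaviour (the read hangs for as long as a silent client keeps the socket open), with a positive timeout it gives up, logs the peer address, and returns an error the server can act on. The header line and the function names (ParseProxyV1, readHeader, Outcome) are assumptions made for this example and are not the library's API.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"log"
	"net"
	"strings"
	"time"
)

// ErrHeaderTimeout is returned when a peer keeps the connection open without
// completing a PROXY protocol header before the deadline.
var ErrHeaderTimeout = errors.New("proxyproto: timed out waiting for PROXY header")

// maxV1Header is the longest legal PROXY v1 line (107 bytes per the spec).
const maxV1Header = 107

// ProxyInfo holds the addresses carried by a PROXY protocol v1 header.
type ProxyInfo struct{ Proto, SrcAddr, DstAddr, SrcPort, DstPort string }

// ParseProxyV1 parses one v1 line, e.g. "PROXY TCP4 192.0.2.1 198.51.100.2 51234 443\r\n".
func ParseProxyV1(line string) (ProxyInfo, error) {
	f := strings.Fields(strings.TrimRight(line, "\r\n"))
	switch {
	case len(f) == 0 || f[0] != "PROXY":
		return ProxyInfo{}, errors.New("proxyproto: not a PROXY v1 header")
	case len(f) == 2 && f[1] == "UNKNOWN":
		return ProxyInfo{Proto: "UNKNOWN"}, nil // proxy could not determine addresses
	case len(f) != 6 || (f[1] != "TCP4" && f[1] != "TCP6"):
		return ProxyInfo{}, errors.New("proxyproto: malformed PROXY v1 header")
	}
	return ProxyInfo{Proto: f[1], SrcAddr: f[2], DstAddr: f[3], SrcPort: f[4], DstPort: f[5]}, nil
}

// readLine reads one byte at a time up to and including '\n' (so no application
// data after the header is consumed) and gives up past the spec's maximum length.
func readLine(conn net.Conn) (string, error) {
	buf, b := make([]byte, 0, maxV1Header), make([]byte, 1)
	for len(buf) < maxV1Header {
		if _, err := io.ReadFull(conn, b); err != nil {
			return "", err
		}
		if buf = append(buf, b[0]); b[0] == '\n' {
			return string(buf), nil
		}
	}
	return "", errors.New("proxyproto: PROXY v1 header too long")
}

// readHeader reads and parses the header from a freshly accepted conn.
// timeout == 0 models the unpatched behaviour: no deadline, so the read blocks
// for as long as the peer keeps the socket open. A positive timeout is the
// hardened form, equivalent in effect to setting ReadHeaderTimeout.
func readHeader(conn net.Conn, timeout time.Duration) (ProxyInfo, error) {
	if timeout > 0 {
		_ = conn.SetReadDeadline(time.Now().Add(timeout))
		defer conn.SetReadDeadline(time.Time{}) // clear it for application reads
	}
	line, err := readLine(conn)
	if err != nil {
		var ne net.Error
		if errors.As(err, &ne) && ne.Timeout() {
			// Log the peer address: this is the line a SIEM rule should key on.
			log.Printf("proxyproto: header timeout from %s", conn.RemoteAddr())
			return ProxyInfo{}, ErrHeaderTimeout
		}
		return ProxyInfo{}, err
	}
	return ParseProxyV1(line)
}

// Outcome runs one accept/read cycle over loopback: the client sends payload
// (possibly nothing) and we wait up to `wait` for readHeader to finish.
// Returns "ok <src>", "timeout", "error <msg>", or "blocked" when readHeader is
// still hanging after `wait` (the unpatched DoS condition).
func Outcome(headerTimeout time.Duration, payload string, wait time.Duration) string {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "error " + err.Error()
	}
	defer ln.Close()
	result := make(chan string, 1)
	go func() {
		conn, err := ln.Accept()
		if err != nil {
			result <- "error " + err.Error()
			return
		}
		defer conn.Close()
		info, err := readHeader(conn, headerTimeout)
		switch {
		case errors.Is(err, ErrHeaderTimeout):
			result <- "timeout"
		case err != nil:
			result <- "error " + err.Error()
		default:
			result <- "ok " + info.SrcAddr
		}
	}()
	client, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return "error " + err.Error()
	}
	defer client.Close() // closing it also unblocks a hung reader
	if payload != "" {
		_, _ = client.Write([]byte(payload))
	}
	select {
	case r := <-result:
		return r
	case <-time.After(wait):
		return "blocked"
	}
}

func main() {
	header := "PROXY TCP4 192.0.2.1 198.51.100.2 51234 443\r\n" // constructed sample header
	fmt.Println("unpatched, silent client:", Outcome(0, "", 300*time.Millisecond))
	fmt.Println("with timeout, silent client:", Outcome(200*time.Millisecond, "", 2*time.Second))
	fmt.Println("with timeout, real proxy:", Outcome(2*time.Second, header, 2*time.Second))
}
```

The byte-at-a-time read and the 107-byte cap are deliberate: a buffered reader would swallow application bytes that follow the header, and an unbounded line read would let a client feed an endless header instead of no header at all, which is the same resource-holding problem in a different shape. The timeout should be short (seconds): a genuine load balancer writes the header immediately after connecting.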

🔧 Temporary Workarounds

Network filtering (all platforms)

Restrict the proxy-protocol port to the addresses of the load balancer or proxy that emits the header (host firewall or security-group allow-list). Anything else is by definition a client that will never send one. Rate-limit new connections per source if the port must stay broadly reachable.

Per-source connection limits (all platforms)

Cap concurrent connections per source address at the host firewall (for example an iptables/nftables connlimit rule) so that a single client cannot hold enough idle connections to exhaust the listener. Validating the header at the load balancer itself does not help: the attack comes from clients that bypass the load balancer and reach the listener directly.

🧯 If You Can't Patch

  • Implement network segmentation to isolate vulnerable services from untrusted networks.
  • Deploy rate limiting and connection monitoring to detect and block DoS attempts.

🔍 How to Verify

Check if Vulnerable:

Check go.mod or vendor dependencies for github.com/pires/go-proxyproto version <0.6.0. The require line in go.mod may not be the version actually selected (and misses indirect dependencies); 'go list -m all' shows the selected versions, and 'go version -m <binary>' lists the module versions embedded in a built binary.

Check Version:

grep 'github.com/pires/go-proxyproto' go.mod

Verify Fix Applied:

Confirm go.mod requires github.com/pires/go-proxyproto v0.6.0 or later, rebuild the applications, and check that ReadHeaderTimeout is set on every proxyproto.Listener the code constructs.

📡 Detection & Monitoring

Log Indicators:

  • Increased connection errors or timeouts in application logs
  • Unusual spikes in failed connection attempts

Network Indicators:

  • Many established connections to the proxy-protocol port from addresses other than the load balancer, with little or no data received (in ss/netstat output: long-lived connections with an empty receive queue)
  • Abnormal TCP connection patterns to proxy protocol ports, such as one source holding hundreds of concurrent connections

SIEM Query:

source="application_logs" AND (error OR timeout OR "connection failed") AND "proxyproto"

The "proxyproto" term assumes the application surfaces the library's read error in its logs; adjust the pattern to whatever your service actually writes. After upgrading, log header-read timeouts together with the peer address so that this rule has a specific line to match and the offending sources can be blocked.
