CVE-2024-37082

9.1 CRITICAL

📋 TL;DR

This vulnerability lets an unauthenticated attacker bypass mTLS authentication in front of Cloud Foundry applications by crafting HTTP requests that haproxy treats as coming from a route service, so that a client-supplied X-Forwarded-Client-Cert header (the header the platform uses to carry the verified client certificate to the application) is forwarded instead of being stripped. It affects deployments that use haproxy-boshrelease with route services enabled and the ha_proxy.forwarded_client_cert property set to forward_only_if_route_service.

💻 Affected Systems

Products:
  • Cloud Foundry
  • haproxy-boshrelease
  • routing-release
Versions: haproxy-boshrelease versions that support route services and offer the forward_only_if_route_service option; see the vendor advisory for the exact affected range
Operating Systems: Linux
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when route-services enabled AND ha_proxy.forwarded_client_cert = 'forward_only_if_route_service'

⚠️ Manual Verification Required

This CVE does not have version ranges in our database, so automated vulnerability detection cannot determine whether your system is affected; the configuration check below is the reliable test.

Why? The NVD entry does not specify affected version ranges. The patch version listed under Fix & Mitigation should be confirmed against the vendor advisory before you rely on it.


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

An unauthenticated attacker presents a forged client identity to applications that rely on mTLS for authentication and gains access to the applications and data those certificates were meant to protect, with a data breach or further unauthorized access as the consequence.

🟠 Likely Case

Attackers bypass mTLS on backend applications that should require a mutual TLS handshake, using nothing more than crafted request headers.

🟢 If Mitigated

With the property moved off forward_only_if_route_service (or route services disabled), network segmentation and an additional authentication layer inside the application, exposure is limited to the specific route-service endpoints that still depend on forwarded certificates.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires crafting specific HTTP request headers but no credentials of any kind; the attacker needs only network reachability to haproxy.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: haproxy-boshrelease v0.18.0+

Vendor Advisory: https://www.cloudfoundry.org/blog/cve-2024-37082-mtls-bypass/

Restart Required: Yes

Instructions:

1. Update haproxy-boshrelease to v0.18.0 or later (confirm the fixed version against the vendor advisory)
2. Update routing-release to the latest version
3. Redeploy so the haproxy instances restart on the new release
4. Confirm the deployed release version and check that the manifest no longer carries the vulnerable combination of route services plus forward_only_if_route_service

🔧 Temporary Workarounds

Disable the vulnerable configuration

Move ha_proxy.forwarded_client_cert away from forward_only_if_route_service, or disable route services. Note that `always` is not a valid value for this property; its documented values are always_forward_only, forward_only, sanitize_set and forward_only_if_route_service (check the job spec of your release). sanitize_set is the safe choice for mTLS: haproxy discards any X-Forwarded-Client-Cert header the client supplied and sets the header only from the certificate it verified during the TLS handshake. Expect applications behind a route service to stop seeing the end user's certificate once forwarding is disabled; that is the trade-off the vulnerable setting was trying to avoid.

The property is a job property, not a cloud-config value, so bosh update-config does not apply. Set it in the deployment manifest (or an ops file) and redeploy:

bosh -d <deployment> deploy <manifest>.yml
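The setting in question trusts one client-settable header to decide whether to trust another. The following Python model, added here by the editor and not code from haproxy-boshrelease or Cloud Foundry, shows why, contrasting the vulnerable mode described in the TL;DR with the sanitize_set workaround above. It assumes the documented semantics of the property: under forward_only_if_route_service haproxy forwards the incoming X-Forwarded-Client-Cert only when the request also carries X-CF-Proxy-Signature (the marker a route service adds on the way back into the platform), otherwise it behaves like sanitize_set. The certificate placeholders, the request shapes and the treatment of the signature as an uninspected string are this example's assumptions.

```python
# Added example (editor's model, not haproxy or Cloud Foundry code): how the
# forwarded_client_cert mode decides what X-Forwarded-Client-Cert the backend
# sees. Mode semantics follow the property documentation as understood here;
# header values, certificate placeholders and request shapes are assumptions.
from dataclasses import dataclass
from typing import Dict, Optional

XFCC = "x-forwarded-client-cert"
# Header a Cloud Foundry route service adds when it sends a request back into
# the platform. At this hop it is only a header: any client can set it.
ROUTE_SERVICE_MARKER = "x-cf-proxy-signature"


@dataclass
class Request:
    headers: Dict[str, str]
    # Certificate haproxy itself verified during the TLS handshake, if any.
    tls_client_cert: Optional[str] = None


def backend_xfcc(mode: str, req: Request) -> Optional[str]:
    """Value of X-Forwarded-Client-Cert that reaches gorouter / the app."""
    hdrs = {name.lower(): value for name, value in req.headers.items()}
    if mode == "sanitize_set":
        # Drop whatever the client sent; only the handshake-verified cert counts.
        return req.tls_client_cert
    if mode == "forward_only_if_route_service":
        # Only the *presence* of the marker is checked, so a client-written
        # marker unlocks forwarding of a client-written certificate.
        if ROUTE_SERVICE_MARKER in hdrs:
            return hdrs.get(XFCC)
        return req.tls_client_cert
    raise ValueError(f"unsupported mode: {mode!r}")


def route_service_return(user_cert: str) -> Request:
    """A genuine route service sending the user's request back to the platform.
    It carries the user's certificate in XFCC because it terminated the user's
    TLS session; the signature placeholder stands for a value gorouter accepts."""
    return Request(
        headers={
            "X-CF-Proxy-Signature": "<signature-valid-for-gorouter>",
            "X-Forwarded-Client-Cert": user_cert,
        },
    )


def forged_request(fake_cert: str) -> Request:
    """An external client with no TLS client certificate, mimicking the
    route-service shape. The signature value is garbage; in this model
    haproxy never inspects it, only its presence."""
    return Request(
        headers={
            "X-CF-Proxy-Signature": "garbage",
            "X-Forwarded-Client-Cert": fake_cert,
        },
        tls_client_cert=None,
    )


def spoof_succeeds(mode: str) -> bool:
    """True when the forged certificate is what the backend receives."""
    return backend_xfcc(mode, forged_request("FORGED-CERT")) == "FORGED-CERT"


if __name__ == "__main__":
    for mode in ("forward_only_if_route_service", "sanitize_set"):
        legit = backend_xfcc(mode, route_service_return("USER-CERT"))
        print(f"{mode:30} spoof succeeds: {spoof_succeeds(mode)}; "
              f"genuine route service keeps user cert: {legit == 'USER-CERT'}")
```

Running the model shows both sides of the trade-off: the vulnerable mode lets the forged and the genuine request through identically, because at the haproxy hop nothing distinguishes them but header presence, while sanitize_set blocks the forgery and also discards the certificate a genuine route service forwarded, which is the functional loss the workaround section warns about.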

🧯 If You Can't Patch

  • Restrict, at the network level, which source addresses can reach haproxy with route-service headers; only your own route services should ever send them
  • Add additional authentication/authorization layers for applications behind mTLS

🔍 How to Verify

Check if Vulnerable:

Inspect the deployed manifest for the combination of route services enabled and ha_proxy.forwarded_client_cert set to forward_only_if_route_service; both must be present for the deployment to be affected:

bosh -d <deployment> manifest | grep -nE 'forwarded_client_cert|route_service'

Check Version:

bosh instances --ps lists processes, not release versions. Read the haproxy release version from the deployment list or from the manifest's releases block:

bosh deployments
bosh -d <deployment> manifest | grep -A1 'name: haproxy'

Verify Fix Applied:

Confirm that the deployed haproxy-boshrelease version is at or above the fixed version given in the vendor advisory (listed above as v0.18.0) and that the manifest no longer carries the vulnerable combination.

📡 Detection & Monitoring

Log Indicators:

  • Requests from external clients that carry an X-CF-Proxy-Signature header together with an X-Forwarded-Client-Cert header. HAProxy does not log request headers by default: add `capture request header X-Forwarded-Client-Cert len 64` and `capture request header X-CF-Proxy-Signature len 64` to the frontend so the values appear in the access log
  • Successful responses on mTLS-protected routes from connections on which haproxy saw no client certificate (ssl_c_used is 0)
  • Unexpected client certificate validation failures, which can indicate probing of the same routes

Network Indicators:

  • X-CF-Proxy-Signature headers arriving from source addresses that are not the egress addresses of your own route services

SIEM Query (field names depend on how your pipeline maps the captured headers):

source="haproxy" AND x_cf_proxy_signature!="" AND x_forwarded_client_cert!="" AND NOT src_ip IN (<route service egress addresses>)
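The indicators above become concrete once the two headers are captured into the access log. The Python below is an added example by the editor, not part of haproxy-boshrelease or any Cloud Foundry tooling. It assumes a frontend that captures X-Forwarded-Client-Cert and X-CF-Proxy-Signature (in that order) with `capture request header`, the standard httplog layout with the captured headers in braces, and a custom log-format that appends %[ssl_c_used] after the request line; the log lines, the trusted route-service network and the field order are constructed for the example.

```python
# Added example (editor's code, not part of haproxy-boshrelease): scan haproxy
# access-log lines for the spoof pattern. Assumes the frontend captures
# X-Forwarded-Client-Cert then X-CF-Proxy-Signature via `capture request header`,
# the standard httplog layout, and %[ssl_c_used] appended after the request
# line. All log lines below are constructed, not real traffic.
import ipaddress
import re
from typing import Iterable, List, Optional, Tuple

# Constructed sample: a healthy request, a genuine route-service return,
# a spoof attempt, and an XFCC header sent with no TLS client certificate.
SAMPLE_LOG = """\
Jul  1 12:00:01 hap haproxy[201]: 203.0.113.7:50012 [01/Jul/2024:12:00:01.120] https~ cf-routers/gorouter-0 0/0/1/4/5 200 812 - - ---- 3/3/0/0/0 0/0 {-|-} "GET /healthz HTTP/1.1" 0
Jul  1 12:00:02 hap haproxy[201]: 10.10.0.44:41822 [01/Jul/2024:12:00:02.300] https~ cf-routers/gorouter-1 0/0/1/6/7 200 912 - - ---- 3/3/0/0/0 0/0 {MIIBxyz...|AbCdEf...} "GET /api/v1/private HTTP/1.1" 1
Jul  1 12:00:03 hap haproxy[201]: 198.51.100.9:60233 [01/Jul/2024:12:00:03.010] https~ cf-routers/gorouter-0 0/0/1/5/6 200 912 - - ---- 3/3/0/0/0 0/0 {MIIBforged...|garbage} "GET /api/v1/private HTTP/1.1" 0
Jul  1 12:00:04 hap haproxy[201]: 192.0.2.55:50991 [01/Jul/2024:12:00:04.550] https~ cf-routers/gorouter-1 0/0/1/3/4 403 312 - - ---- 3/3/0/0/0 0/0 {MIIBnosig...|-} "GET /api/v1/private HTTP/1.1" 0
"""

# Egress addresses of the route services this platform actually runs
# (assumption for the example; fill in from your own deployment).
TRUSTED_ROUTE_SERVICE_NETS = [ipaddress.ip_network("10.10.0.0/24")]

# httplog fields up to the captured-header block, then the request line and
# the appended ssl_c_used flag. Timers may be -1, hence [\d/-].
LOG_RE = re.compile(
    r"(?P<src>\d+\.\d+\.\d+\.\d+):\d+ \[[^\]]+\] \S+ \S+ [\d/-]+ (?P<status>\d{3}) \d+ "
    r"\S+ \S+ \S+ [\d/]+ [\d/]+ \{(?P<captured>[^}]*)\} \"(?P<request>[^\"]*)\" "
    r"(?P<ssl_c_used>[01])$"
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one access-log line; None if it does not match the layout."""
    m = LOG_RE.search(line.rstrip())
    if not m:
        return None
    parts = m["captured"].split("|")  # haproxy logs "-" for an absent header
    return {
        "src": m["src"],
        "status": int(m["status"]),
        "request": m["request"],
        "xfcc": parts[0] if parts else "-",
        "sig": parts[1] if len(parts) > 1 else "-",
        "tls_client_cert": m["ssl_c_used"] == "1",
    }


def classify(rec: dict, trusted: Iterable[ipaddress.IPv4Network]) -> Optional[str]:
    """Reason the record is suspicious, or None."""
    src = ipaddress.ip_address(rec["src"])
    if any(src in net for net in trusted):
        return None  # one of our route services; the marker is expected
    if rec["sig"] != "-":
        return "route-service marker from an address that is not a route service"
    if rec["xfcc"] != "-" and not rec["tls_client_cert"]:
        return "client-supplied XFCC on a connection with no TLS client certificate"
    return None


def scan_log(text: str, trusted: Iterable[ipaddress.IPv4Network]) -> List[Tuple[str, str, int, str]]:
    """Return (source, request, status, reason) for every suspicious line."""
    trusted = list(trusted)
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reason = classify(rec, trusted)
        if reason:
            hits.append((rec["src"], rec["request"], rec["status"], reason))
    return hits


if __name__ == "__main__":
    for src, request, status, reason in scan_log(SAMPLE_LOG, TRUSTED_ROUTE_SERVICE_NETS):
        print(f"{src:15} {status} {request!r}: {reason}")
```

The allowlist is the important design choice: a route service legitimately sends the marker, so presence alone is noisy, and the source address is what separates your route services from an outsider imitating one. If a route service you use is hosted outside the platform, its egress addresses belong in the trusted set; a 200 on a flagged line is the case to escalate, a 403 (as in the last sample line) shows the platform rejected the forged identity.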
