CVE-2024-39321
📋 TL;DR
This vulnerability allows attackers to bypass IP allow-lists in the Traefik reverse proxy by sending HTTP/3 early-data requests with spoofed source IP addresses during QUIC 0-RTT handshakes. It affects all Traefik deployments that enable HTTP/3 (QUIC) and rely on IP allow-list configurations. Organizations running Traefik versions prior to 2.11.6, 3.0.4, or 3.1.0-rc3 are vulnerable.
💻 Affected Systems
- Traefik
📦 What is this software?
Traefik by Traefik
⚠️ Risk & Real-World Impact
Worst Case
Attackers can bypass IP-based access controls entirely, gaining unauthorized access to internal services protected by Traefik's IP allow-lists, potentially leading to data breaches or service compromise.
Likely Case
Attackers bypass IP restrictions to access services intended only for specific IP ranges, potentially exposing administrative interfaces or internal applications to unauthorized users.
If Mitigated
With proper network segmentation and additional authentication layers, impact is limited to bypassing only the IP filtering layer.
🎯 Exploit Status
Exploitation requires the ability to send packets with a spoofed source IP address and knowledge of QUIC 0-RTT handshakes. No public exploit code has been released.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.11.6, 3.0.4, or 3.1.0-rc3
Vendor Advisory: https://github.com/traefik/traefik/security/advisories/GHSA-gxrv-wf35-62w9
Restart Required: Yes
Instructions:
1. Identify your Traefik version.
2. Upgrade to 2.11.6, 3.0.4, or 3.1.0-rc3 based on your major version.
3. Restart the Traefik service.
4. Verify the new version is running.
🔧 Temporary Workarounds
Disable HTTP/3
Disable HTTP/3 and the QUIC protocol to prevent exploitation via 0-RTT handshakes
# In Traefik's static configuration, leave experimental.http3 unset (v2) and remove the http3 block from every entryPoints.<name> entry so no entry point serves HTTP/3
Disable 0-RTT
Disable QUIC 0-RTT handshakes if HTTP/3 must remain enabled
# Configure QUIC to disable 0-RTT support in your QUIC implementation
🧯 If You Can't Patch
- Disable HTTP/3 entirely in Traefik configuration
- Implement additional authentication layers beyond IP allow-lists
🔍 How to Verify
Check if Vulnerable:
Check the Traefik version and whether HTTP/3 is enabled on any entry point while IP allow-list middleware is configured
Check Version:
traefik version
Verify Fix Applied:
Confirm Traefik version is 2.11.6, 3.0.4, or 3.1.0-rc3 or later
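An added triage helper (example code, not Traefik's or the advisory's own) that applies the version rule above to `traefik version` output and lists the entry points with HTTP/3 enabled. It assumes Traefik's static-configuration keys `entryPoints.<name>.http3` and, on v2, `experimental.http3`; the version output and configuration at the bottom are constructed samples.

```python
import re

# Fixed releases named in the advisory; older releases on the same line are exposed.
FIXED = {"2": "2.11.6", "3.0": "3.0.4", "3.1": "3.1.0-rc3"}

def parse_version(s: str) -> tuple:
    """'3.1.0-rc2' -> (3, 1, 0, 0, 2); a final release is (..., 1, 0), so it
    sorts after its own release candidates."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:-rc(\d+))?", s.strip())
    if not m:
        raise ValueError(f"unrecognised Traefik version: {s!r}")
    major, minor, patch, rc = m.groups()
    return (int(major), int(minor), int(patch), 0 if rc else 1, int(rc or 0))

def is_vulnerable(version: str) -> bool:
    """True when the release predates the fix for its line (CVE-2024-39321)."""
    v = parse_version(version)
    if v[0] == 2:
        return v < parse_version(FIXED["2"])
    if v[0] == 3:  # 3.0.x before 3.0.4, or 3.1.0-rc1/rc2
        return v < parse_version(FIXED["3.0"]) or \
            parse_version("3.1.0-rc1") <= v < parse_version(FIXED["3.1"])
    return False  # assumption: 1.x has no HTTP/3; later majors ship the fix

def http3_entrypoints(static_config: dict, major: int) -> list:
    """Entry points with HTTP/3 enabled. v2 also needs the global
    experimental.http3 switch; v3 enables it per entry point only."""
    if major == 2 and not static_config.get("experimental", {}).get("http3"):
        return []
    return [name for name, ep in static_config.get("entryPoints", {}).items()
            if isinstance(ep, dict) and ep.get("http3", False) is not False]

def triage(version_output: str, static_config: dict) -> dict:
    """Combine `traefik version` output with the static config into a verdict."""
    m = re.search(r"^Version:\s*(\S+)", version_output, re.MULTILINE)
    if not m:
        raise ValueError("no 'Version:' line in `traefik version` output")
    version, vuln = m.group(1), is_vulnerable(m.group(1))
    eps = http3_entrypoints(static_config, parse_version(version)[0])
    return {"version": version, "vulnerable_release": vuln,
            "http3_entrypoints": eps, "exposed": vuln and bool(eps)}

# Constructed sample: an unpatched 2.11 node with HTTP/3 on its TLS entry point.
SAMPLE_VERSION_OUTPUT = "Version:      2.11.5\nOS/Arch:      linux/amd64\n"
SAMPLE_STATIC_CONFIG = {
    "experimental": {"http3": True},
    "entryPoints": {"web": {"address": ":80"},
                    "websecure": {"address": ":443", "http3": {"advertisedPort": 443}}},
}
```

`triage(SAMPLE_VERSION_OUTPUT, SAMPLE_STATIC_CONFIG)` reports the node as exposed; a node that is on a fixed release or has no HTTP/3 entry point reports `exposed: False`.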
📡 Detection & Monitoring
Log Indicators:
- Unexpected successful connections from IPs not in allow-list
- HTTP/3 requests with unusual patterns
Network Indicators:
- QUIC 0-RTT handshake attempts from suspicious sources
- HTTP/3 traffic bypassing expected IP filters
SIEM Query:
source="traefik" AND (http_version="3" OR protocol="QUIC") AND allowed_ip="false"
🔗 References
- https://github.com/traefik/traefik/releases/tag/v2.11.6
- https://github.com/traefik/traefik/releases/tag/v3.0.4
- https://github.com/traefik/traefik/releases/tag/v3.1.0-rc3
- https://github.com/traefik/traefik/security/advisories/GHSA-gxrv-wf35-62w9