Denial of service vulnerability with invalid v2 PROXY data #8
Here’s a quick standalone way to check if the installed Caddy server w/ the caddy-proxyprotocol plugin is vulnerable:
If the server is configured with
MITRE assigned this CVE-2019-14243.
Thanks for this, especially the quick vuln. test and being so thorough with information. As a quick aside, for reference from the release notes: The scope of this vulnerability is limited to cases where an attacker is able to send traffic directly to the server, by bypassing the load balancer entirely. Since that's the sole purpose of this plugin (to be used behind a LB/proxy) hopefully that means real-world impact is minimal. Also worth noting: all HTTP/non-PROXY traffic is rejected with a If a
Closing, new version is released with fix -- validated build from caddyserver.com
@mastercactapus Great work on the quick resolution. Thank you!!
100% in agreement with you there. 👍 @mastercactapus Do you control the content of the docs on https://caddyserver.com/docs/http.proxyprotocol or is that handled in the upstream Caddy project? Is there somewhere I could open a PR with some suggested language to help emphasize the need for restricting access to the PROXY interface? I think it would be sensible to explicitly mention what the risks are if you don't use any sort of source address filtering or additional firewall rules. WDYT?
I do, and that would be a good idea. It's not in a repo but there's a UI I can make changes in. How about something like this (adapted from the Apache message):
Basically, same rules as
@mastercactapus That sounds good to me 👍 Thanks!
I opened an issue describing a DoS vulnerability in the github.com/mastercactapus/proxyprotocol package used by this plugin: mastercactapus/proxyprotocol#1

This code is the only consumer of the package I was able to find with light googling/github searching.

Since fixing the mastercactapus/proxyprotocol parsing bug will require an updated version of this plugin I wanted to file an issue here as well so it doesn't fall through the cracks.

Configuring the plugin with a source address filter is one potential mitigation in the short term.
The documentation would greatly benefit from strong language encouraging the use of a source address filter in all circumstances since, above and beyond the current bug, omitting such a filter will allow any client to spoof the IP metadata processed by the plugin. E.g. Apache's equivalent documentation says:
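A defensive PROXY v2 header parser with the source-address filter the thread recommends, added here as an illustration (it is not the plugin's or the proxyprotocol package's code): every declared length is bounds-checked before it is used, non-PROXY bytes are rejected, and TrustedSource gates which peers may supply the header at all. The names ParseV2, TrustedSource and maxV2Len, the 1024-byte cap and the sample addresses are assumptions.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"net"
)

// v2Signature is the fixed 12-byte preamble of every PROXY protocol v2 header.
var v2Signature = []byte("\r\n\r\n\x00\r\nQUIT\n")
var errBadHeader = errors.New("proxyprotocol: invalid v2 header")

// maxV2Len caps the header's declared length (a chosen limit, not from the spec).
const maxV2Len = 1024

// ParseV2 validates a PROXY v2 header at the start of buf and returns the client
// address it carries (nil for LOCAL) plus the bytes consumed; every length is
// checked before use, so malformed input fails fast instead of stalling the reader.
func ParseV2(buf []byte) (*net.TCPAddr, int, error) {
	if len(buf) < 16 || !bytes.Equal(buf[:12], v2Signature) {
		return nil, 0, errBadHeader
	}
	verCmd, fam, n := buf[12], buf[13], int(binary.BigEndian.Uint16(buf[14:16]))
	if verCmd>>4 != 2 || verCmd&0x0f > 1 || n > maxV2Len || len(buf) < 16+n {
		return nil, 0, errBadHeader // bad version/command, oversized or truncated
	}
	body, total := buf[16:16+n], 16+n
	if verCmd&0x0f == 0 { // LOCAL: sent by the proxy itself, carries no client address
		return nil, total, nil
	}
	switch {
	case fam == 0x11 && n >= 12: // TCP/IPv4: src, dst addr (4+4) then src, dst port
		return &net.TCPAddr{IP: net.IP(body[0:4]), Port: int(binary.BigEndian.Uint16(body[8:10]))}, total, nil
	case fam == 0x21 && n >= 36: // TCP/IPv6: src, dst addr (16+16) then src, dst port
		return &net.TCPAddr{IP: net.IP(body[0:16]), Port: int(binary.BigEndian.Uint16(body[32:34]))}, total, nil
	}
	return nil, 0, errBadHeader
}

// TrustedSource is the source-address filter: only peers inside allow may supply
// PROXY metadata; without it any client could spoof the address the plugin reports.
func TrustedSource(peer net.IP, allow []*net.IPNet) bool {
	for _, cidr := range allow {
		if cidr.Contains(peer) {
			return true
		}
	}
	return false
}
```

Call TrustedSource on the TCP peer address before ParseV2 on the first bytes read; a header that fails either check should close the connection rather than be retried.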