A severe issue was addressed on Monday, an issue that under certain conditions could be used to expose the private keys for TLS certificates used by companies running their infrastructure on cloud servers.
The issue —which received its own CVE identifier of CVE-2018-15598— affected Traefik, a very popular open source reverse proxy and load balancing solution created and administered by Containous, a French software company.
In modern web dev environments, developers deploy Traefik proxies/balancers in front of their Docker or Kubernetes server clusters in order to control how traffic flows to a company's IT infrastructure —such as backends, Intranets, public websites, mobile apps, APIs, or others.
Since it's quite an advanced solution, Traefik also comes with a backend panel, to help users better manage their Traefik setups.
Over the weekend, security researcher Ed Foudil discovered that when companies were exposing their Traefik panels to the Internet, a remote attacker could query the backend panel's API on port 8080.
Foudil discovered that one of the API endpoints allowed an attacker to ask the Traefik instance for details about TLS settings, and even extract a copy of the company's TLS certificate private key.
This private key would have allowed an attacker to decrypt already intercepted traffic, or encrypt web traffic (HTTPS) and make it look like it was coming from a company's official site.
Foudil told Bleeping Computer in a private conversation that he discovered the bug while investigating the security of a bug bounty platform.
"My screenshot is of a vulnerable instance on a bug bounty program that I got a bounty for," he told us.
Check for Traefik instances running on port 8080. The /api endpoint exposes private keys of the SSL certificates belonging to the hosts listed on the Traefik instance. pic.twitter.com/wFi2xn4DVq— Ed (@EdOverflow) August 19, 2018
Other security researchers have also discovered similar Traefik backends exposing the infrastructure of various other companies.
The most interesting discovery came from British security researcher Robbie Wiggins, who discovered a Dark Web .onion domain hosted behind one particular Traefik instance.
http://18.104.22.168:8080/dashboard/ - .onion :)— Random Robbie (@Random_Robbie) August 20, 2018
But that's not all, Wiggins told Bleeping Computer that he also "found certificates for Kubernetes systems and a wildcard SSL cert for a marketing company."
Earlier today, Wiggins published a script that searches Shodan for vulnerable Traefik instances that TLS certificates data via their dashboard API. A quick Shodan search performed by this reporter reveals over 2,700 Traefik instances with open dashboards.
Containous fixed this issue on Monday, with the release of Traefik 1.6.6. In this new version, when admins enable the dashboard's API, they'll see a warning about the dangers of this operation, along with a mention that turning on the API might expose their TLS data.
"Enabling the API will expose all configuration elements, including secret. It is not recommended in production, unless secured by authentication and authorizations," the new warning reads.
Since only companies with pretty large internal networks and IT infrastructure tend to use Traefik, any misconfiguration in these setups can lead to some pretty big security issues, affecting products with millions of users, if not more. The Traefik website lists the Mozilla Foundation and the New Relic analytics service as two of the companies that employ Traefik instances.
"I can imagine people are hunting for Traefik instances right now as we speak to exploit this issue," Foudil told Bleeping Computer. Foudil also lauded Containous' quick response in this matter, having a fix for the reported issue out within a day after the initial report.
It is recommended that companies review their Traefik settings and disable public access to the Traefik dashbord and its API as soon as possible.