Traefik deployment architecture

A severe issue was addressed on Monday, an issue that under certain conditions could be used to expose the private keys for TLS certificates used by companies running their infrastructure on cloud servers.

The issue —which received its own CVE identifier of CVE-2018-15598— affected Traefik, a very popular open source reverse proxy and load balancing solution created and administered by Containous, a French software company.

In modern web dev environments, developers deploy Traefik proxies/balancers in front of their Docker or Kubernetes server clusters in order to control how traffic flows to a company's IT infrastructure —such as backends, Intranets, public websites, mobile apps, APIs, or others.

Since it's quite an advanced solution, Traefik also comes with a backend panel, to help users better manage their Traefik setups.

Traefik dashboard API exposes TLS certs private keys

Over the weekend, security researcher Ed Foudil discovered that when companies were exposing their Traefik panels to the Internet, a remote attacker could query the backend panel's API on port 8080.

Foudil discovered that one of the API endpoints allowed an attacker to ask the Traefik instance for details about TLS settings, and even extract a copy of the company's TLS certificate private key.

This private key would have allowed an attacker to decrypt already intercepted traffic, or encrypt web traffic (HTTPS) and make it look like it was coming from a company's official site.

Onion site inadvertantly exposed via this bug

Foudil told Bleeping Computer in a private conversation that he discovered the bug while investigating the security of a bug bounty platform.

"My screenshot is of a vulnerable instance on a bug bounty program that I got a bounty for," he told us.

Other security researchers have also discovered similar Traefik backends exposing the infrastructure of various other companies.

The most interesting discovery came from British security researcher Robbie Wiggins, who discovered a Dark Web .onion domain hosted behind one particular Traefik instance.

But that's not all, Wiggins told Bleeping Computer that he also "found certificates for Kubernetes systems and a wildcard SSL cert for a marketing company."

Earlier today, Wiggins published a script that searches Shodan for vulnerable Traefik instances that TLS certificates data via their dashboard API. A quick Shodan search performed by this reporter reveals over 2,700 Traefik instances with open dashboards.

Issue fixed by adding clearer warnings

Containous fixed this issue on Monday, with the release of Traefik 1.6.6. In this new version, when admins enable the dashboard's API, they'll see a warning about the dangers of this operation, along with a mention that turning on the API might expose their TLS data.

"Enabling the API will expose all configuration elements, including secret. It is not recommended in production, unless secured by authentication and authorizations," the new warning reads.

Since only companies with pretty large internal networks and IT infrastructure tend to use Traefik, any misconfiguration in these setups can lead to some pretty big security issues, affecting products with millions of users, if not more. The Traefik website lists the Mozilla Foundation and the New Relic analytics service as two of the companies that employ Traefik instances.

"I can imagine people are hunting for Traefik instances right now as we speak to exploit this issue," Foudil told Bleeping Computer. Foudil also lauded Containous' quick response in this matter, having a fix for the reported issue out within a day after the initial report.

It is recommended that companies review their Traefik settings and disable public access to the Traefik dashbord and its API as soon as possible.

Related Articles:

TLS 1.0 and TLS 1.1 Being Retired in 2020 by All Major Browsers

Phishing Attack Uses Azure Blob Storage to Impersonate Microsoft

Cloudflare Improves Privacy by Encrypting the SNI During TLS Negotiation

Vulnerability in AMP for WP Plugin Allowed Admin Access to WordPress

Microsoft Patches Windows Zero-Day Exploited in Cyber Attacks