DoS in http.proxyprotocol plugin

I wasn’t able to find any information about how to report security vulnerabilities in Caddy or Caddy plugins on the Caddy homepage so I figured a community forum thread would be appropriate disclosure.

I discovered a class of trivial DoS bugs in the HAProxy PROXY V2 parsing in the http.proxyprotocol Caddy plugin.

I opened the following GitHub issues with details and reproduction steps (including a Caddyfile and sample panic output from Caddy v1.0.1):

As I mentioned in the plugin issue, the documentation for this plugin should be much stronger in its language to recommend a source address filter. Using a filter would help mitigate this vulnerability, and I recommend users of this plugin ensure that they have such a filter configured until the github.com/mastercactapus/proxyprotocol package and the caddy-proxyprotocol plugin have been updated with a fix.

More importantly, without using a filter this plugin lets anyone able to send a request to the Caddy server spoof IP metadata (by design). Other web servers (e.g. Apache) that support the HAProxy PROXY protocol include an explicit warning like:

It is critical to only enable this behavior from intermediate hosts (proxies, etc) which are trusted by this server, since it is trivial for the remote useragent to impersonate another useragent.

No such warning is present in the Caddy plugin documentation and I think that’s a clear area for improvement.

Thanks,


One potential help here would be if the project maintainers could add a security.txt document to https://caddyserver.com/.well-known/security.txt

Here’s a quick standalone way to check if your Caddy server is vulnerable from a Linux host:

printf "\x0D\x0A\x0D\x0A\x00\x0D\x0A\x51\x55\x49\x54\x0A\x21\x12\x00\x00" | nc <caddy hostname> <caddy HTTPS port>

If the server is configured with proxyprotocol and there is no configured filter, or the filter allows the sender IP, the request generated with the above command will terminate the Caddy process on the server.
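As an added example (not the plugin's code and not the github.com/mastercactapus/proxyprotocol package), the Go program below shows the two defensive measures this thread asks for: a PROXY protocol v2 header parser that validates the declared length against what the address family requires before touching any bytes, so the probe above (signature, 0x21, 0x12, length 0) is rejected with an error instead of a panic, and a trusted-sender filter that is consulted before the header is parsed at all, so an arbitrary client cannot spoof addresses. The probe bytes are taken from the nc command; the well-formed header, the 10.0.0.0/8 trusted range and the addresses in it are constructed test values.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"net"
)

// The 12-byte v2 signature: "\r\n\r\n\0\r\nQUIT\n".
var v2Signature = []byte("\r\n\r\n\x00\r\nQUIT\n")

const v2FixedLen = 16 // signature + ver/cmd + family/proto + 2-byte length

var (
	ErrMalformed = errors.New("proxyprotocol: malformed v2 header")
	ErrShort     = errors.New("proxyprotocol: need more bytes")
	ErrUntrusted = errors.New("proxyprotocol: sender not trusted, header ignored")
)

// Header holds the addresses a v2 PROXY header claims for the connection.
type Header struct {
	Local            bool // LOCAL command: keep the socket's real addresses
	SrcIP, DstIP     net.IP
	SrcPort, DstPort uint16
}

// addrBlockLen is the address block size each family requires.
// Unknown families are rejected rather than guessed.
func addrBlockLen(family byte) (int, bool) {
	switch family {
	case 0x0: // AF_UNSPEC: no addresses carried
		return 0, true
	case 0x1: // AF_INET: 4+4 bytes address, 2+2 bytes port
		return 12, true
	case 0x2: // AF_INET6: 16+16 bytes address, 2+2 bytes port
		return 36, true
	case 0x3: // AF_UNIX: 108+108 bytes path
		return 216, true
	}
	return 0, false
}

// ParseV2 checks every length before indexing, so a truncated or
// inconsistent header yields an error instead of an index-out-of-range panic.
func ParseV2(buf []byte) (*Header, error) {
	if len(buf) < v2FixedLen {
		return nil, ErrShort
	}
	if !bytes.Equal(buf[:12], v2Signature) {
		return nil, ErrMalformed
	}
	verCmd, famProto := buf[12], buf[13]
	if verCmd>>4 != 0x2 || verCmd&0x0F > 0x1 { // version 2; command LOCAL(0) or PROXY(1)
		return nil, ErrMalformed
	}
	family, proto := famProto>>4, famProto&0x0F
	if proto > 0x2 { // UNSPEC(0), STREAM(1), DGRAM(2)
		return nil, ErrMalformed
	}
	need, ok := addrBlockLen(family)
	if !ok {
		return nil, ErrMalformed
	}
	declared := int(binary.BigEndian.Uint16(buf[14:16]))
	// The declared length must cover the family's whole address block;
	// a header claiming AF_INET but declaring 0 bytes is rejected here.
	if declared < need {
		return nil, ErrMalformed
	}
	if len(buf) < v2FixedLen+declared {
		return nil, ErrShort // caller reads more, up to a cap, or drops the connection
	}
	body := buf[v2FixedLen : v2FixedLen+declared]
	h := &Header{Local: verCmd&0x0F == 0x0}
	switch family {
	case 0x1:
		h.SrcIP, h.DstIP = net.IP(body[0:4]), net.IP(body[4:8])
		h.SrcPort, h.DstPort = binary.BigEndian.Uint16(body[8:10]), binary.BigEndian.Uint16(body[10:12])
	case 0x2:
		h.SrcIP, h.DstIP = net.IP(body[0:16]), net.IP(body[16:32])
		h.SrcPort, h.DstPort = binary.BigEndian.Uint16(body[32:34]), binary.BigEndian.Uint16(body[34:36])
	}
	return h, nil
}

// Filter lists the proxy networks whose PROXY headers are trusted.
type Filter struct{ nets []*net.IPNet }

func NewFilter(cidrs ...string) (*Filter, error) {
	f := &Filter{}
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			return nil, err
		}
		f.nets = append(f.nets, n)
	}
	return f, nil
}

func (f *Filter) Allows(ip net.IP) bool {
	for _, n := range f.nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// AcceptHeader applies the source filter before parsing: an untrusted peer
// can neither spoof client addresses nor reach the parser at all.
func AcceptHeader(f *Filter, sender net.IP, buf []byte) (*Header, error) {
	if !f.Allows(sender) {
		return nil, ErrUntrusted
	}
	return ParseV2(buf)
}

func main() {
	// Constructed inputs: the 16-byte probe from the post (AF_INET, length 0)
	// and a well-formed IPv4/TCP header for 10.0.0.1:4321 -> 192.0.2.10:443.
	probe := append(append([]byte{}, v2Signature...), 0x21, 0x12, 0x00, 0x00)
	good := append(append([]byte{}, v2Signature...), 0x21, 0x11, 0x00, 0x0C,
		10, 0, 0, 1, 192, 0, 2, 10, 0x10, 0xE1, 0x01, 0xBB)
	f, _ := NewFilter("10.0.0.0/8") // assumed trusted proxy range
	for _, in := range [][]byte{probe, good} {
		h, err := AcceptHeader(f, net.ParseIP("10.0.0.1"), in)
		fmt.Println(h, err)
	}
}
```

In a real listener the parser runs on a buffered reader with a hard cap on how many bytes it will wait for before giving up, and the filter is checked against the TCP peer address, not against anything in the header itself.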

MITRE assigned this CVE-2019-14243.

The caddy-proxyprotocol developer has published a new version (v0.0.3) of the plugin that fixes the identified vulnerability.

Many thanks to @mastercactapus for the very quick turnaround! :tada:
