CVE-2025-65114 fixed in ATS 10.1.2. But smuggling bugs return. Get the distro commands, automation script, and iptables mitigation that work for years.
April 2026 Update: A Fedora security advisory recently highlighted two specific CVEs in Traffic Server (CVE-2025-58136 and CVE-2025-65114). That advisory is already old news, but the underlying problem, HTTP request smuggling via malformed chunked message bodies, is a class of vulnerability that has existed for 20+ years and will exist for 20 more.
This guide is not about a single patch. It’s about permanently securing your Apache Traffic Server (ATS) against request smuggling, whether you run Fedora, Ubuntu, Rocky Linux, or SUSE.
Why This Matters (Beyond a Single CVE)
Request smuggling is a disagreement about framing: a single POST with a malformed chunked body can make your proxy and the origin behind it disagree about where one request ends and the next begins. Once they disagree, an attacker can prepend their own request to another user's, reach paths your front-end access controls were supposed to block, or poison cached responses that are then served to everyone. If you run ATS as a forward or reverse proxy, you are in scope.
1. How to Check if You Are Vulnerable
Run these commands to see which ATS version you have installed. The package manager's record is the reliable one; traffic_server -V (capital V) prints the binary's own build string, which matters if ATS was built from source.

On Debian / Ubuntu:
apt list --installed | grep trafficserver
# Or check the binary version
/usr/bin/traffic_server -V

On Rocky Linux / RHEL / Fedora:
rpm -qa | grep trafficserver
traffic_server -V

On SUSE Linux Enterprise / openSUSE:
zypper search --installed-only trafficserver
rpm -q trafficserver
The Manual Test (Request Smuggling Check):
A correctly terminated chunked body followed by a second request is not a smuggling test: that is ordinary HTTP/1.1 pipelining, and a response for /admin in that setup proves only that the proxy processed the second request, not that framing was desynchronised. A useful probe has to make the framing ambiguous or malformed and see whether ATS refuses it. Save this as smuggling-test.sh and run it only against a proxy you are authorised to test:
#!/bin/bash
# smuggling-test.sh - send ambiguous HTTP/1.1 framing to a proxy you are authorised to test
HOST="${1:?usage: $0 <proxy-ip> [port]}"; PORT="${2:-8080}"
# Probe 1: Content-Length and Transfer-Encoding together (RFC 9112 6.1: a server may reject, and must close)
printf 'POST / HTTP/1.1\r\nHost: test.com\r\nContent-Length: 6\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\nG' | nc -w 5 "$HOST" "$PORT"
# Probe 2: a chunk-size that is not hexadecimal; a strict parser answers 400
printf 'POST / HTTP/1.1\r\nHost: test.com\r\nTransfer-Encoding: chunked\r\n\r\nzz\r\n\r\n' | nc -w 5 "$HOST" "$PORT"
A hardened build answers HTTP 400 (or closes the connection without a response) to both probes. A normal 200 or 404 for probe 1 with the connection left open means ATS accepted ambiguous framing and silently picked one of the two lengths; whether that is exploitable depends on whether the next hop picks the other one, which is the precondition for every desync in this class. The -w 5 on nc matters: a parser waiting for more chunk data would otherwise hang the script.
2. Automation Script to Apply the Fix (Bash for Major Distros)
This script detects your distro, updates ATS to a safe version (≥10.1.2), and restarts cleanly. Run as root. Two caveats: it reads the version from the package manager rather than from traffic_server, because the binary's build string is not in a fixed format, and it compares versions with sort -V, since a plain string comparison would call 9.2.5 newer than 10.1.2. Distributions also sometimes backport a fix without bumping the upstream version; if your distro's advisory says an older version is patched, trust the advisory over this comparison.
#!/bin/bash
# fix-ats-smuggling.sh - upgrade Apache Traffic Server to a fixed release (10.1.2 or higher). Run as root.
set -euo pipefail
SAFE="10.1.2"

# Installed version as the package manager records it, with epoch and distro suffix (-1, ~bpo, .el9) removed
installed_version() {
  if command -v dpkg-query >/dev/null 2>&1; then
    dpkg-query -W -f='${Version}' trafficserver 2>/dev/null | sed -E 's/^[0-9]+://; s/[-~+].*$//'
  elif command -v rpm >/dev/null 2>&1; then
    rpm -q --qf '%{VERSION}\n' trafficserver 2>/dev/null
  fi
}

# True when $1 >= $2 in natural version order
version_ge() {
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$2" ]
}

VERSION=$(installed_version || true)
if [ -z "$VERSION" ]; then
  echo "❌ trafficserver package not found. Source builds must be updated by hand."
  exit 1
fi
echo "Installed Apache Traffic Server: $VERSION"
if version_ge "$VERSION" "$SAFE"; then
  echo "✅ Version $VERSION is at or above $SAFE. No action needed."
  exit 0
fi
echo "⚠️ Vulnerable version $VERSION found. Applying fix..."

# Detect distro and update
if command -v apt-get >/dev/null 2>&1; then
  apt-get update && apt-get install --only-upgrade -y trafficserver
elif command -v dnf >/dev/null 2>&1; then
  dnf update -y trafficserver
elif command -v zypper >/dev/null 2>&1; then
  zypper refresh && zypper --non-interactive update trafficserver
else
  echo "❌ Unsupported package manager. Manual update required."
  exit 1
fi

# Restart and verify
systemctl restart trafficserver
sleep 2
NEW_VERSION=$(installed_version || true)
if version_ge "$NEW_VERSION" "$SAFE"; then
  echo "✅ Updated to $NEW_VERSION and restarted."
else
  echo "❌ Package is still $NEW_VERSION; your repository may not carry the fixed release yet."
  exit 1
fi
3. Alternative Mitigation (If You Can’t Update Now)
No immediate maintenance window? Use iptables or a front-end that re-frames request bodies to reduce exposure until you can patch. None of these removes the bug in ATS; they narrow who can reach it.
Option A: iptables Rule to Drop Suspicious Packets
This logs packets carrying the literal Transfer-Encoding: chunked header (legitimate clients use it, so log only) and drops packets containing the bytes of a terminating chunk immediately followed by a new GET request line. The string match does not interpret \r\n escapes, so the CRLF bytes must be written in hex:
iptables -I INPUT -p tcp --dport 8080 -m string --algo bm --hex-string "|30 0d 0a 0d 0a|GET " -j DROP
iptables -I INPUT -p tcp --dport 8080 -m string --algo bm --string "Transfer-Encoding: chunked" -j LOG --log-prefix "SMUGGLE_ATTEMPT "
Both rules use -I, so the LOG rule inserted second lands first and still fires for packets the DROP rule discards. Know what this does not do: -m string inspects one TCP segment at a time, so an attacker who splits the sequence across two segments is not matched; it cannot see inside TLS; and it also drops a legitimate client that pipelines a GET directly behind a chunked POST. Treat it as a stopgap for plaintext listeners only.
Option B: AppArmor / SELinux Confinement
Mandatory access control does not stop a desync: the cache is somewhere ATS legitimately writes, so a poisoned response still lands there. What confinement buys you is a smaller blast radius if a malformed body triggers a crash or memory-corruption bug in the parser. Make sure the policy actually applies to the traffic_server process:
# AppArmor (Ubuntu / SUSE): enforce the ATS profile, if you ship one under this name
aa-enforce /etc/apparmor.d/usr.bin.traffic_server
# SELinux (Rocky / Fedora): the system must be enforcing and the process must run in a confined domain
getenforce
ps -eZ | grep traffic_server
If getenforce prints Permissive, or the process label ends in unconfined_t, the policy is not constraining ATS. Do not reach for setsebool -P httpd_can_network_connect on here: that boolean allows the httpd domain to open outbound connections, so it loosens policy rather than tightening it.
Option C: Reverse Proxy Front-End (NGINX)
Deploy a hardened NGINX in front of ATS so that the client's chunk framing never reaches it. With request buffering on (the default), NGINX reads the whole chunked body itself and forwards it upstream with a Content-Length header, and recent versions (1.21.1 and later) answer 400 to requests that carry both Content-Length and Transfer-Encoding. Add this to your nginx.conf location block:
location / {
    proxy_http_version 1.1;
    proxy_request_buffering on;   # default; keep it on so bodies are re-framed under Content-Length
    proxy_pass http://your-ats-backend:8080;
}
Do not try to strip the header with proxy_set_header Transfer-Encoding ""; NGINX manages the upstream framing headers itself, and buffering is what removes the chunk boundaries. Remember that this adds a hop that must also be kept patched, and that internal paths exposed through ATS still need authentication of their own.
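Two points above are easier to see in code than in prose: the manual test in section 1 (a complete chunked body followed by a second request is pipelining, whereas both Content-Length and Transfer-Encoding on one request, or a non-hex chunk size, is what a strict parser refuses) and Option C (the normalising front-end forwards the decoded body under Content-Length, so no chunk boundaries reach ATS). The following Python is an added example written for this article; it is not Apache Traffic Server or NGINX code, the framing rules are those of RFC 9112 sections 6 and 7.1, and every sample request is constructed.

```python
"""Strict HTTP/1.1 request framing: how a proxy should decide where a request ends.
Added illustration, not ATS or NGINX source. Sample requests below are constructed."""
import re

class FramingError(ValueError):
    """Any message a strict proxy must answer with 400 and a closed connection."""

HEADER_LINE = re.compile(rb"^([!#$%&'*+.^_`|~0-9A-Za-z-]+):[ \t]*(.*?)[ \t]*$")
# chunk-size is hex digits, optionally followed by a chunk extension: no sign, no 0x, no spaces
CHUNK_SIZE = re.compile(rb"^([0-9A-Fa-f]{1,8})(;.*)?$")

def parse_message(data: bytes):
    """Return (request_line, headers, body, rest); rest is what follows this message on the connection."""
    end = data.find(b"\r\n\r\n")
    if end < 0:
        raise FramingError("incomplete header block")
    lines = data[:end].split(b"\r\n")
    request_line, headers = lines[0], []
    for line in lines[1:]:
        m = HEADER_LINE.match(line)
        if not m:  # also rejects obs-fold continuation lines, which start with whitespace
            raise FramingError(f"malformed header line {line!r}")
        headers.append((m.group(1).lower(), m.group(2)))
    te = [v for k, v in headers if k == b"transfer-encoding"]
    cl = [v for k, v in headers if k == b"content-length"]
    start = end + 4
    if te and cl:
        # two answers to "how long is the body": the CL.TE / TE.CL desync precondition
        raise FramingError("both Content-Length and Transfer-Encoding present")
    if te:
        codings = [c.strip().lower() for v in te for c in v.split(b",")]
        if codings.count(b"chunked") != 1 or codings[-1] != b"chunked":
            raise FramingError("Transfer-Encoding must end in exactly one 'chunked'")
        body, rest = decode_chunked(data[start:])
        return request_line, headers, body, rest
    if cl:
        if len(set(cl)) != 1 or not re.fullmatch(rb"[0-9]+", cl[0]):
            raise FramingError("invalid or conflicting Content-Length")
        n = int(cl[0])
        if len(data) - start < n:
            raise FramingError("body shorter than Content-Length")
        return request_line, headers, data[start:start + n], data[start + n:]
    return request_line, headers, b"", data[start:]

def decode_chunked(buf: bytes):
    """Decode a chunked body strictly; returns (body, bytes left after the trailer section)."""
    body, pos = bytearray(), 0
    while True:
        nl = buf.find(b"\r\n", pos)
        if nl < 0:
            raise FramingError("truncated chunk-size line")
        m = CHUNK_SIZE.match(buf[pos:nl])
        if not m:
            raise FramingError(f"malformed chunk-size {buf[pos:nl]!r}")
        size, pos = int(m.group(1), 16), nl + 2
        if size == 0:
            break
        if buf[pos + size:pos + size + 2] != b"\r\n":
            raise FramingError("chunk data truncated or not followed by CRLF")
        body += buf[pos:pos + size]
        pos += size + 2
    while True:  # trailer section: zero or more header lines, then an empty line
        nl = buf.find(b"\r\n", pos)
        if nl < 0:
            raise FramingError("truncated trailer section")
        if nl == pos:
            return bytes(body), buf[pos + 2:]
        if not HEADER_LINE.match(buf[pos:nl]):
            raise FramingError("malformed trailer line")
        pos = nl + 2

def rejects(data: bytes) -> bool:
    """True when a strict front end would refuse the message."""
    try:
        parse_message(data)
    except FramingError:
        return True
    return False

def reframe_with_content_length(data: bytes) -> bytes:
    """What a normalising front end forwards: decoded body under Content-Length, framing headers dropped.
    Header names come out lower-cased, which HTTP permits."""
    request_line, headers, body, rest = parse_message(data)
    if rest:
        raise FramingError("pipelined data after message; forward one message at a time")
    kept = b"".join(k + b": " + v + b"\r\n" for k, v in headers
                    if k not in (b"transfer-encoding", b"content-length"))
    return request_line + b"\r\n" + kept + b"Content-Length: %d\r\n\r\n" % len(body) + body

# Constructed samples. PAGE_TEST is the request the original manual test sent.
PAGE_TEST = (b"POST / HTTP/1.1\r\nHost: test.com\r\nTransfer-Encoding: chunked\r\n\r\n"
             b"0\r\n\r\nGET /admin HTTP/1.1\r\nHost: internal-server\r\n\r\n")
AMBIGUOUS = (b"POST / HTTP/1.1\r\nHost: test.com\r\nContent-Length: 6\r\n"
             b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\nG")
BAD_SIZE = b"POST / HTTP/1.1\r\nHost: test.com\r\nTransfer-Encoding: chunked\r\n\r\n0x5\r\nhello\r\n0\r\n\r\n"
CHUNKED = (b"POST /upload HTTP/1.1\r\nHost: app\r\nTransfer-Encoding: chunked\r\n\r\n"
           b"5\r\nhello\r\n6\r\n world\r\n0\r\n\r\n")

if __name__ == "__main__":
    _, _, body, rest = parse_message(PAGE_TEST)
    print("page test: empty body, then a second complete request ->", rest.split(b"\r\n")[0])
    print("CL + TE rejected:", rejects(AMBIGUOUS), "| non-hex chunk size rejected:", rejects(BAD_SIZE))
    print(reframe_with_content_length(CHUNKED).decode())
```

Run it as a script to see the three outcomes side by side. The parser returns the leftover bytes on purpose: for PAGE_TEST that leftover is a complete, well-formed GET /admin, which is why the original test could only ever demonstrate pipelining. The ambiguous and malformed messages never reach the body-handling code at all; that early rejection, followed by closing the connection, is the behaviour you want from whatever sits in front of ATS.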