CVE-2021-3618: 
NGINX vulnerability analysis and mitigation

ALPACA (Application Layer Protocol Confusion - Analyzing and mitigating Cracks in tls Authentication) is a security vulnerability identified as CVE-2021-3618. The vulnerability exploits TLS servers implementing different protocols but using compatible certificates, such as multi-domain or wildcard certificates. A Man-in-the-Middle (MiTM) attacker with access to victim's traffic at the TCP/IP layer can redirect traffic from one subdomain to another, resulting in a valid TLS session (ALPACA Website, NVD).

The vulnerability exists because TLS does not protect the source or destination IP and port address of the TCP connection, as TLS is designed to be application layer independent. This gap in protection allows attackers to redirect traffic between servers. The vulnerability has been assigned a CVSS v3.1 Base Score of 7.4 (HIGH) with vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N (NVD).

The attack breaks the authentication of TLS and enables cross-protocol attacks where the behavior of one protocol service may compromise another at the application layer. In web-based scenarios, attackers can potentially extract session cookies and other private user data or execute arbitrary JavaScript in the context of the vulnerable web server (ALPACA Website).

Several vendors have released fixes for this vulnerability. Vsftpd 3.0.4 implemented countermeasures at both application and TLS layers. Nginx 1.21.0 implemented mitigations at the application layer in the mail proxy. Sendmail 8.17 added detection for HTTP requests when STARTTLS is used and implemented additional countermeasures at the application layer (Red Hat Bugzilla).