HAProxy is one of the most widely used open-source software load balancers and proxy servers for Hypertext Transfer Protocol (HTTP) and Transmission Control Protocol (TCP) applications. The software gained high popularity because it is free and promises to be the “world’s fastest” [4] load balancer. It is currently integrated in most Linux distributions (Ubuntu, Debian 8, and CentOS) and is the default deployment for cloud platforms (Amazon AWS, Azure, and Google Cloud). Designed for websites with a large amount of inbound and outbound traffic, it is used by many well-known high-traffic sites such as Virgin America, Booking.com, Airbnb, and Instagram. [5]
On September 7, 2021, the JFrog Security research team discovered that HAProxy versions 2.0 and later were subject to an integer overflow vulnerability that allows an attacker to conduct an HTTP request smuggling attack. [5] To carry out the attack, the malicious actor manipulates the HTTP request header by adding a character to the “content-length” header. [3] Because the proxy is unable to reconcile the contradicting lengths given by the “content-length” and “transfer-encoding” headers [1], the request is passed through to the backend server, bypassing the access control lists.
Vulnerability
CVE-2021-40346 – Ubuntu 20.04 LTS / 21.04: HAProxy vulnerabilities (USN-5063-1). [2][6] The vulnerability is an integer overflow that allows an attacker to conduct an HTTP request smuggling attack against the backend server without being detected by the proxy server. [5]
Impact
With over 500 million downloads [3] and its inclusion as a standard package on Linux distributions and cloud platforms, the impact of this vulnerability could potentially include sensitive data loss, escalation of privileges, hijacking of user sessions, and cross-site scripting without user interaction. [5] This means that the attacker has full access to affected servers and plenty of targets to exploit. The attacker could also conduct further vulnerability scans to detect other exploitable vulnerabilities within the server, prolonging the attack.
Mitigation
The mitigation for this vulnerability is to update to version 2.0.25, 2.2.17, 2.3.14, or 2.4.4; these releases add size checks for the header name and value lengths. [1]
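To illustrate the kind of header-size and framing checks described above, here is an added example (not HAProxy's own code): it parses constructed HTTP request heads and flags oversized header names or values, as well as the contradicting “content-length” / “transfer-encoding” combination that request smuggling relies on. The length bounds, function names, and sample requests are assumptions chosen for the example, not HAProxy's values.

```python
"""Header-size and framing checks of the kind the HAProxy fix adds, run over
constructed sample requests. Added example; limits are placeholder assumptions."""
from typing import List, Tuple

# Assumed bounds (placeholders): a header name or value longer than these is
# rejected instead of being stored in a length field it might not fit.
MAX_NAME_LEN = 255
MAX_VALUE_LEN = 8192


def parse_headers(raw: bytes) -> List[Tuple[bytes, bytes]]:
    """Split a raw HTTP/1.1 request head into lower-cased (name, value) pairs."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    pairs = []
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        if not line:
            continue
        name, sep, value = line.partition(b":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def check_request(raw: bytes) -> List[str]:
    """Return a list of findings; an empty list means the request passes."""
    findings, names = [], []
    for name, value in parse_headers(raw):
        if len(name) > MAX_NAME_LEN:
            findings.append("oversized header name (%d bytes)" % len(name))
        if len(value) > MAX_VALUE_LEN:
            findings.append("oversized header value (%d bytes)" % len(value))
        if name == b"content-length" and not value.isdigit():
            findings.append("non-numeric content-length: %r" % value)
        names.append(name)
    if names.count(b"content-length") > 1:
        findings.append("duplicate content-length headers")
    if b"content-length" in names and b"transfer-encoding" in names:
        findings.append("both content-length and transfer-encoding present")
    return findings


# Constructed sample requests (not captured traffic).
CLEAN = (b"POST /login HTTP/1.1\r\nHost: example.test\r\n"
         b"Content-Length: 5\r\n\r\nhello")
AMBIGUOUS = (b"POST /login HTTP/1.1\r\nHost: example.test\r\n"
             b"Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n")
# A Content-Length header name padded with extra characters, as the write-up describes.
PADDED_NAME = (b"POST /login HTTP/1.1\r\nHost: example.test\r\n"
               b"Content-Length" + b"0" * 260 + b": 5\r\n\r\n")

if __name__ == "__main__":
    for label, req in (("clean", CLEAN), ("ambiguous", AMBIGUOUS), ("padded", PADDED_NAME)):
        print(label, check_request(req))
```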