Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Application Security

HAProxy Vulnerability Leads to HTTP Request Smuggling

A critical security vulnerability in HAProxy could allow attackers to bypass security controls and access sensitive data without authorization, according to a warning from security research outfit JFrog.

A critical security vulnerability in HAProxy could allow attackers to bypass security controls and access sensitive data without authorization, according to a warning from security research outfit JFrog.

An attacker could exploit the vulnerability – tracked as CVE-2021-40346 (CVSS score of 8.6) – to bypass duplicate HTTP Content-Length header checks. Thus, the attacker could smuggle HTTP requests to the backend server without the proxy server noticing it, or launch a response-splitting attack.

“Our analysis confirmed that the duplication is achieved by making use of the memory layout of HAProxy’s internal representation of an HTTP message to slip a select character from the header’s name to its value. Due to the difficulty in executing such an attack, the risk is low,” according to an HAProxy advisory.

Researchers with JFrog Security, the company credited with discovering the bug, describe the issue as integer overflow in the HAProxy’s parsing of HTTP requests. Specifically, it affects the logic related to the processing of Content-Length headers, in the line responsible for setting a header’s name and value lengths.  

[ READ: Researcher Discovers New HTTP Request Smuggling Attack Variants ]

In an HTTP request smuggling attack, an adversary targets the HTTP requests between the frontend and backend servers by sending specially crafted requests containing an additional request. This results in the inner request being smuggled through the frontend, mainly because the same established TCP connection is used to forward the requests to the backend.

JFrog researchers crafted a POST request that contains a GET request in its body. Because of the manner in which the POST request’s header is created, HAProxy ends up forwarding it to the backend server with a value length of 0, meaning that it has no body.

The backend server then parses the request as having no body, and then expects to receive the next request on the same connection. Thus, the GET request that was in fact the POST’s body is treated as a legitimate request, resulting in bypassing HAProxy’s ACL filtering.

Advertisement. Scroll to continue reading.

“HAProxy is only aware of a single HTTP request being forwarded and thus only returns a single HTTP response (the first) from the backend server back to the client,” according to JFrog’s documentation of the problem.

HAProxy versions 2.0.25, 2.2.17, 2.3.14 or 2.4.4 address the issue with size checks for both name and value lengths. Thus, it is recommended to update HAProxy as soon as possible. Workarounds to mitigate the issue are available as well, if updating isn’t possible.

Related: Researcher Discovers New HTTP Request Smuggling Attack Variants

Related: Researchers Reproduce Exploit Used in Kaseya Hack

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Discover strategies for vendor selection, integration to minimize redundancies, and maximizing ROI from your cybersecurity investments. Gain actionable insights to ensure your stack is ready for tomorrow’s challenges.

Register

Dive into critical topics such as incident response, threat intelligence, and attack surface management. Learn how to align cyber resilience plans with business objectives to reduce potential impacts and secure your organization in an ever-evolving threat landscape.

Register

People on the Move

Gigamon has promoted Tony Jarjoura to CFO and Ram Bhide has been hired as Senior VP of engineering.

Cloud security firm Mitiga has appointed Charlie Thomas as Chief Executive Officer.

Cynet announced the appointment of Jason Magee as Chief Executive Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.