Vulnerabilities can lead to unauthorized access to backend servers.
HAProxy, a widely used open-source load balancer and reverse proxy, has addressed a security vulnerability that allowed potential attackers to execute HTTP request smuggling attacks.
An attacker could exploit this issue by sending a specially crafted HTTP request, evading HAProxy’s filters, and accessing backend servers without authorization.
Header Manipulation
A notice from Willy Tarreau, HAProxy’s maintainer, highlighted that “a suitably crafted HTTP request can lead HAProxy to omit critical headers such as Connection, Content-length, Transfer-Encoding, Host, and others after parsing them.”
This header manipulation could confuse HAProxy, allowing it to forward requests to back-end servers without the necessary security checks.
Such exploitation could allow attackers to bypass authentication for specific URLs and gain access to restricted areas. While the exploit is relatively straightforward, its effectiveness varies based on the target server’s reliance on HAProxy’s filtering for security.
“Moderate knowledge of the HTTP protocol and an understanding of smuggling attacks are all that is required,” remarked Tarreau in an interview with The Daily Swig.
“I’m confident that experienced security researchers will grasp how to exploit this vulnerability quickly, often requiring just a couple of tests to validate their approach, hence the absence of additional details.”
Long-standing Vulnerability
This flaw was identified by researchers from Northeastern University, Akamai Technologies, and Google during their investigations.
According to Tarreau, the vulnerability has been present since HAProxy version 2.0, launched in June 2019.
“Any configuration that supports HTTP/1 on both client and server is vulnerable unless it operates on a patched version or incorporates a suggested workaround,” stated Tarreau. “This means a large majority of implementations are potentially at risk.”
Configurations deeper within the infrastructure, such as those behind API gateways, are likely unaffected, since such components do not generate these invalid requests.
Tarreau is currently supporting seven versions of HAProxy and has implemented fixes across all these versions.
“Load balancers are vital in infrastructure setups, and users often hesitate to upgrade unless absolutely essential or if they’re seeking new functionalities,” Tarreau mentioned.
“Therefore, we ensure that each stable version is maintained for five years, affording users adequate time for testing and upgrading when they see fit.”
Interim Solutions
For those unable to upgrade immediately, Tarreau offers a temporary configuration-based workaround that identifies and blocks attacks by recognizing the conditions produced when the vulnerability is exploited.
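The header-omission problem described above and the blocking workaround come down to the same defensive rule: a front door must refuse any HTTP/1 request whose framing headers (Host, Content-Length, Transfer-Encoding) are missing, repeated, contradictory or malformed, instead of forwarding it to a backend that may frame the request differently. The validator below is an added example written for this page; it is not HAProxy's code and not the maintainer's published workaround. The sample requests and host names are constructed.

```python
"""
Strict HTTP/1 request-header validator: the kind of check a reverse proxy or
WAF applies at the front door so that a request whose framing headers are
ambiguous is rejected rather than forwarded.

Added illustration for this page, not HAProxy code and not the maintainer's
workaround.
"""
from __future__ import annotations

# RFC 9110 token characters: the only characters allowed in a header name.
TOKEN_CHARS = set("!#$%&'*+-.^_`|~0123456789"
                  "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ")


def parse_headers(raw: bytes) -> list[tuple[str, str]]:
    """Split the header block into (lowercased name, value) pairs without
    merging or dropping anything, so the validator sees exactly what was on
    the wire. Raises ValueError for any line that is not a clean 'name: value'."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers")
    lines = head.split(b"\r\n")
    if len(lines[0].split(b" ")) != 3:
        raise ValueError("malformed request line")
    pairs: list[tuple[str, str]] = []
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        # Name must be a non-empty token; this also rejects obsolete line folding
        # (leading whitespace) and names containing whitespace or control bytes.
        if not colon or not name or not set(name.decode("latin-1")) <= TOKEN_CHARS:
            raise ValueError(f"malformed header line: {line!r}")
        # A bare CR or LF inside a value is a line terminator to some servers
        # and part of the value to others, so it must never be forwarded.
        if b"\r" in value or b"\n" in value:
            raise ValueError(f"control character in header value: {line!r}")
        pairs.append((name.decode("latin-1").lower(), value.decode("latin-1").strip()))
    return pairs


def validate_request(raw: bytes) -> tuple[bool, str]:
    """Return (accepted, reason). Anything a downstream server could frame
    differently from the proxy is refused."""
    try:
        pairs = parse_headers(raw)
    except ValueError as exc:
        return False, str(exc)

    values: dict[str, list[str]] = {}
    for name, value in pairs:
        values.setdefault(name, []).append(value)

    # HTTP/1.1 requires exactly one Host; zero or several makes routing ambiguous.
    if len(values.get("host", [])) != 1:
        return False, "Host header missing or repeated"

    cl = values.get("content-length", [])
    te = values.get("transfer-encoding", [])

    # Both framing mechanisms at once is the classic CL.TE / TE.CL smuggling setup.
    if cl and te:
        return False, "both Content-Length and Transfer-Encoding present"
    if cl:
        if len(set(cl)) != 1:
            return False, "conflicting Content-Length values"
        if not (cl[0].isascii() and cl[0].isdigit()):
            return False, "non-numeric Content-Length"
    if te:
        if len(te) != 1:
            return False, "repeated Transfer-Encoding header"
        # Only 'chunked' as the final coding gives a determinable body length.
        if te[0].split(",")[-1].strip().lower() != "chunked":
            return False, "Transfer-Encoding without final 'chunked' coding"
    return True, "ok"


# Constructed sample requests (not captured traffic); app.example is a placeholder.
GOOD = (b"POST /api HTTP/1.1\r\nHost: app.example\r\nContent-Length: 5\r\n"
        b"Connection: keep-alive\r\n\r\nhello")
CL_TE = (b"POST /api HTTP/1.1\r\nHost: app.example\r\nContent-Length: 5\r\n"
         b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n")
DUP_HOST = b"GET / HTTP/1.1\r\nHost: app.example\r\nHost: other.example\r\n\r\n"
BAD_NAME = b"GET / HTTP/1.1\r\nHost: app.example\r\nX Bad: 1\r\n\r\n"
BARE_LF = b"GET / HTTP/1.1\r\nHost: app.example\nX: b\r\n\r\n"

if __name__ == "__main__":
    for label, req in [("good", GOOD), ("cl+te", CL_TE), ("dup host", DUP_HOST),
                       ("bad name", BAD_NAME), ("bare lf", BARE_LF)]:
        print(f"{label:9} -> {validate_request(req)}")
```

Every rejection names the exact ambiguity, which is what you want in proxy logs: a spike in "both Content-Length and Transfer-Encoding present" or "malformed header line" denials on a frontend is a useful detection signal in its own right, independent of whether the backend would have been confused.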
For users on outdated versions of HAProxy, Tarreau cautions: “If you’re running an old version… your best immediate solution is to upgrade to the next available branch, which should incorporate minimal changes.”
“We ask that if you haven’t prioritized updates over the past five years, please refrain from seeking assistance on how to upgrade.”
This vulnerability is not the first serious HTTP request smuggling issue to affect HAProxy; The Daily Swig previously reported a similar issue identified by JFrog researchers in September 2021.
Based on an article from portswigger.net: https://portswigger.net/daily-swig/http-request-smuggling-bug-patched-in-haproxy