A crafted HTTP request can make HAProxy silently drop headers it has already parsed, letting attackers smuggle requests past its filtering rules to backend servers.
HAProxy, a widely used open source load balancer and reverse proxy, has patched a vulnerability that could allow attackers to conduct HTTP request smuggling attacks.
By carefully crafting an HTTP request, an attacker can bypass access-control rules configured in HAProxy and reach backend resources it is supposed to protect.
Dropped Headers Issue
A communication from Willy Tarreau, the maintainer of HAProxy, highlighted that “a properly crafted HTTP request can make HAProxy drop some important header fields such as Connection, Content-Length, Transfer-Encoding, Host, etc., after parsing and partially processing them.”
Because the dropped headers have already been parsed and partially acted on, the request HAProxy forwards to the backend is no longer the request its filtering rules evaluated, so those rules are effectively skipped.
In practice this lets an attacker circumvent authentication checks that HAProxy enforces on specific URLs, or reach resources that are meant to be restricted. How easy the bug is to exploit depends on the target web server and on how much it relies on HAProxy's filtering for protection rather than enforcing the same checks itself.
“Exploiting this vulnerability only requires moderate knowledge of the HTTP protocol and smuggling attack techniques,” Tarreau remarked to The Daily Swig.
“I believe that experienced seekers of HTTP vulnerabilities will quickly grasp how to exploit this and would need only two to three tests to validate their findings, which is why comprehensive details were not necessary.”
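The class of problem described above is a front proxy that accepts a malformed HTTP/1 header block and ends up forwarding something different from what it filtered. The following strict HTTP/1.x request-head parser is an added example written for this article; it is not HAProxy's parser, and the constructed sample requests are not the payload used against HAProxy. It shows the header-level ambiguities that smuggling attacks lean on (an empty header name, whitespace before the colon, obsolete line folding, Content-Length together with Transfer-Encoding, duplicate Content-Length, a missing Host) and rejects them outright instead of dropping or repairing headers. The `classify` and `body_framing` helpers are names chosen for this example.

```python
# Strict HTTP/1.x request-head parser (added example, not HAProxy code).
# Anything ambiguous is rejected with a reason rather than silently "fixed".
import re
from typing import List, Tuple

# RFC 9110 "token": the only characters allowed in a header name. An empty
# name, or a name with trailing whitespace ("Content-Length :"), fails this.
_TOKEN = re.compile(r"[!#$%&'*+.^_`|~0-9A-Za-z-]+")
_DIGITS = re.compile(r"[0-9]+")

Headers = List[Tuple[str, str]]


class BadRequest(ValueError):
    """Raised for any request head that is malformed or ambiguous."""


def parse_request_head(raw: bytes) -> Tuple[str, str, str, Headers]:
    """Parse request line + headers from raw bytes ending in CRLFCRLF.

    Returns (method, target, version, headers). Header names are lower-cased
    and wire order is preserved so callers can still see duplicates.
    """
    if b"\r\n\r\n" not in raw:
        raise BadRequest("incomplete head")
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")

    parts = lines[0].decode("latin-1").split(" ")
    if len(parts) != 3 or not _TOKEN.fullmatch(parts[0]):
        raise BadRequest("malformed request line")
    method, target, version = parts
    if version not in ("HTTP/1.0", "HTTP/1.1"):
        raise BadRequest("unsupported version")

    headers: Headers = []
    for line in lines[1:]:
        if b"\n" in line or b"\r" in line:
            raise BadRequest("bare CR/LF in header")
        if line[:1] in (b" ", b"\t"):
            raise BadRequest("obsolete line folding")      # RFC 9112 s5.2
        if b":" not in line:
            raise BadRequest("header line without ':'")
        name, value = line.split(b":", 1)
        name_s = name.decode("latin-1")
        if not _TOKEN.fullmatch(name_s):
            # Covers the empty name "" and any whitespace before the colon.
            raise BadRequest("empty or invalid header name %r" % name_s)
        headers.append((name_s.lower(), value.strip(b" \t").decode("latin-1")))

    _check_framing(version, headers)
    return method, target, version, headers


def _check_framing(version: str, headers: Headers) -> None:
    """Reject header combinations that let two parsers frame the body differently."""
    host = [v for n, v in headers if n == "host"]
    if version == "HTTP/1.1" and len(host) != 1:
        raise BadRequest("HTTP/1.1 requires exactly one Host header")
    cl = [v for n, v in headers if n == "content-length"]
    te = [v for n, v in headers if n == "transfer-encoding"]
    if cl and te:
        # Classic CL.TE / TE.CL desync: front and back may disagree on the body length.
        raise BadRequest("Content-Length and Transfer-Encoding both present")
    if len(cl) > 1:
        # RFC 9110 tolerates identical duplicates; a proxy gains nothing by allowing them.
        raise BadRequest("multiple Content-Length headers")
    if cl and not _DIGITS.fullmatch(cl[0]):
        raise BadRequest("non-numeric Content-Length")
    # Obfuscated codings ("xchunked", "chunked\t") are a common desync vector, so
    # accept exactly one Transfer-Encoding header whose whole value is "chunked".
    if te and (len(te) != 1 or te[0].lower() != "chunked"):
        raise BadRequest("Transfer-Encoding must be exactly 'chunked'")


def body_framing(headers: Headers) -> Tuple[str, int]:
    """How the body is delimited: ('chunked', -1), ('content-length', n) or ('none', 0)."""
    if any(n == "transfer-encoding" for n, _ in headers):
        return ("chunked", -1)
    for n, v in headers:
        if n == "content-length":
            return ("content-length", int(v))
    return ("none", 0)


def classify(raw: bytes) -> str:
    """'ok' if the head is acceptable, otherwise 'reject: <reason>'."""
    try:
        parse_request_head(raw)
        return "ok"
    except BadRequest as exc:
        return "reject: %s" % exc


# Constructed sample requests for illustration only.
SAMPLES = {
    "clean": b"GET /admin HTTP/1.1\r\nHost: app.example\r\nContent-Length: 0\r\n\r\n",
    "empty-name": b"GET /admin HTTP/1.1\r\nHost: app.example\r\n: x\r\n\r\n",
    "cl-te": b"POST / HTTP/1.1\r\nHost: a\r\nContent-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n",
    "dup-cl": b"POST / HTTP/1.1\r\nHost: a\r\nContent-Length: 5\r\nContent-Length: 6\r\n\r\n",
    "obs-fold": b"GET / HTTP/1.1\r\nHost: a\r\nX-A: 1\r\n 2\r\n\r\n",
}

if __name__ == "__main__":
    for label, req in SAMPLES.items():
        print("%-10s %s" % (label, classify(req)))
```

The point of the example is the failure mode, not the parser: every rejection is a hard 400 for the whole request, so the front proxy never forwards a request whose headers it has partly discarded, and the backend never has to guess how the proxy framed it.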
Vulnerability Timeline
The vulnerability was found by researchers from Northeastern University, Akamai Technologies, and Google during testing.
Tarreau stated that this vulnerability has been present since version 2.0 of HAProxy, which was launched in June 2019.
“Any configuration that supports HTTP/1 on both the client and server is susceptible unless it has been upgraded to the fixed version or includes the workaround I provided,” he explained. “This scenario applies to nearly all exposed deployments.”
Instances deeper in the infrastructure, such as an API gateway sitting behind another proxy or application, are not exposed, because a compliant front proxy or application will not emit such a malformed request. That assumption only holds when the front tier actually re-serializes requests rather than passing client bytes through untouched.
Tarreau actively maintains seven stable branches of HAProxy and has issued fixes for all of them.
“A load balancer is a critical aspect of infrastructure, and typically, users resist upgrading unless absolutely unavoidable or if they require new features,” Tarreau stated.
“As a result, we uphold each stable version for five years, providing users ample time to evaluate new versions and upgrade when necessary.”
Temporary Workaround
For those unable to upgrade immediately, Tarreau has provided a temporary configuration-based workaround that blocks attacks by detecting the internal conditions an exploit of this bug leaves behind in the parsed request.
For users operating earlier versions of HAProxy, his notice cautions: “If you are using an outdated version, the best short-term solution is to upgrade to the next immediate branch, which will result in the least unexpected changes.”
“Please refrain from seeking assistance with upgrades from older versions; if you have neglected updates for five years, it is unlikely that anyone will assist you in catching up.”
This is not the first significant HTTP request smuggling vulnerability to afflict HAProxy, as The Daily Swig previously reported on a similar issue disclosed by researchers from JFrog in September 2021.
Based on an article from PortSwigger: https://portswigger.net/daily-swig/http-request-smuggling-bug-patched-in-haproxy