HTTP request smuggling bug patched in HAProxy

The vulnerability could give attackers access to backend servers that HAProxy was supposed to protect.


HAProxy, a well-known open source load balancer and reverse proxy, has corrected a vulnerability that could allow attackers to execute HTTP request smuggling attacks.

An attacker could exploit the flaw by sending a specially crafted HTTP request that causes HAProxy to forward traffic its request-level filters (for example ACL-based http-request rules) were meant to block, giving the attacker unauthorized reach to backend servers.

Header Manipulation

In a report from Willy Tarreau, HAProxy’s maintainer, it was noted that “a suitably crafted HTTP request can lead HAProxy to disregard key header fields such as Connection, Content-length, Transfer-Encoding, and Host after parsing them.”

Because HAProxy then forwards the request without honouring headers it has already parsed, the request can reach the backend without the protection its filters were supposed to provide. Losing the framing headers (Content-Length and Transfer-Encoding) is what turns this into request smuggling: HAProxy's idea of where the request ends no longer matches the backend's, so bytes HAProxy treated as a body can be parsed by the backend as a second request that HAProxy's rules never evaluated.

For instance, this vulnerability can be leveraged to bypass authentication checks for specific URLs or grant attackers access to prohibited resources. Although the exploitation of this flaw is relatively straightforward, its consequences depend significantly on the target web server and its reliance on HAProxy’s filters.

“Medium proficiency in HTTP protocols and smuggling attack techniques is all that’s needed,” Tarreau shared with The Daily Swig.

“I expect that typical HTTP vulnerability hunters will quickly grasp the method to exploit this issue and might just need a couple of attempts to validate their findings, so I felt it unnecessary to provide further elaboration.”
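The practical question this raises for an operator is whether the proxy in front of their backends forwards the framing headers faithfully. The script below is an added example, not code from the original article or from the HAProxy project: it starts a small echo backend that reports the header names it received, sends a raw, RFC-valid HTTP/1.1 request to a given host and port, and lists any headers that were sent but did not arrive. It does not reproduce the malformed request described above; it is the harness into which such test cases would go. The echo backend, the `/probe` path, the `example.test` host name and the request bytes are all constructed for the demonstration. Connection is excluded from the comparison on purpose, since it is a hop-by-hop header that a proxy may legitimately rewrite.

```python
"""Header-integrity probe for an HTTP/1.1 reverse proxy (constructed example).

Sends a raw request to host:port (the proxy under test, or a backend directly)
and reports which request headers the backend actually received.
"""
import json
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Hop-by-hop headers a proxy may legitimately rewrite or remove; their absence
# at the backend is not evidence of a parsing flaw.
HOP_BY_HOP = {"connection"}


class EchoHandler(BaseHTTPRequestHandler):
    """Stand-in backend: replies with a JSON list of the header names it saw."""
    protocol_version = "HTTP/1.1"

    def _consume_body(self):
        # Drain the body so the socket is clean before we reply and close.
        if self.headers.get("Transfer-Encoding", "").lower() == "chunked":
            while True:
                size = int(self.rfile.readline().split(b";")[0].strip(), 16)
                self.rfile.read(size + 2)          # chunk data plus its CRLF
                if size == 0:
                    break
        else:
            self.rfile.read(int(self.headers.get("Content-Length", "0")))

    def do_POST(self):
        self._consume_body()
        body = json.dumps([k.lower() for k in self.headers.keys()]).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.send_header("Connection", "close")
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):                  # keep the demo quiet
        pass


def start_echo_backend():
    """Start the echo backend on an ephemeral loopback port; returns (server, port)."""
    server = HTTPServer(("127.0.0.1", 0), EchoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def build_request(host, body=b"probe", chunked=False):
    """An RFC-valid POST carrying the framing headers we want to track."""
    lines = [b"POST /probe HTTP/1.1", b"Host: " + host.encode()]
    if chunked:
        lines.append(b"Transfer-Encoding: chunked")
        payload = b"%x\r\n%s\r\n0\r\n\r\n" % (len(body), body)
    else:
        lines.append(b"Content-Length: %d" % len(body))
        payload = body
    lines.append(b"Connection: close")
    return b"\r\n".join(lines) + b"\r\n\r\n" + payload


def sent_header_names(raw_request):
    """Lower-cased header names present in the raw request we sent."""
    head = raw_request.split(b"\r\n\r\n", 1)[0]
    return {line.split(b":", 1)[0].strip().lower().decode()
            for line in head.split(b"\r\n")[1:]}


def probe(host, port, raw_request, timeout=5.0):
    """Send raw bytes to host:port and return the set of header names the echo
    backend reports having received."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(raw_request)
        chunks = []
        while True:                                # read until the peer closes
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    head, _, body = b"".join(chunks).partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n", 1)[0]
    if not status_line.startswith(b"HTTP/1.1 200"):
        raise RuntimeError("unexpected response: %r" % status_line)
    return set(json.loads(body))


def dropped_headers(raw_request, received):
    """Headers we sent that should have reached the backend but did not."""
    return sent_header_names(raw_request) - HOP_BY_HOP - received


if __name__ == "__main__":
    # Offline run: talk to the echo backend directly, so nothing is dropped.
    # Against a real deployment, register the echo backend as HAProxy's server
    # and point probe() at the HAProxy frontend address instead.
    server, port = start_echo_backend()
    for chunked in (False, True):
        req = build_request("example.test", chunked=chunked)
        seen = probe("127.0.0.1", port, req)
        print("chunked=%s dropped=%s" % (chunked, sorted(dropped_headers(req, seen))))
    server.shutdown()
```

Run directly, both the Content-Length and the chunked request report an empty `dropped` set. To exercise a proxy, put the echo backend behind it and aim `probe()` at the frontend; any framing or Host header that shows up in `dropped_headers()` for a valid request is a forwarding problem worth investigating before adding the malformed cases you actually want to test.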

Longstanding Vulnerability

The vulnerability was initially identified by researchers from Northeastern University, Akamai Technologies, and Google during testing phases.

According to Tarreau, this issue has been present since the release of HAProxy version 2.0 in June 2019.

“Any configuration that supports HTTP/1 on both client and server is exposed unless it has either been updated to the fixed version or incorporates my suggested workaround,” Tarreau emphasized. “This means that nearly all exposed deployments are vulnerable.”


Deployments deeper in the infrastructure, such as API gateways sitting behind another proxy, are not exposed, since no application or front proxy will emit such malformed requests.

Tarreau maintains seven stable branches of HAProxy and has released fixes for all of them.

“A load balancer is crucial in any infrastructure, and generally, users prefer not to upgrade it unless absolutely necessary or for new functionalities,” Tarreau stated.

“Consequently, we support each stable version for five years, allowing ample time for users to validate a new release and upgrade when required.”

Temporary Solutions

For those unable to update promptly, Tarreau has published a temporary configuration workaround that blocks the attack by rejecting requests that exhibit the internal conditions the vulnerability causes.

For users running earlier versions of HAProxy, Tarreau cautioned: “If you’re on an outdated version… your best short-term strategy is to upgrade to the next immediate branch, which should offer fewer surprises or changes.

“Please refrain from seeking assistance for upgrading outdated versions; if you haven’t cared about updates in five years, it’s unlikely others will be eager to help you catch up.”

This isn’t the first significant HTTP request smuggling vulnerability to impact HAProxy; The Daily Swig reported on a similar flaw found by JFrog researchers back in September 2021.


Based on an article from portswigger.net: https://portswigger.net/daily-swig/http-request-smuggling-bug-patched-in-haproxy
