HTTP request smuggling bug patched in HAProxy

Exploitation of this vulnerability could allow attackers to gain access to backend servers.

HAProxy Security Update

HAProxy, a widely used open-source load balancer and reverse proxy, has released a fix for a vulnerability that could potentially allow attackers to carry out HTTP request smuggling attacks.

By sending a carefully crafted HTTP request, attackers could circumvent HAProxy’s filters and obtain unauthorized access to backend servers.

Impact of Dropped Headers

As stated in a notice from Willy Tarreau, the maintainer of HAProxy, “a properly crafted HTTP request can cause HAProxy to drop vital header fields such as Connection, Content-Length, Transfer-Encoding, Host, etc., after parsing and processing them.”

Because the fields are dropped only after HAProxy has already parsed and acted on them, the proxy can forward a request to backend servers without the filters that should have applied to it.

This technique can be exploited to bypass authentication checks on specific URLs or grant attackers access to restricted resources. While the vulnerability is relatively easy to exploit, its effectiveness varies depending on the web server being targeted and the extent to which it relies on HAProxy filters for security.
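Since the impact depends on how far a backend trusts the front proxy's header filtering, a backend can apply its own framing sanity check before acting on a request. The following Python is an added example, not code from the article or from the HAProxy project; the sample requests are constructed for illustration.

```python
# Added example (not from the article or the HAProxy project): a backend-side
# sanity check on HTTP/1.1 request framing, for services that do not want to
# rely solely on a front proxy's header filtering. Input is the raw request.

def check_request_framing(raw: bytes) -> list[str]:
    """Return the reasons to reject the request; an empty list means accept."""
    problems = []
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return ["incomplete header block"]
    lines = head.split(b"\r\n")
    request_line = lines[0].split(b" ")
    if len(request_line) != 3:
        return ["malformed request line"]
    version = request_line[2]
    headers: dict[bytes, list[bytes]] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        # Empty or whitespace-padded names are a classic parser-disagreement trigger.
        if not colon or not name.strip() or name != name.strip():
            problems.append("malformed header line: %r" % line)
            continue
        headers.setdefault(name.lower(), []).append(value.strip())
    if version == b"HTTP/1.1" and b"host" not in headers:
        problems.append("HTTP/1.1 request without Host header")
    cl = headers.get(b"content-length", [])
    te = headers.get(b"transfer-encoding", [])
    if cl and te:
        problems.append("both Content-Length and Transfer-Encoding present")
    if len(set(cl)) > 1:
        problems.append("conflicting Content-Length values")
    if any(not v.isdigit() for v in cl):
        problems.append("non-numeric Content-Length")
    if te and te[-1].split(b",")[-1].strip().lower() != b"chunked":
        problems.append("Transfer-Encoding does not end with chunked")
    return problems

# Constructed sample requests (not captured traffic).
GOOD = (b"POST /login HTTP/1.1\r\nHost: example.test\r\n"
        b"Content-Length: 5\r\n\r\nhello")
NO_HOST = b"GET /admin HTTP/1.1\r\nConnection: close\r\n\r\n"
AMBIGUOUS = (b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 4\r\n"
             b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n")

if __name__ == "__main__":
    for label, req in [("good", GOOD), ("no-host", NO_HOST), ("ambiguous", AMBIGUOUS)]:
        print(label, check_request_framing(req) or "ok")
```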

“It only requires a moderate understanding of the HTTP protocol and knowledge of how smuggling attacks function,” Tarreau noted in an interview with The Daily Swig.

“I believe that seasoned HTTP vulnerability seekers will quickly grasp how to exploit this flaw and need only a couple of tests to validate their theories, which is why it wasn’t necessary to provide extensive details.”

Vulnerability Timeline

This vulnerability was identified by a research group from Northeastern University, Akamai Technologies, and Google during their testing.

According to Tarreau, the flaw has existed since version 2.0 of HAProxy, which was released in June 2019.

“Any configuration supporting HTTP/1 on both client and server is vulnerable unless it’s operating on the patched version or follows the workaround I suggested,” Tarreau explained, suggesting that this affects nearly all exposed deployments.

Instances located deeper within the infrastructure, such as API gateways, remain unaffected since no application or front proxy would create such malformed requests.

Currently, Tarreau manages seven versions of HAProxy and has provided patches for all of them.

“A load balancer is essential in any infrastructure, and users typically refrain from upgrading unless absolutely necessary or if seeking new features,” Tarreau said.

“To accommodate this, we support each stable version for five years, giving users ample time to test and upgrade.”

Recommended Workaround

For those unable to upgrade to the latest version immediately, Tarreau has recommended a temporary configuration-based workaround that detects the internal conditions brought about by the exploitation of this vulnerability.

Additionally, for users operating older versions of HAProxy, Tarreau’s notice advises: “If you’re using an outdated version… the best short-term action is to upgrade to the next available branch, as it will pose the fewest surprises or changes.”

“Please refrain from requesting assistance for upgrading old versions; if you have not prioritized updating for five years, it is unlikely anyone will assist you in catching up.”

This is not the first significant HTTP request smuggling vulnerability concerning HAProxy, as The Daily Swig reported on a similar issue disclosed by JFrog researchers in September 2021.


Based on an article from portswigger.net: https://portswigger.net/daily-swig/http-request-smuggling-bug-patched-in-haproxy
