Exploitation of this bug can allow attackers to gain access to backend servers.

HAProxy, a widely used open source load balancer and reverse proxy, has addressed a critical vulnerability that permitted attackers to execute HTTP request smuggling attacks.
Through the submission of specially crafted HTTP requests, an attacker could potentially sidestep HAProxy’s protective filters, allowing unauthorized access to backend servers.
Header Manipulation
A statement from Willy Tarreau, the lead maintainer of HAProxy, indicated that “an accurately formed HTTP request can prompt HAProxy to discard essential headers such as Connection, Content-length, Transfer-Encoding, and Host after initial processing.”
This behavior may lead HAProxy to forward requests to the backend server without applying appropriate filters.
Consequently, an attacker could bypass authentication rules that HAProxy enforces for particular URLs, or otherwise reach restricted resources on the backend. The ease of exploitation varies with the specific web server and how far it relies on HAProxy's filters for protection rather than enforcing the same checks itself.
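The defensive point behind the description above is that a proxy's filters only protect the backend if the framing headers the proxy inspected are the ones the backend actually receives. The following Python check, added here as an illustration and not code from HAProxy or the article, rejects HTTP/1 request heads whose framing is ambiguous (conflicting or duplicated Content-Length, Content-Length together with Transfer-Encoding, malformed or empty header names, a missing or duplicated Host) before they are forwarded. The checks are the generic request-smuggling preconditions, not the specific HAProxy condition addressed by the patch, which the article does not detail; the sample requests are constructed.

```python
import re
from collections import Counter

# RFC 7230 token characters allowed in a header field name. Anything else
# (whitespace, control bytes, an empty name) is a reason to reject at the edge
# rather than guess how the backend will parse it.
TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def parse_head(raw: bytes):
    """Split a raw HTTP/1 request head into (request_line, [(name, value), ...]).

    Names are lower-cased but deliberately not stripped, so surrounding
    whitespace or an empty name surfaces as a defect instead of being
    normalised away. Raises ValueError on structural problems (a decode
    error on non-ASCII bytes is a ValueError subclass).
    """
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("missing CRLFCRLF terminator")
    lines = head.split(b"\r\n")
    request_line = lines[0].decode("ascii")
    headers = []
    for line in lines[1:]:
        if line[:1] in (b" ", b"\t"):
            raise ValueError("obsolete line folding")
        name, colon, value = line.partition(b":")
        if not colon:
            raise ValueError(f"header line without a colon: {line!r}")
        headers.append((name.decode("ascii").lower(), value.decode("ascii").strip()))
    return request_line, headers


def audit_request(raw: bytes) -> list[str]:
    """Return the reasons to reject the request; an empty list means its
    framing is unambiguous enough to forward to a backend."""
    try:
        _request_line, headers = parse_head(raw)
    except ValueError as exc:
        return [f"malformed: {exc}"]

    findings = []
    for name, _value in headers:
        if name == "":
            findings.append("empty header name")
        elif not TOKEN_RE.match(name):
            findings.append(f"invalid header name {name!r}")

    counts = Counter(name for name, _ in headers)
    if counts["host"] != 1:
        findings.append(f"Host header must appear exactly once, saw {counts['host']}")

    cl = [v for n, v in headers if n == "content-length"]
    te = [v for n, v in headers if n == "transfer-encoding"]
    if cl and te:
        findings.append("both Content-Length and Transfer-Encoding present")
    if len(set(cl)) > 1:
        findings.append(f"conflicting Content-Length values {cl}")
    for v in cl:
        if not v.isdigit():
            findings.append(f"non-numeric Content-Length {v!r}")
    if te:
        codings = [c.strip().lower() for v in te for c in v.split(",")]
        # chunked must be the final coding and must appear only once.
        if codings[-1] != "chunked" or codings.count("chunked") > 1:
            findings.append(f"unsupported Transfer-Encoding chain {codings}")
    return findings


# Constructed sample request heads (not captured traffic).
CLEAN = (b"POST /api HTTP/1.1\r\nHost: example.test\r\n"
         b"Content-Length: 5\r\n\r\nhello")
CL_TE = (b"POST /api HTTP/1.1\r\nHost: example.test\r\n"
         b"Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n")
DUP_CL = (b"POST /api HTTP/1.1\r\nHost: example.test\r\n"
          b"Content-Length: 5\r\nContent-Length: 6\r\n\r\nhello")
BAD_NAME = (b"GET / HTTP/1.1\r\nHost: example.test\r\n"
            b"Content-Length : 0\r\n\r\n")
NO_HOST = b"GET / HTTP/1.1\r\nConnection: close\r\n\r\n"

if __name__ == "__main__":
    for label, req in [("clean", CLEAN), ("cl+te", CL_TE), ("dup-cl", DUP_CL),
                       ("bad-name", BAD_NAME), ("no-host", NO_HOST)]:
        print(label, audit_request(req) or ["ok"])
```

The design choice worth noting is that every ambiguity is a hard reject rather than a normalisation: silently dropping or "fixing" a header is exactly the behaviour the article describes as dangerous, because the backend may then frame the request differently from the proxy. Running the block prints one line per sample showing which of them would be refused.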
“It simply requires moderate familiarity with the HTTP protocol and an understanding of smuggling techniques,” said Tarreau in an interview with The Daily Swig.
“I believe individuals actively probing for HTTP vulnerabilities will quickly grasp how to exploit this issue and will likely only need a couple of trials to test their theories, which is why further details weren’t deemed necessary.”
Long-Standing Vulnerability
This vulnerability was identified by a research collaboration involving Northeastern University, Akamai Technologies, and Google while conducting tests.
According to Tarreau, the flaw has been present since HAProxy version 2.0, which debuted in June 2019.
“Any configuration utilizing HTTP/1 between the client and server is at risk unless it’s operating on a patched version or using the suggested workaround,” he remarked. “This encompasses almost all exposed deployments.”
Instances situated further within the infrastructure, such as API gateways, are not affected since no application or front proxy will generate such erroneous requests.
Currently, Tarreau is maintaining seven versions of HAProxy, providing necessary updates for each.
“As a load balancer is a vital part of any infrastructure, users typically prefer not to upgrade unless absolutely essential or when they require new features,” Tarreau explained.
“Therefore, each stable release is supported for five years, allowing ample time for users to validate and transition to a new version.”
Temporary Solution
For those unable to upgrade immediately, Tarreau has recommended a temporary configuration-based workaround that can detect and mitigate internal conditions that enable exploitation.
For users on legacy versions of HAProxy, Tarreau emphasizes the importance of upgrading to the next available version to minimize unexpected issues.
“Please refrain from requesting assistance for upgrades from outdated versions. If you have neglected updates for five years, it’s unlikely anyone will want to assist you in catching up,” he advised.
This isn’t the first substantial HTTP request smuggling issue to challenge HAProxy, with The Daily Swig previously discussing a similar vulnerability uncovered by JFrog researchers in September 2021.
Based on an article from portswigger.net: https://portswigger.net/daily-swig/http-request-smuggling-bug-patched-in-haproxy
