HAProxy - Vulnerable to Critical HTTP Request Smuggling Attacks

HAProxy, a widely used open source load balancer and proxy server, is vulnerable to critical HTTP request smuggling attacks. Threat actors can exploit the vulnerability, tracked as CVE-2021-40346, to gain unauthorized access to sensitive data and to execute arbitrary commands, effectively opening the door to an array of further attacks.

The integer overflow vulnerability has a severity rating of 8.6 on the CVSS scoring system. It was addressed in HAProxy versions 2.0.25, 2.2.17, 2.3.14, and 2.4.4.

The flaw allows threat actors to launch a web application attack that tampers with the way a website processes sequences of HTTP requests received from more than one user. The technique is also known as HTTP desynchronization: it takes advantage of inconsistencies in how front-end servers and back-end servers parse the requests they receive.

Websites generally use front-end servers, i.e. load balancers or reverse proxies, to manage a chain of inbound HTTP requests over a single connection and forward them to one or more back-end servers. This makes it important that requests are processed consistently at both ends, so that each server determines the same start and end point for every request. A failure to do so may result in a scenario where malicious content appended to one request is treated as the start of the next request.

According to a report published by researchers from JFrog Security on Tuesday, “The attack was made possible by utilizing an integer overflow vulnerability that allowed reaching an unexpected state in HAProxy while parsing an HTTP request — specifically — in the logic that deals with Content-Length headers.”

In a real-life scenario, the flaw can be used to trigger an HTTP request smuggling attack with the goal of bypassing access-control list (ACL) rules defined in HAProxy, which let administrators define custom rules for blocking malicious requests.

HAProxy's maintainers responded to the weakness by adding size checks for header name and value lengths.

Willy Tarreau, HAProxy’s creator and lead developer, noted in a GitHub commit pushed on September 3: “As a mitigation measure, it is sufficient to verify that no more than one such [content-length] header is present in any message.”

Users who are not able to upgrade to the above-mentioned versions can add the following snippet to the proxy’s configuration to mitigate the attacks:

    http-request deny if { req.hdr_cnt(content-length) gt 1 }

    http-response deny if { res.hdr_cnt(content-length) gt 1 }
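The two ACL lines above deny any message carrying more than one Content-Length header. The following Python check, added here as an illustration and not part of the article or of HAProxy, reproduces that `hdr_cnt(content-length) gt 1` decision over raw HTTP messages so that captured traffic can be triaged offline; the two sample requests are constructed, not real traffic.

```python
from typing import List, Tuple

# Constructed sample messages (not captured traffic). The second one carries two
# Content-Length headers, which is exactly the condition the HAProxy ACL denies.
BENIGN_REQUEST = (
    b"POST /api/update HTTP/1.1\r\n"
    b"Host: app.example.test\r\n"
    b"Content-Length: 5\r\n"
    b"\r\n"
    b"a=1&b"
)
DUPLICATE_CL_REQUEST = (
    b"POST /api/update HTTP/1.1\r\n"
    b"Host: app.example.test\r\n"
    b"Content-Length: 5\r\n"
    b"content-length: 29\r\n"  # same header, different case: names are case-insensitive
    b"\r\n"
    b"a=1&b"
)


def parse_head(raw: bytes) -> Tuple[str, List[Tuple[str, str]]]:
    """Return the start line and a list of (lower-cased name, value) header pairs.

    Only the head (up to the first blank line) is examined: the ACL decision
    depends on how many Content-Length headers exist, not on the body.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not a "Name: value" line; ignored for this count
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def content_length_count(raw: bytes) -> int:
    """Python equivalent of req.hdr_cnt(content-length) / res.hdr_cnt(content-length)."""
    _, headers = parse_head(raw)
    return sum(1 for name, _ in headers if name == "content-length")


def should_deny(raw: bytes) -> bool:
    """Mirror of `http-request deny if { req.hdr_cnt(content-length) gt 1 }`."""
    return content_length_count(raw) > 1
```

The same functions apply unchanged to responses, which is what the `http-response` rule covers.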
