
HTTP request smuggling bug patched in HAProxy

HAProxy, the popular open source load balancer and reverse proxy, has patched a bug that could enable attackers to stage HTTP request smuggling attacks.

By sending a maliciously crafted HTTP request, an attacker could bypass the filters of HAProxy and gain unauthorized access to back-end servers.

Dropped headers

According to a notice by Willy Tarreau, the maintainer of HAProxy, “a properly crafted HTTP request can make HAProxy drop some important header fields such as Connection, Content-length, Transfer-Encoding, Host, etc after having parsed and at least partially processed them”.

This can confuse HAProxy and force it to send requests to the back-end server without applying filters.

For example, it can be used to bypass HAProxy’s authentication checks for certain URLs or give attackers access to restricted resources. The vulnerability is not hard to exploit, but its impact depends on the target web server and how much it relies on HAProxy filters to secure its resources.
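To make concrete why a proxy that loses Content-Length or Transfer-Encoding after parsing them is dangerous, here is an added example that is not HAProxy code and not the maintainer's published workaround: a strict HTTP/1.1 request framing check written in Python. It goes beyond the specific bug described above and applies the general RFC 7230 §3.3.3 rules that front-end and back-end must agree on: a request carrying both Transfer-Encoding and Content-Length, conflicting Content-Length values, or a Transfer-Encoding that does not end in chunked is rejected rather than forwarded, because the two sides could otherwise place the body boundary differently and the back-end would read trailing bytes as a second request that never passed the front-end's filters. The sample requests, the host name example.test and the function names are constructed for this demonstration.

```python
"""Added example (not HAProxy code): strict HTTP/1.1 request framing validation
of the kind an edge proxy must apply before trusting a request's body boundary.

Encoded rules (RFC 7230 section 3.3.3):
  * Transfer-Encoding and Content-Length together      -> reject (ambiguous)
  * several Content-Length values that disagree        -> reject
  * Transfer-Encoding whose final coding is not chunked -> reject
  * obsolete line folding in headers                    -> reject
"""
from dataclasses import dataclass

CRLF = b"\r\n"


class FramingError(ValueError):
    """Raised when the body boundary of a request cannot be determined safely."""


@dataclass
class Request:
    method: str
    target: str
    version: str
    headers: list  # (lower-cased name, value) pairs in wire order
    body: bytes


def parse_head(raw: bytes):
    """Split the request line and header block; return (request line parts, headers, body offset)."""
    end = raw.find(CRLF + CRLF)
    if end < 0:
        raise FramingError("incomplete head")
    lines = raw[:end].split(CRLF)
    try:
        method, target, version = lines[0].decode("ascii").split(" ")
    except ValueError:  # wrong field count or non-ASCII bytes
        raise FramingError("bad request line")
    headers = []
    for line in lines[1:]:
        if line[:1] in (b" ", b"\t"):
            raise FramingError("obsolete line folding not accepted")
        name, sep, value = line.partition(b":")
        if not sep or not name or name != name.strip():
            raise FramingError("malformed header line")
        headers.append((name.decode("ascii").lower(), value.strip().decode("latin-1")))
    return (method, target, version), headers, end + 4


def body_length(headers):
    """Return ('chunked', None) or ('length', n); raise FramingError on any ambiguity."""
    te = [v for n, v in headers if n == "transfer-encoding"]
    cl = [v for n, v in headers if n == "content-length"]
    if te and cl:
        raise FramingError("both Transfer-Encoding and Content-Length present")
    if te:
        codings = [c.strip().lower() for v in te for c in v.split(",")]
        if codings[-1] != "chunked":
            raise FramingError("Transfer-Encoding must end with chunked")
        return ("chunked", None)
    values = set()
    for v in cl:
        for part in v.split(","):  # a repeated header may arrive as a comma list
            part = part.strip()
            if not part.isdigit():
                raise FramingError("non-numeric Content-Length")
            values.add(int(part))
    if len(values) > 1:
        raise FramingError("conflicting Content-Length values")
    return ("length", values.pop() if values else 0)


def decode_chunked(data: bytes):
    """Decode a chunked body; return (body, bytes consumed). Truncated input is an error."""
    out, pos = bytearray(), 0
    while True:
        eol = data.find(CRLF, pos)
        if eol < 0:
            raise FramingError("truncated chunk size line")
        try:
            size = int(data[pos:eol].split(b";", 1)[0].strip(), 16)
        except ValueError:
            raise FramingError("bad chunk size")
        pos = eol + 2
        if size == 0:  # last chunk: optional trailers, then an empty line
            end = data.find(CRLF + CRLF, pos - 2)
            if end < 0:
                raise FramingError("truncated trailer section")
            return bytes(out), end + 4
        if data[pos + size:pos + size + 2] != CRLF:
            raise FramingError("truncated or malformed chunk")
        out += data[pos:pos + size]
        pos += size + 2


def parse_request(raw: bytes):
    """Parse one request with unambiguous framing; return (Request, unconsumed bytes)."""
    (method, target, version), headers, offset = parse_head(raw)
    kind, n = body_length(headers)
    rest = raw[offset:]
    if kind == "chunked":
        body, used = decode_chunked(rest)
    else:
        if len(rest) < n:
            raise FramingError("truncated body")
        body, used = rest[:n], n
    return Request(method, target, version, headers, body), rest[used:]


def classify(raw: bytes) -> str:
    """Front-end decision for a raw request: 'accepted' or 'rejected: <reason>'."""
    try:
        parse_request(raw)
    except FramingError as exc:
        return f"rejected: {exc}"
    return "accepted"


# Constructed sample requests (example.test is a placeholder host).
GOOD = b"POST /api HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\nhello"
AMBIGUOUS = (b"POST /api HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n"
             b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n")
DUP_CL = (b"POST /api HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n"
          b"Content-Length: 11\r\n\r\nhello")
CHUNKED = (b"POST /api HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding: chunked\r\n\r\n"
           b"5\r\nhello\r\n0\r\n\r\nGET /next HTTP/1.1\r\n")

if __name__ == "__main__":
    for label, sample in [("good", GOOD), ("ambiguous", AMBIGUOUS), ("dup-cl", DUP_CL), ("chunked", CHUNKED)]:
        print(f"{label:10s} {classify(sample)}")
```

The point of the leftover bytes returned by parse_request is that, with unambiguous framing, both proxy and back-end will cut the stream at the same place, so whatever follows is a genuinely separate pipelined request that also passes through the front-end's checks; a proxy that silently loses one of these headers after parsing it can no longer guarantee that.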

“It just requires moderate knowledge of the HTTP protocol and how a smuggling attack works,” Tarreau told The Daily Swig.

“I know that usual HTTP vuln seekers will immediately understand how to exploit this and will just need two-to-three tests to confirm their hypothesis, which is why it was really not needed to [include] more details.”

Bug present since 2019

The vulnerability was reported by a group of researchers at Northeastern University, Akamai Technologies, and Google who were running tests.

Tarreau said the vulnerability had existed since version 2.0 of HAProxy, which was released in June 2019.

“Any config supporting HTTP/1 on the client and HTTP/1 on the server is vulnerable unless it runs on the fixed version or it contains the workaround I proposed,” Tarreau said. “So that’s rather close to 100% of exposed deployments.”

Instances deployed deeper in the infrastructure, such as API gateways, are not at risk, since no application or front proxy will produce such invalid requests.

Tarreau is actively maintaining seven versions of HAProxy and has issued fixes for all of them.

“A load balancer is a critical component in an infrastructure, and generally users do not want to upgrade it unless absolutely necessary or if they need new features,” Tarreau said.

“Thus we maintain each stable version for five years so that they have plenty of time to validate a new one and upgrade when needed.”

Workaround

For those who are not able to immediately upgrade to the latest version, Tarreau has provided a temporary config-based workaround that blocks attacks by detecting the internal conditions caused by the exploitation of the bug.


And for those who are running older versions of HAProxy, Tarreau’s notice warns: “If you’re running on an outdated version… the best short-term option will be to upgrade to the immediately next branch, which is the one that will give you the least surprise or changes.

“Please do not ask for help upgrading from outdated versions; if you didn’t care about updating in five years, it’s unlikely that anyone will care about helping you to catch up.”

The vulnerability is not the first serious HTTP request smuggling flaw to affect HAProxy, with The Daily Swig reporting on a similar issue afflicting the platform that was disclosed by JFrog researchers in September 2021.

Copyright 2021 Associated Press. All rights reserved.

Source: https://portswigger.net/daily-swig/http-request-smuggling-bug-patched-in-haproxy


Copyright © 2023 Newsworthy News | Global | Political | Local | All News | Website By: Top Search SEO