HAProxy Vulnerability Leads to HTTP Request Smuggling
A critical security vulnerability in HAProxy could allow attackers to bypass security controls and access sensitive data without authorization, according to a warning from security research outfit JFrog.
An attacker could exploit the vulnerability – tracked as CVE-2021-40346 (CVSS score of 8.6) – to bypass duplicate HTTP Content-Length header checks. Thus, the attacker could smuggle HTTP requests to the backend server without the proxy server noticing it, or launch a response-splitting attack.
“Our analysis confirmed that the duplication is achieved by making use of the memory layout of HAProxy’s internal representation of an HTTP message to slip a select character from the header’s name to its value. Due to the difficulty in executing such an attack, the risk is low,” according to an HAProxy advisory.
Researchers with JFrog Security, the company credited with discovering the bug, describe the issue as integer overflow in the HAProxy’s parsing of HTTP requests. Specifically, it affects the logic related to the processing of Content-Length headers, in the line responsible for setting a header’s name and value lengths.
In an HTTP request smuggling attack, an adversary targets the HTTP requests between the frontend and backend servers by sending specially crafted requests containing an additional request. This results in the inner request being smuggled through the frontend, mainly because the same established TCP connection is used to forward the requests to the backend.
JFrog researchers crafted a POST request that contains a GET request in its body. Because of the manner in which the POST request’s header is created, HAProxy ends up forwarding it to the backend server with a value length of 0, meaning that it has no body.
The backend server then parses the request as having no body, and then expects to receive the next request on the same connection. Thus, the GET request that was in fact the POST’s body is treated as a legitimate request, resulting in bypassing HAProxy’s ACL filtering.
“HAProxy is only aware of a single HTTP request being forwarded and thus only returns a single HTTP response (the first) from the backend server back to the client,” according to JFrog’s documentation of the problem.
HAProxy versions 2.0.25, 2.2.17, 2.3.14 or 2.4.4 address the issue with size checks for both name and value lengths. Thus, it is recommended to update HAProxy as soon as possible. Workarounds to mitigate the issue are available as well, if updating isn’t possible.