Home News HAProxy Found Vulnerable to Critical HTTP Request Smuggling Attack

    HAProxy Found Vulnerable to Critical HTTP Request Smuggling Attack


    A essential safety vulnerability has been disclosed in HAProxy, a extensively used open-source load balancer and proxy server, that could possibly be abused by an adversary to probably smuggle HTTP requests, leading to unauthorized entry to delicate knowledge and execution of arbitrary instructions, successfully opening the door to an array of assaults.

    Tracked as CVE-2021-40346, the Integer Overflow vulnerability has a severity ranking of 8.6 on the CVSS scoring system and has been rectified in HAProxy variations 2.0.25, 2.2.17, 2.3.14 and a pair of.4.4.

    HTTP Request Smuggling, because the title implies, is an internet utility assault that tampers the style a web site processes sequences of HTTP requests obtained from a couple of person. Additionally referred to as HTTP desynchronization, the method takes benefit of parsing inconsistencies in how front-end servers and back-end servers course of requests from the senders.

    Entrance-end servers are sometimes load balancers or reverse proxies which are utilized by web sites to handle a sequence of inbound HTTP requests over a single connection and ahead them to a number of back-end servers. It is due to this fact essential that the requests are processed accurately at each ends in order that the servers can decide the place one request ends and the subsequent one begins, a failure of which may end up in a state of affairs the place malicious content material appended to 1 request will get added to the beginning of the subsequent request.

    In different phrases, as a consequence of an issue arising from how front-end and back-end servers work out the start and finish of every request by utilizing the Content-Length and Transfer-Encoding headers, the tip of a rogue HTTP request is miscalculated, leaving the malicious content material unprocessed by one server however prefixed to the start of the subsequent inbound request within the chain.

    “The assault was made potential by using an integer overflow vulnerability that allowed reaching an sudden state in HAProxy whereas parsing an HTTP request — particularly — within the logic that offers with Content material-Size headers,” researchers from JFrog Safety said in a report printed on Tuesday.

    In a possible real-world assault state of affairs, the flaw could possibly be used to set off an HTTP request smuggling assault with the aim of bypassing ACL (aka access-control record) guidelines defined by HAProxy, which permits customers to outline customized guidelines for blocking malicious requests.

    Following accountable disclosure, HAProxy remediated the weak spot by including measurement checks for the title and worth lengths. “As a mitigation measure, it’s ample to confirm that no a couple of such [content-length] header is current in any message,” Willy Tarreau, HAProxy’s creator and lead developer, noted in a GitHub commit pushed on September 3.

    Prospects who can’t improve to the aforementioned variations of the software program are really useful so as to add the beneath snippet to the proxy’s configuration to mitigate the assaults —

    http-request deny if { req.hdr_cnt(content-length) gt 1 }

    http-response deny if { res.hdr_cnt(content-length) gt 1 }

    Source link