HAProxy Found Vulnerable to Critical HTTP Request Smuggling Attack

A critical security vulnerability has been disclosed in HAProxy, a widely used open-source load balancer and proxy server, that could be abused by an adversary to possibly smuggle HTTP requests, resulting in unauthorized access to sensitive data and execution of arbitrary commands, effectively opening the door to an array of attacks.

Tracked as CVE-2021-40346, the Integer Overflow vulnerability has a severity rating of 8.6 on the CVSS scoring system and has been rectified in HAProxy versions 2.0.25, 2.2.17, 2.3.14 and 2.4.4.

HTTP Request Smuggling, as the name implies, is a web application attack that tampers the manner a website processes sequences of HTTP requests received from more than one user. Also called HTTP desynchronization, the technique takes advantage of parsing inconsistencies in how front-end servers and back-end servers process requests from the senders.

Front-end servers are typically load balancers or reverse proxies that are used by websites to manage a chain of inbound HTTP requests over a single connection and forward them to one or more back-end servers. It’s therefore crucial that the requests are processed correctly at both ends so that the servers can determine where one request ends and the next one begins, a failure of which can result in a scenario where malicious content appended to one request gets added to the start of the next request.

In other words, due to a problem arising from how front-end and back-end servers work out the beginning and end of each request by using the Content-Length and Transfer-Encoding headers, the end of a rogue HTTP request is miscalculated, leaving the malicious content unprocessed by one server but prefixed to the beginning of the next inbound request in the chain.

“The attack was made possible by utilizing an integer overflow vulnerability that allowed reaching an unexpected state in HAProxy while parsing an HTTP request — specifically — in the logic that deals with Content-Length headers,” researchers from JFrog Security said in a report published on Tuesday.

In a potential real-world attack scenario, the flaw could be used to trigger an HTTP request smuggling attack with the goal of bypassing ACL (aka access-control list) rules defined by HAProxy, which enables users to define custom rules for blocking malicious requests.

Following responsible disclosure, HAProxy remediated the weakness by adding size checks for the name and value lengths. “As a mitigation measure, it is sufficient to verify that no more than one such [content-length] header is present in any message,” Willy Tarreau, HAProxy’s creator and lead developer, noted in a GitHub commit pushed on September 3.

Customers who cannot upgrade to the aforementioned versions of the software are recommended to add the below snippet to the proxy’s configuration to mitigate the attacks —

http-request deny if { req.hdr_cnt(content-length) gt 1 }

http-response deny if { res.hdr_cnt(content-length) gt 1 }