HAProxy, a widely used open-source load balancer and proxy server, that could be abused by an adversary to possibly smuggle HTTP requests, resulting in unauthorized access to sensitive data and execution of arbitrary commands.
Tracked as CVE-2021-40346,has a severity rating of 8.6 on the CVSS scoring system and has been rectified in HAProxy versions 2.0.25, 2.2.17, 2.3.14 and 2.4.4.
HTTP Request Smuggling,is a web application attack that tampers a website processes sequences of HTTP requests received from more than one user. Also called HTTP desynchronization, the technique takes advantage of parsing inconsistencies in how front-end servers and back-end servers process requests from the senders.
Front-end servers are typically load balancers or reverse proxies that are used by websites to manage a chain of inbound HTTP requests over a single connection and forward them to one or more back-end servers. It’s crucial that the requests are processed correctly at both ends so that the servers can determine where one request ends and the next one begins, a failure of which can result in a scenario where malicious content appended to one request gets added to the start of the next request.
The attack was made possible by utilizing an integer overflow vulnerability that allowed reaching an unexpected state in HAProxy while parsing an HTTP request specifically in the logic that deals with Content-Length headers.
The flaw could be used to trigger an HTTP request smuggling attack with the goal of bypassing ACL rules defined by HAProxy, which enables users to define custom rules for blocking malicious requests.
HAProxy remediated the weakness by adding size checks for the name and value lengths. As a mitigation measure, it is sufficient to verify that no more than one such header is present in any message.
Customers who cannot upgrade to the aforementioned versions of the software are recommended to add the below snippet to the proxy’s configuration to mitigate the attacks