HTTP request smuggling bug patched in HAProxy

Exploitation could enable attackers to access backend servers

HAProxy, the popular open source load balancer and reverse proxy, has patched a bug that could enable attackers to stage HTTP request smuggling attacks.

By sending a maliciously crafted HTTP request, an attacker could bypass the filters of HAProxy and gain unauthorized access to back-end servers.

Dropped headers

According to a notice by Willy Tarreau, the maintainer of HAProxy, “a properly crafted HTTP request can make HAProxy drop some important headers fields such as Connection, Content-length, Transfer-Encoding, Host, etc after having parsed and at least partially processed them”.

This can confuse HAProxy and force it to send requests to the back-end server without applying filters.

For example, it can be used to bypass HAProxy’s authentication checks for certain URLs or give attackers access to restricted resources. The vulnerability is not hard to exploit, but its impact depends on the target web server and how much it relies on HAProxy filters to secure its resources.

“It just requires moderate knowledge of the HTTP protocol and how a smuggling attack works,” Tarreau told The Daily Swig.

“I know that usual HTTP vuln seekers will immediately understand how to exploit this and will just need two-to-three tests to confirm their hypothesis, which is why it was really not needed to [include] more details.”

Bug present since 2019

The vulnerability was reported by a group of researchers at Northeastern University, Akamai Technologies, and Google who were running tests.

Tarreau said the vulnerability had existed since version 2.0 of HAProxy, which was released in June 2019.

“Any config supporting HTTP/1 on the client and HTTP/1 on the server is vulnerable unless it runs on the fixed version or it contains the workaround I proposed,” Tarreau said. “So that’s rather close to 100% of exposed deployments.”

Want the latest web security news sent straight to your inbox? Sign up to our newsletter here

Instances deployed deeper in the infrastructure, such as API gateways, are not at risk since no application nor front proxy will produce such invalid requests.

Tarreau is actively maintaining seven versions of HAProxy and has issued fixes for all of them.

“A load balancer is a critical component in an infrastructure, and generally users do not want to upgrade it unless absolutely necessary or if they need new features,” Tarreau said.

“Thus we maintain each stable version for five years so that they have plenty of time to validate a new one and upgrade when needed.”

Workaround

For those who are not able to immediately upgrade to the latest version, Tarreau has provided a temporary config-based workaround that blocks attacks by detecting the internal conditions caused by the exploitation of the bug.

And for those who are running older versions of HAProxy, Tarreau’s notice warns: “If you’re running on an outdated version… the best short-term option will be to upgrade to the immediately next branch, which is the one that will give you the least surprise or changes.

“Please do not ask for help upgrading from outdated versions, if you didn’t care about updating in five years, it’s unlikely that anyone will care about helping you to catch up.”

The vulnerability is not the first serious HTTP request smuggling flaw to affect HAProxy, with The Daily Swig reporting on a similar issue afflicting the platform that was disclosed by JFrog researchers in September 2021.

YOU MAY ALSO LIKE OAuth ‘masterclass’ crowned top web hacking technique of 2022