HAProxy Exposed to Critical HTTP Request Smuggling Attack

A new security vulnerability has been discovered in HAProxy, the open-source load balancer and proxy server. The issue enables attackers to smuggle HTTP requests, which results in the ability to access sensitive data and execute arbitrary commands.


According to The Hacker News, the flaw potentially exposes several avenues of attack. CVE-2021-40346, listed as severity level 8.6 on the CVSS rating system, has been patched in HAProxy versions 2.0.25, 2.2.17, 2.3.14, and 2.4.4.

Cybersecurity researchers from JFrog Security note in a report: "The attack was made possible by utilizing an integer overflow vulnerability that allowed reaching an unexpected state in HAProxy while parsing an HTTP request — specifically — in the logic that deals with Content-Length headers."

In an HTTP request smuggling attack, attackers tamper with the way a website processes sequences of HTTP requests received from multiple users. Also known as HTTP desynchronization, the technique takes advantage of the front-end server and the back-end server applying different parsing rules to the same request from a sender.

Hackers can use this vulnerability to insert malicious content

A front-end server is a reverse proxy or load balancer that typically carries inbound HTTP requests over a single connection to the website's back-end servers. Both ends must therefore agree on where one request ends and the next begins. A failure to do so could result in malicious content being inserted into the beginning of a new request due to incorrect processing at both ends.

The front-end and back-end servers rely on the Content-Length and Transfer-Encoding headers to figure out the start and end of each request. Because of a shortcoming in how they handle these headers, the end of a rogue HTTP request may be calculated incorrectly, so the malicious content at its end remains unprocessed by one server while being prefixed to the front of the next inbound request in the chain.

By exploiting this vulnerability through HTTP request smuggling, attackers could potentially bypass the rules specified in HAProxy's access control lists (ACLs).