A serious security vulnerability existed in HAProxy that could allow HTTP request smuggling attacks. The vulnerability affected almost all HAProxy versions, and the maintainer has released patches for each affected branch.
HAProxy Vulnerability Could Trigger HTTP Content Smuggling
The HAProxy maintainer, Willy Tarreau, has recently shared details about a serious HTTP request smuggling vulnerability in HAProxy.
HAProxy is a dedicated high-performance, open-source load balancer and reverse proxy tool for HTTP and TCP applications. It distributes workloads and improves the website’s performance via reduced response times and increased throughput.
According to Tarreau’s notice, he came to know of the vulnerability following a report from a team of researchers.
Briefly, the flaw existed in HAProxy header processing, allowing HTTP content smuggling attacks. A maliciously crafted HTTP request could trigger HAProxy to “drop some important headers fields” after parsing. In turn, it would create extra requests to the server, letting the subsequent requests bypass HAProxy filters.
An adversary could exploit the flaw to access restricted content, bypass URL authentication, or achieve other malicious purposes on a target website.
Tarreau explained that crafting such an attack was not trivial. But it wasn’t impossible either, particularly for an attacker acquainted with HTTP internals.
Bug Fix Released
HAProxy’s maintainer confirmed that the vulnerability affected almost all versions. These include HTX-aware versions 2.0 and above, as well as non-HTX versions 1.9 and earlier and version 2.0 in legacy mode. However, the impact of the vulnerability isn’t the same across all versions.
Upon confirming the vulnerability, Tarreau started working on a fix, releasing it across all HAProxy versions. The patched versions include 2.8-dev4, 2.7.3, 2.6.9, 2.5.12, 2.4.12, 2.2.29, and 2.0.31.
For HAProxy users, the maintainer recommends upgrading to the patched version of their relevant branch as the best strategy to stay safe. Nonetheless, for those who cannot manage immediate upgrades, Tarreau has shared a workaround that rejects requests attempting to trigger the flaw with a 403 error. Admins can then watch for a rise in 403 entries in the log to identify exploitation attempts.
While this workaround serves well, it cannot guarantee foolproof security. So, upgrading to a patched version is the ultimate permanent solution.
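The log-watching step described above, as an added example that is not part of the article or of the HAProxy project: it parses lines in HAProxy’s default “option httplog” format (assumed; the sample lines below are constructed, not real traffic) and reports clients that receive a burst of 403 responses inside a short window, which is the signal an admin running the workaround would look for.

```python
import re
from collections import defaultdict
from datetime import datetime

# Fields of interest in HAProxy's default "option httplog" line (assumed format):
#   <syslog prefix> haproxy[pid]: client_ip:port [accept_date] frontend backend/server Tq/Tw/Tc/Tr/Tt status ...
LOG_RE = re.compile(
    r"haproxy\[\d+\]: (?P<ip>[\d.]+):\d+ \[(?P<ts>[^\]]+)\] "
    r"\S+ \S+ \S+ (?P<status>-?\d+) "
)

def parse_line(line):
    """Extract client IP, accept timestamp and HTTP status; None if the line does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S.%f")
    return {"ip": m["ip"], "ts": ts, "status": m["status"]}

def flag_403_bursts(lines, window_s=60, threshold=5):
    """Return {client_ip: peak_count} for clients that received at least
    `threshold` 403 responses inside any `window_s`-second window."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == "403":
            by_ip[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while (t - times[start]).total_seconds() > window_s:
                start += 1
            n = end - start + 1
            if n >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), n)
    return flagged

# Constructed sample log lines (not real traffic): one ordinary client and one
# client that keeps hitting the 403 deny rule within a single minute.
def _line(ip, ts, status, req):
    return (f"Feb  6 12:14:14 lb haproxy[14389]: {ip}:40000 [{ts}] http-in app/srv1 "
            f"1/0/1/1/3 {status} 512 - - ---- 1/1/1/1/0 0/0 \"{req}\"")

SAMPLE_LOG = [
    _line("10.0.1.2", "06/Feb/2023:12:14:14.655", 200, "GET /index.html HTTP/1.1"),
    _line("10.0.1.2", "06/Feb/2023:12:14:20.100", 403, "GET /admin HTTP/1.1"),
] + [
    _line("203.0.113.7", f"06/Feb/2023:12:15:{5 * i:02d}.000", 403, "GET / HTTP/1.1")
    for i in range(6)
]

if __name__ == "__main__":
    print(flag_403_bursts(SAMPLE_LOG))  # {'203.0.113.7': 6}
```

A single 403 from a client is normal noise; the threshold and window are the knobs to tune against each site’s baseline before alerting on the result.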