Colin Mc Hugo

0 %
Colin Mc Hugo
Security Engineer Manager & CEO at Quantum Infinite Solutions Group Ltd.
  • Residence:
    Dublin
  • County:
    Dublin
  • Country:
    Ireland
Cyber Security Incident Response
Management & Architecture of Cyber Security Teams
Solutions & Coaching
  • Cyber Security Incident Response
  • Management & Architecture of Cyber Security Teams
  • Solutions
  • Training & Coaching

HAProxy Found Vulnerable to Critical HTTP Request Smuggling Attack

September 8, 2021

A essential safety vulnerability has been disclosed in HAProxy, a extensively used open-source load balancer and proxy server, that could possibly be abused by an adversary to probably smuggle HTTP requests, leading to unauthorized entry to delicate information and execution of arbitrary instructions, successfully opening the door to an array of assaults.

Tracked as CVE-2021-40346, the Integer Overflow vulnerability has a severity ranking of 8.6 on the CVSS scoring system and has been rectified in HAProxy variations 2.0.25, 2.2.17, 2.3.14 and a couple of.4.4.

HTTP Request Smuggling, because the title implies, is an internet software assault that tampers the style an internet site processes sequences of HTTP requests acquired from multiple person. Additionally known as HTTP desynchronization, the method takes benefit of parsing inconsistencies in how front-end servers and back-end servers course of requests from the senders.

Entrance-end servers are sometimes load balancers or reverse proxies which might be utilized by web sites to handle a sequence of inbound HTTP requests over a single connection and ahead them to a number of back-end servers. It is due to this fact essential that the requests are processed accurately at each ends in order that the servers can decide the place one request ends and the following one begins, a failure of which can lead to a state of affairs the place malicious content material appended to 1 request will get added to the beginning of the following request.

In different phrases, attributable to an issue arising from how front-end and back-end servers work out the start and finish of every request by utilizing the Content-Length and Transfer-Encoding headers, the tip of a rogue HTTP request is miscalculated, leaving the malicious content material unprocessed by one server however prefixed to the start of the following inbound request within the chain.

“The assault was made doable by using an integer overflow vulnerability that allowed reaching an sudden state in HAProxy whereas parsing an HTTP request — particularly — within the logic that offers with Content material-Size headers,” researchers from JFrog Safety said in a report revealed on Tuesday.

In a possible real-world assault state of affairs, the flaw could possibly be used to set off an HTTP request smuggling assault with the aim of bypassing ACL (aka access-control record) guidelines defined by HAProxy, which permits customers to outline customized guidelines for blocking malicious requests.

Following accountable disclosure, HAProxy remediated the weak point by including dimension checks for the title and worth lengths. “As a mitigation measure, it’s enough to confirm that no multiple such [content-length] header is current in any message,” Willy Tarreau, HAProxy’s creator and lead developer, noted in a GitHub commit pushed on September 3.

Prospects who can not improve to the aforementioned variations of the software program are really useful so as to add the under snippet to the proxy’s configuration to mitigate the assaults —

http-request deny if { req.hdr_cnt(content-length) gt 1 }

http-response deny if { res.hdr_cnt(content-length) gt 1 }

Posted in SecurityTags:
Write a comment