A critical security flaw has been discovered in the HAProxy server that allows an attacker to smuggle HTTP requests in order to execute arbitrary commands and access sensitive data.
HAProxy is a popular open-source load balancer and proxy server.
The issue has been assigned CVE-2021-40346 and is fixed in HAProxy versions 2.0.25, 2.2.17, 2.3.14, and 2.4.4. HTTP Request Smuggling is a web application attack that alters the way a website handles HTTP requests.
The HTTP Request Smuggling technique, also known as HTTP desynchronization, takes advantage of discrepancies in how front-end and back-end servers parse requests received from more than one user.
“An adversary typically exploits this technique by sending a specially crafted request that includes an additional request in its body. On a successful attack, the inner request is smuggled through the frontend (that considers it as only the request’s body) but is consumed as a normal request by the backend,” JFrog Security, who discovered the flaw, said in a report published on Tuesday.
The flaw could be exploited to launch an HTTP request smuggling attack that abuses HTTP rules to bypass the ACL rules set by HAProxy. An attacker could then exploit an integer overflow vulnerability in HAProxy’s HTTP parsing to execute arbitrary code on a vulnerable server:
“The attack was made possible by utilizing an integer overflow vulnerability that allowed reaching an unexpected state in HAProxy while parsing an HTTP request — specifically — in the logic that deals with Content-Length headers,” researchers from JFrog Security said.
Following the disclosure of the flaw, the company added size checks for the header name and value lengths. “As a mitigation measure, it is sufficient to verify that no more than one such [content-length] header is present in any message,” Willy Tarreau, HAProxy’s main developer, noted in his September 3 GitHub commit.
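The check Tarreau describes, as an added example (not HAProxy's own code): a small Python request-head parser that refuses any message carrying more than one Content-Length header, since two parsers may disagree on which one frames the body. The sample requests are constructed for the example, and the header-name strictness is an assumption, not something the page attributes to the fix.

```python
from typing import List, Optional, Tuple


class FramingError(ValueError):
    """The request's body length cannot be determined unambiguously."""


def parse_head(raw: bytes) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a raw request head into the request line and (name, value) pairs."""
    lines = raw.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        # No colon, empty name, or whitespace around the name (obs-fold or a
        # space before the colon) invites parser disagreement: reject outright.
        if not sep or not name or name != name.strip():
            raise FramingError(f"malformed header line: {line!r}")
        headers.append((name.decode("ascii").lower(), value.decode("ascii").strip()))
    return lines[0].decode("ascii"), headers


def body_length(headers: List[Tuple[str, str]]) -> Optional[int]:
    """Declared body length, or None without Content-Length.

    Mirrors the quoted mitigation: more than one Content-Length header is
    rejected even when the values agree (stricter than RFC 7230 requires).
    """
    values = [v for n, v in headers if n == "content-length"]
    if len(values) > 1:
        raise FramingError(f"{len(values)} Content-Length headers present")
    if not values:
        return None
    if not values[0].isdigit():
        raise FramingError(f"non-numeric Content-Length: {values[0]!r}")
    return int(values[0])


def check_request(raw: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason) for a raw request head."""
    try:
        _, headers = parse_head(raw)
        length = body_length(headers)
    except (FramingError, UnicodeDecodeError) as exc:
        return False, str(exc)
    return True, f"content-length={length}"


# Constructed sample requests, not captured traffic.
CLEAN = b"POST /api HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\nhello"
DUPLICATE = (b"POST /api HTTP/1.1\r\nHost: example.test\r\n"
             b"Content-Length: 5\r\ncontent-length: 5\r\n\r\nhello")
```

Running `check_request` over the two samples accepts `CLEAN` and rejects `DUPLICATE` with the header count in the reason, which is the behaviour a front end needs so that the back end never sees a message it could frame differently.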