HAProxy urges users to update after HTTP request smuggling vulnerability found

The vulnerability was announced earlier this week by researchers with JFrog, who released a report on the problem.

Users of HAProxy 2.0 and later versions are being urged to push through updates after a vulnerability was found that could allow "an attacker to bypass the check for a duplicate HTTP Content-Length header, permitting a request smuggling attack or a response-splitting attack."

"Our analysis confirmed that the duplication is achieved by making use of the memory layout of HAProxy's internal representation of an HTTP message to slip a select character from the header's name to its value," HAProxy explained in a blog.

"Due to the difficulty in executing such an attack, the risk is low."

HAProxy provided a list of affected and fixed versions while also providing a workaround for those who cannot update right away.

The vulnerability was announced earlier this week by researchers with JFrog, who released a report on the problem.

JFrog researchers Ori Hollander and Or Peles wrote that CVE-2021-40346 is an Integer Overflow vulnerability that makes it possible to conduct an HTTP Request Smuggling attack, explaining that it has a CVSSv3 score of 8.6. 

"This attack allows an adversary to 'smuggle' HTTP requests to the backend server, without the proxy server being aware of it," the researchers said, commending HAProxy CTO Willy Tarreau and their security team for "promptly and professionally handling this issue."

Tarreau released his own note on the issue, thanking JFrog for their work.

"Quite honestly, they've done an excellent job at spotting this one because it's not every day that you manage to turn a single-bit overflow into an extra request, and figuring this required to dig deeply into the layers," Tarreau said. 

Vulcan Cyber CEO Yaniv Bar-Dayan said the HAProxy load balancing software is "one of the most commonly used components of our digital age," calling it "plumbing used to build the infrastructure behind the Web." Bar-Dayan explained that it is distributed with Linux operating systems and by cloud service providers and is used in production by some of the world's largest web services and applications. 

"This vulnerability has the potential to have a wide-spread impact, but fortunately, there are plenty of ways to mitigate the risk posed by this HAProxy vulnerability, and many users most likely have already taken the necessary steps to protect themselves," Bar-Dayan told ZDNet

"CVE-2021-40346 is mitigated if HAProxy has been updated to one of the latest four versions of the software. Like with most vulnerabilities, CVE-2021-40346 can't be exploited without severe user negligence. The HAProxy team has been responsible in their handling of the bug. Most likely, the institutional cloud and application services that use HAProxy in their stack have either applied upgrades or made the requisite configuration changes by now. Now it is up to all HAProxy users to run an effective vulnerability remediation program to protect their businesses from this very real threat."

Michael Isbitski, the technical evangelist at Salt Security, added that HAProxy is a multi-purpose, software-based infrastructure component that can fulfill a number of networking functions, including load balancer, delivery controller, SSL/TLS termination, web server, proxy server and API mediator. 

"It's a popular free open source choice along with F5 NGINX. HAProxy deployments are prominent in many organizational networks and the collective Internet," Isbitski said. 

"Depending on how a given HAProxy instance is deployed, potential risks include user session hijacking, authorization bypass, sensitive data exposure, unauthorized command execution and unauthorized data modification."

Other experts, like NTT Application Security vice president Setu Kulkarni, noted that HAProxy has over 500 million downloads from dockerhub and for an adversary, targeting such widely used critical components that are open source is a lucrative option, Kulkarni said. 

"With access to code, they can now pretty much run static application security tests to determine weaknesses, and once they've found a potential vulnerability to exploit, they can execute large scale attacks. In the case of HAProxy, the key is to upgrade to the latest version of the software package where the vulnerability has been fixed -- the burden of this task has to be shared equally by DevOps, SecOps and RunOps teams to ensure that the system continues to remain operational as a critical component as HAProxy is being upgraded," Kulkarni said.