Researchers on Tuesday reported that they found a critical vulnerability in HAProxy, a popular open source load balancer geared for high-traffic websites that’s used by many leading companies, gets shipped with many Linux distributions, and is deployed in cloud platforms.
JFrog Security disclosed the vulnerability in a blog post and worked with HAProxy’s maintainers to verify and complete the fix. The researchers classified the vulnerability — CVE-2021-40346 — as an Integer Overflow vulnerability that lets attackers conduct an HTTP Request Smuggling attack, which gives it a CVSSv3 score of 8.6.
According to the researchers, this attack let an adversary “smuggle” HTTP requests to the back-end server without the proxy server being aware of it. The smuggled requests can lead to the following negative results: bypass security controls, including any access control lists defined in HAProxy; gain unauthorized access to sensitive data; execute unauthorized commands or modify data; hijack user sessions; and exploit a cross-site script vulnerability without user interaction.
HAProxy load balancing software has become one of the most commonly used components of our digital age, said Yaniv Bar-Dayan, co-founder and CEO at Vulcan Cyber. Bar-Dayan considers HAProxy the plumbing used to build the infrastructure behind the web, adding that it gets distributed with Linux operating systems and by cloud service providers.
“This vulnerability has the potential to have a widespread impact, but fortunately there are plenty of ways to mitigate risk posed by this HAProxy vulnerability, and many users most likely have already taken the necessary steps to protect themselves,” Bar-Dayan said. “Security teams can mitigate CVE-2021-40346 by updating HAProxy to one of the latest four versions of the software. If an HAProxy upgrade is not possible, there’s a configuration change security teams can use as a workaround.”
Setu Kulkarni, vice president, strategy at NTT Application Security, said that HAProxy has more than 500 million downloads from Docker Hub. At the same time, Kulkarni added that HAProxy is open-source, which allows for easy access to the programming logic.
“For an adversary, targeting such widely used critical components that are open source is a lucrative option,” Kulkarni said. “With access to code, they can pretty much run static application security tests to determine weaknesses and once they’ve found a potential vulnerability to exploit, they can then execute large-scale attacks. In the case of HAProxy, the key is to upgrade to the latest version of the software package where the vulnerability has been fixed."
Chuck Everette, director of cybersecurity advocacy at Deep Instinct, said these HTTP smuggling attacks let cybercriminals bypass front-end security controls and access to back-end servers. In turn, Everette said this lets attackers bypass ACLs and gain access to critical systems and data, inject malware, extract data, and hijack credentials — attack vectors they can then leverage at a later date to infect other systems and further spread throughout an organization's environments.
“One of the more reliable ways of defending against this is by deploying a web application firewall,” Everette said. “These firewalls inspect and sanitize hybrid data pipeline traffic, which includes looking for piggybacking, doubleheader, or smuggling attempts. Security teams should also ensure that the organization’s proxy hardware and load balancers are consistently looking at interpreting the HTTP headers uniformly. If the hardware runs inconsistent versions or configurations, it’s difficult for it to inspect and handle issues within the HTTP headers.”