A critical security vulnerability has been disclosed in HAProxy that an adversary could abuse to smuggle HTTP requests, resulting in unauthorized access to sensitive data and execution of arbitrary commands, effectively opening the door to an array of attacks.


HAProxy is a multi-purpose, software-based infrastructure component that can fulfill several networking functions including load balancer, delivery controller, SSL/TLS termination, web server, proxy server and API mediator, explains Michael Isbitski, Technical Evangelist at Salt Security, a Palo Alto, Calif.-based provider of API security. “It’s a popular free open source choice along with F5 NGINX.”


HAProxy is also shipped with most mainstream Linux distributions and is often deployed by default in cloud platforms, according to JFrog Security research teams, who responsibly disclosed this vulnerability and worked together with HAProxy’s maintainers on verifying the fix.


HAProxy deployments are prominent in many organizational networks and the collective Internet, Isbitski adds. “Organizations operating HAProxy instances should update to the latest recommended versions to mitigate a number of security risks. Depending on how a given HAProxy instance is deployed, potential risks include user session hijacking, authorization bypass, sensitive data exposure, unauthorized command execution, and unauthorized data modification.”


The vulnerability, tracked as CVE-2021-40346, has a severity rating of 8.6 on the CVSS scoring system and has been rectified in HAProxy versions 2.0.25, 2.2.17, 2.3.14, and 2.4.4. Adversaries who access the code can run static application security tests to determine weaknesses. Once they’ve found a potential vulnerability to exploit, they can execute large-scale attacks, says Setu Kulkarni, Vice President, Strategy at NTT Application Security, a San Jose, Calif.-based application security provider.


Kulkarni adds, “In the case of HAProxy, the key is to upgrade to the latest version of the software package where the vulnerability has been fixed – the burden of this task has to be shared equally by DevOps, SecOps and RunOps teams to ensure that the system continues to remain operational as a critical component as HAProxy is being upgraded.”


In a real-world attack scenario, the vulnerability could be used to trigger an HTTP request smuggling attack. Also called HTTP resynchronization, this technique is a web application attack that tampers with how a website processes sequences of HTTP requests received from more than one user. HTTP request smuggling also takes advantage of inconsistencies in how front-end and back-end servers parse the requests they receive from senders.


Yaniv Bar-Dayan, CEO and co-founder at Vulcan Cyber, a provider of SaaS for enterprise cyber risk remediation, says, “This vulnerability has the potential to have a wide-spread impact, but fortunately, there are plenty of ways to mitigate the risk posed by this HAProxy vulnerability, and many users most likely have already taken the necessary steps to protect themselves. CVE-2021-40346 is mitigated if HAProxy has been updated to one of the latest four versions of the software. Or if an HAProxy upgrade is not possible, there is a configuration change that can be used as a workaround.”


As with most vulnerabilities, CVE-2021-40346 can’t be exploited without severe user negligence, Bar-Dayan says. “The HAProxy team has been responsible in their handling of the bug. It is highly likely that the institutional cloud and application services that use HAProxy in their stack have either applied upgrades or made the requisite configuration changes by now. Now it is up to all HAProxy users to run an effective vulnerability remediation program to protect their businesses from this very real threat.”
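One way to check a host against the fixed releases named above (2.0.25, 2.2.17, 2.3.14 and 2.4.4), as an added example that is not from the article or from the HAProxy project. The function names and the sample banners are constructed for illustration, and the check compares upstream version numbers only.

```shell
#!/bin/sh
# Added example: compare an HAProxy version with the releases this page lists
# as fixing CVE-2021-40346. Assumption: the input is a `haproxy -v` banner or
# a bare X.Y.Z string. Distribution packages can backport a fix without
# changing the upstream number, so "below-fixed" means "verify the package".

# Pull the first X.Y.Z out of the input; prints nothing for dev builds (X.Y-devN).
extract_version() {
    printf '%s\n' "$1" |
        sed -n 's/^[^0-9]*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' |
        head -n 1
}

# Prints a verdict; returns 0 = fixed, 1 = below the fixed release, 2 = unknown.
check_cve_2021_40346() {
    ver=$(extract_version "$1")
    [ -n "$ver" ] || { echo "unknown: no X.Y.Z version found"; return 2; }
    branch=${ver%.*}    # e.g. 2.4
    patch=${ver##*.}    # e.g. 3
    case "$branch" in
        2.0) fixed=25 ;;
        2.2) fixed=17 ;;
        2.3) fixed=14 ;;
        2.4) fixed=4 ;;
        *) echo "unknown: branch $branch is not covered by this page"; return 2 ;;
    esac
    # Numeric comparison, so 2.4.10 is correctly newer than 2.4.4.
    if [ "$patch" -ge "$fixed" ]; then
        echo "fixed: $ver >= $branch.$fixed"
    else
        echo "below-fixed: $ver < $branch.$fixed"
        return 1
    fi
}

# Constructed sample banners (not captured from a real host).
for banner in "HAProxy version 2.4.3-abcdef0 2021/01/01 - https://haproxy.org/" \
              "HA-Proxy version 2.0.25 2021/01/01" \
              "HAProxy version 2.5-dev4"; do
    check_cve_2021_40346 "$banner" || true
done
```

On a live host, pass the real banner with `check_cve_2021_40346 "$(haproxy -v)"` and use the return code in patch-compliance scripts.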