At the heart of most modern web applications lies a load balancer, a critical component that ensures that incoming traffic is distributed evenly across multiple servers to avoid overloading any one server. One of the most popular load balancers is HAProxy, a free and open-source software that is widely used in enterprise environments.
However, a recent HAProxy vulnerability has been discovered that could allow attackers to bypass its filters and gain unauthorized access to back-end servers. In this article, we will explore the details of this vulnerability, its impact, and the steps that can be taken to mitigate it.
Dropped Headers in HAProxy
The HAProxy vulnerability involves dropped headers: important fields such as Connection, Content-Length, Transfer-Encoding and Host. A specially crafted HTTP request can make HAProxy drop these fields after it has parsed and partially processed them, which confuses HAProxy and causes it to forward the request to the back-end server without applying its filters.
This can allow attackers to bypass HAProxy’s authentication checks for certain URLs or give them access to restricted resources. While the vulnerability is not hard to exploit, its impact depends on the target web server and how much it relies on HAProxy filters to secure its resources.
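Because the impact depends on how much the back end relies on the proxy's filters, a practical defence is to validate headers and authorization at the application as well. The following is an added illustration, not code from the article or from the HAProxy project: a backend-side check (the `Request` type and the restricted-path policy are constructed for the example) that rejects requests whose Host or body-framing headers are missing or inconsistent, and enforces authentication on restricted paths itself rather than trusting proxy ACLs alone.

```python
# Added example (not from the article or HAProxy): a backend-side sanity check
# so the application does not rely solely on the load balancer's filters. If a
# proxy forwards a request with its Host / Content-Length / Transfer-Encoding
# fields missing, or a restricted path that proxy-side authentication should
# have gated, the backend rejects it on its own.
from dataclasses import dataclass, field

RESTRICTED_PREFIXES = ("/admin/", "/internal/")   # constructed sample policy


@dataclass
class Request:
    """Minimal constructed request model; header names may be in any case."""
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    body: bytes = b""


def check_request(req: Request) -> tuple:
    """Return (accepted, reason); reason is a short machine-readable tag."""
    h = {k.lower(): v for k, v in req.headers.items()}
    # HTTP/1.1 requires Host; a request without it is malformed whatever the proxy did.
    if "host" not in h:
        return False, "missing-host"
    # Both framing headers at once is ambiguous; refuse rather than guess.
    if "content-length" in h and "transfer-encoding" in h:
        return False, "conflicting-framing"
    if "content-length" in h:
        try:
            declared = int(h["content-length"])
        except ValueError:
            return False, "bad-content-length"
        if declared != len(req.body):
            return False, "length-mismatch"
    elif req.body and "transfer-encoding" not in h:
        return False, "unframed-body"
    # Enforce authorization here too, independently of any proxy-side rules.
    if req.path.startswith(RESTRICTED_PREFIXES) and not h.get("authorization"):
        return False, "unauthenticated-restricted-path"
    return True, "ok"
```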
The vulnerability was reported by a group of researchers at Northeastern University, Akamai Technologies, and Google who were running tests. Willy Tarreau, the maintainer of HAProxy, has stated that the vulnerability has existed since version 2.0 of HAProxy, which was released in June 2019.
Workaround for the HAProxy Vulnerability
For those who are not able to immediately upgrade to the latest version, Tarreau has provided a temporary config-based workaround that blocks attacks by detecting the internal conditions caused by the exploitation of the bug.
For those running older versions of HAProxy, Tarreau's notice warns that the best short-term option is to upgrade to the immediately following branch, which is the one that will introduce the fewest surprises or changes. Tarreau emphasizes the importance of keeping load balancers up to date and notes that stable versions of HAProxy are maintained for five years, giving users ample time to validate and upgrade to a new version when needed.
The recent HAProxy vulnerability involving dropped headers has highlighted the importance of keeping load balancers up-to-date and being vigilant about potential security risks. Users of HAProxy are advised to upgrade to the latest version as soon as possible or apply the temporary config-based workaround provided by the maintainer of HAProxy to mitigate the risk of attack.
In conclusion, the security of web applications is an ongoing concern, and it is important for developers and system administrators to stay informed about potential vulnerabilities and take the necessary steps to secure their systems.
Dimitris is an Information Technology and Cybersecurity professional with more than 20 years of experience in designing, building and maintaining efficient and secure IT infrastructures.
Among others, he holds the CISSP, CISA, CISM, ITIL, COBIT and PRINCE2 certifications, but his wide set of knowledge and technical management capabilities goes beyond these certifications. He enjoys acquiring new skills in penetration testing, cloud technologies, virtualization, network security, IoT and many more.