#VU55969 Input validation error in HAProxy - CVE-2021-39240

Cybersecurity Help s.r.o.

Published: 2021-08-18

Vulnerability identifier: #VU55969

Vulnerability risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2021-39240

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
HAProxy
Server applications / IDS/IPS systems, Firewalls and proxy servers

Vendor: HAProxy

Description

The vulnerability allows a remote attacker to bypass security restrictions.

The vulnerability exists due to insufficient validation of user-supplied input when processing HTTP/2 requests. HAProxy does not ensure that the scheme and path portions of a URI have the expected characters, e.g. the authority field on a target HTTP/2 server might differ from what the routing rules were intended to achieve. A remote attacker can send specially crafted input to the application and bypass implemented security restrictions.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

HAProxy: 2.2.0 - 2.2.15, 2.3.0 - 2.3.12, 2.4.0 - 2.4.2

External links
https://git.haproxy.org/?p=haproxy.git;a=commit;h=a495e0d94876c9d39763db319f609351907a31e8
https://git.haproxy.org/?p=haproxy.git;a=commit;h=4b8852c70d8c4b7e225e24eb58258a15eb54c26e
https://www.mail-archive.com/haproxy@formilux.org/msg41041.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Red Hat OpenShift Container Platform 4.8

Multiple vulnerabilities in OpenShift Container Platform 4.9

openEuler update for haproxy

Fedora 33 update for haproxy

Debian update for haproxy

Multiple vulnerabilities in HAProxy

Fedora 34 update for haproxy