Puma, the popular, simple, and high-performance Ruby/Rack webserver, has been found susceptible to a security vulnerability known as HTTP request smuggling. This vulnerability may cause Puma and the front-end proxy to disagree on where an HTTP request starts and ends, potentially leading to security breaches. The vulnerability has been addressed in Puma versions 5.6.4 and 4.3.12, and users are strongly encouraged to upgrade as soon as possible.

Description

HTTP request smuggling (HRS) is an attack that takes advantage of discrepancies between how different systems interpret and handle HTTP requests. In the case of CVE-2022-24790, Puma may improperly parse incoming HTTP requests when deployed behind a proxy that does not validate the requests according to the RFC 7230 standard. Because the proxy and Puma can then disagree on where one request ends and the next begins, an attacker can smuggle a malicious HTTP request through the front-end proxy to Puma, potentially leading to unauthorized access, data leakage, or other security risks.

To better understand the vulnerability, consider the following code snippet:

# Puma configuration (config/puma.rb)
workers 2
threads 1, 2
port 300

In this example, Puma is configured with two workers and up to two threads per worker. Nothing in this configuration causes or prevents the issue; it is shown only to illustrate a typical deployment. If the front-end proxy does not properly validate incoming HTTP requests, Puma may interpret a single request as multiple requests, or multiple requests as a single request, regardless of how workers and threads are configured. This can result in Puma serving unexpected or malicious content.

Exploit Details

An attacker can exploit this vulnerability by sending specially crafted HTTP requests that exploit the differences in how the front-end proxy and Puma interpret the request. Specific details of the exploit can be found in the original vulnerability disclosure announcement: https://hackerone.com/reports/143694

Mitigation and Remediation

To mitigate this vulnerability, users of Puma should immediately upgrade to version 5.6.4 or 4.3.12, as the issue has been fixed in these releases.

# Upgrade Puma to the latest version
# (for Bundler-managed apps, run `bundle update puma` instead and commit the updated Gemfile.lock)
gem update puma

Another workaround is to ensure the front-end proxy deployed in front of Puma validates incoming requests for compliance with the RFC 7230 standard, in particular its message-framing rules (a request must not carry both Transfer-Encoding and Content-Length, chunked must be the final transfer-coding, and conflicting or non-numeric Content-Length values must be rejected). This prevents the proxy and Puma from reading a request's boundaries differently, thereby reducing the risk of HTTP request smuggling attacks. Note that this only reduces exposure; upgrading Puma is the actual fix. For reference, nginx rejects requests that carry both Content-Length and Transfer-Encoding headers from version 1.21.1 onward.

# Example Nginx configuration in front of Puma
# Note: these directives only size the request header and body buffers; they do
# not by themselves enforce the RFC 7230 framing rules described above.
server {
  ...
  ## Buffer sizes for incoming request headers and bodies
  large_client_header_buffers 4 8k;
  client_body_buffer_size 16k;
  ...
}
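The following is an added example, not part of the original advisory and not Puma's or nginx's own code. It implements the RFC 7230 section 3.3.3 message-framing checks that the Description and the proxy-validation workaround above refer to, as a small Ruby validator a front-end proxy or a Rack-level filter could apply to a request head before forwarding it. A request that fails these checks is exactly the kind two parsers can read with different boundaries, so rejecting it up front removes the disagreement. The module name, the return-value shape, the allowed set of non-chunked transfer-codings and the sample request heads are all assumptions made for this example.

```ruby
# Added example (not Puma's or the proxy's own code): an RFC 7230 section 3.3.3
# message-framing validator. Input is the raw request head (request line plus
# header lines, up to the blank line). The sample request heads at the bottom
# are constructed for this example.
module FramingValidator
  # RFC 7230 "token" characters; header names and transfer-coding names must match.
  TOKEN = /\A[!\#$%&'*+\-.^_`|~0-9A-Za-z]+\z/

  # Transfer-codings this validator accepts besides the mandatory final "chunked"
  # (an assumption for the example; restrict to what your proxy actually decodes).
  ALLOWED_CODINGS = %w[gzip deflate compress].freeze

  # Parse the head into [request_line, headers]; headers maps a lower-cased
  # name to the array of values seen for it (a name may legitimately repeat).
  def self.parse_head(raw)
    lines = raw.split(/\r?\n/)
    request_line = lines.shift
    headers = Hash.new { |h, k| h[k] = [] }
    lines.each do |line|
      break if line.empty?
      # Obsolete line folding (a continuation line) is itself a framing hazard.
      raise "obs-fold not allowed" if line =~ /\A[ \t]/
      name, value = line.split(":", 2)
      # No whitespace is allowed between the field name and the colon.
      raise "malformed header line: #{line.inspect}" if value.nil? || name !~ TOKEN
      headers[name.downcase] << value.strip
    end
    [request_line, headers]
  end

  # Returns [:ok, :chunked | :content_length | :none] or [:reject, reason].
  def self.check(raw)
    _, headers = parse_head(raw)
    te = headers["transfer-encoding"]
    cl = headers["content-length"]

    # Rule 1: Transfer-Encoding together with Content-Length is the classic
    # ambiguity; RFC 7230 lets a server reject it, and a proxy must not forward it.
    return [:reject, "both Transfer-Encoding and Content-Length present"] if !te.empty? && !cl.empty?

    unless te.empty?
      # Rule 2: every coding is a token, chunked is the final coding, and every
      # other coding is one we know how to decode.
      codings = te.flat_map { |v| v.split(",", -1) }.map { |c| c.strip.downcase }
      return [:reject, "empty transfer-coding"] if codings.empty? || codings.any?(&:empty?)
      return [:reject, "non-token transfer-coding"] unless codings.all? { |c| c =~ TOKEN }
      return [:reject, "chunked is not the final transfer-coding"] unless codings.last == "chunked"
      extra = codings[0...-1]
      return [:reject, "unsupported transfer-coding"] unless extra.all? { |c| ALLOWED_CODINGS.include?(c) }
      return [:ok, :chunked]
    end

    unless cl.empty?
      # Rule 3: Content-Length is a single decimal number, or a list whose
      # members are all identical; anything else is invalid framing.
      values = cl.flat_map { |v| v.split(",", -1) }.map(&:strip)
      return [:reject, "non-numeric Content-Length"] unless values.all? { |v| v =~ /\A[0-9]+\z/ }
      return [:reject, "conflicting Content-Length values"] unless values.uniq.size == 1
      return [:ok, :content_length]
    end

    [:ok, :none]
  rescue RuntimeError => e
    [:reject, e.message]
  end
end

# Constructed sample request heads (not captured traffic).
SAMPLES = {
  plain:     "POST /x HTTP/1.1\r\nHost: app\r\nContent-Length: 5\r\n\r\n",
  chunked:   "POST /x HTTP/1.1\r\nHost: app\r\nTransfer-Encoding: chunked\r\n\r\n",
  cl_and_te: "POST /x HTTP/1.1\r\nHost: app\r\nContent-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n",
  two_cl:    "POST /x HTTP/1.1\r\nHost: app\r\nContent-Length: 5\r\nContent-Length: 6\r\n\r\n",
  bad_te:    "POST /x HTTP/1.1\r\nHost: app\r\nTransfer-Encoding: chunked, gzip\r\n\r\n",
  space_cl:  "POST /x HTTP/1.1\r\nHost: app\r\nContent-Length : 5\r\n\r\n",
}.freeze

if __FILE__ == $0
  SAMPLES.each { |name, raw| puts "#{name}: #{FramingValidator.check(raw).inspect}" }
end
```

Running the file prints one verdict per sample; only the plain and chunked heads are accepted. In a deployment the natural place for this check is the proxy (so the ambiguous request never reaches Puma), with the Puma upgrade as the real fix behind it.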

Conclusion

Puma users should be aware of the CVE-2022-24790 vulnerability, which can lead to HTTP request smuggling. It is highly recommended to upgrade to the fixed versions (5.6.4 or 4.3.12) and ensure proper validation of incoming HTTP requests by the front-end proxy to mitigate this risk.

Stay safe and secure by keeping your software up-to-date!

Timeline

Published on: 03/30/2022 22:15:00 UTC
Last modified on: 08/27/2022 21:15:00 UTC