CVE-2023-25725 - HAProxy Access Control Bypass Due to HTTP/1 Header Loss and Request Smuggling

CVE-2023-25725 - HAProxy Access Control Bypass Due to HTTP/1 Header Loss and Request Smuggling

A security vulnerability has been discovered in the popular open-source software HAProxy before version 2.7.3. This vulnerability, identified as CVE-2023-25725, allows an attacker to bypass access controls by exploiting a "request smuggling" technique. The issue affects HAProxy installations utilizing HTTP/1 headers, as they can be inadvertently lost in specific situations.

This post outlines the details of the vulnerability, its consequences, affected versions, and steps to mitigate the risk. Additionally, code snippets and links to original references are provided to help those wishing to dive deeper into the issue.

Vulnerability Overview

The HTTP header parsers in HAProxy may accept empty header field names, which could be used by an attacker to truncate the list of HTTP headers. Consequently, some headers may disappear after being parsed and processed for HTTP/1. and HTTP/1.1. For HTTP/2 and HTTP/3, the impact is limited as the headers vanish before being parsed and processed, as if they had not been sent by the client.

The vulnerability can enable an attacker to bypassing security measures like access controls and launch subsequent attacks by exploiting techniques like "request smuggling."

Fixed: 2.7.3

To resolve the issue, users must upgrade to the version corresponding to their release series or newer.

Code Snippet: Exploit Example

The following example demonstrates how an attacker might attempt to exploit CVE-2023-25725 by sending a crafted request with an empty header field name:

POST / HTTP/1.1
Host: vulnerable-haproxy-instance.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 100
: exploit-via-empty-header
Connection: close

attack_payload... [100 bytes]

In this example, the "exploit-via-empty-header" header is used to truncate the list of headers, causing the "Connection: close" header to disappear. As a result, the request smuggling technique can be employed to bypass access controls and launch further attacks.

Original References and Additional Resources

- HAProxy Official Advisory
- CVE-2023-25725 on NIST National Vulnerability Database
- HAProxy GitHub Repository

In conclusion, CVE-2023-25725 is a significant security issue that has the potential to enable an attacker to bypass access controls on applications using vulnerable HAProxy versions. Administrators and developers should promptly upgrade to the fixed versions and evaluate their networks for any signs of exploitation.

Timeline

Published on: 02/14/2023 19:15:00 UTC
Last modified on: 02/25/2023 06:15:00 UTC