CVE-2024-45614: Puma Web Server Issue with Proxy Header Clobbering

Puma is a high-performance Ruby/Rack web server which has been designed with parallelism in mind, enabling it to efficiently handle multiple incoming requests and provide optimum performance. However, recently a security issue has surfaced, identified as CVE-2024-45614, which affects the web server's handling of specific proxy headers. As a result, clients can potentially overwrite values set by intermediate proxies.

This post covers the details of the flaw, a snippet illustrating the issue, links to the original references, and an explanation of how the problem is triggered along with the recommended fixes.

The Issue

In the Puma web server's affected versions, clients can clobber values set by intermediate proxies (such as X-Forwarded-For) by providing an underscore version of the same header (e.g., X-Forwarded_For). This issue affects any user who relies on proxy-set variables for their applications.

To fix this problem, Puma has released new versions v6.4.3 and v5.6.9, which discard any headers using underscores if the non-underscore version also exists. As a result, the proxy-defined headers will always take precedence, thus preventing any potential tampering by clients.

Suppose a client sends an HTTP request with the following headers:

X-Forwarded-For: 123.123.123.123
X-Forwarded_For: 234.234.234.234

In affected versions of Puma, the web server would consider the X-Forwarded_For header and ignore the X-Forwarded-For header set by the intermediate proxy.

After the update to versions v6.4.3 and v5.6.9, Puma web server will handle the headers correctly, giving priority to the X-Forwarded-For header as intended.
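The collision happens because a Rack server maps header names to CGI-style environment keys by upcasing them and turning dashes into underscores, so X-Forwarded-For and X-Forwarded_For both land on HTTP_X_FORWARDED_FOR and whichever is processed last wins. The following Ruby script is an added example written for this post, not Puma's own code: it models that mapping with a small constructed header list, shows the vulnerable last-write-wins behaviour next to the rule the fixed versions apply (drop an underscore header when its dash form is also present), and checks that the hardened rule is independent of header order. The function names, the sample addresses and the header order are assumptions made for the illustration.

```ruby
# Added example (not Puma's own implementation): models how a Rack server
# turns raw HTTP header names into CGI-style env keys, and why a
# dash/underscore collision lets a client clobber a proxy-set value.

# Constructed sample headers, in wire order: the intermediate proxy appended
# X-Forwarded-For, the client also supplied an X-Forwarded_For header.
SAMPLE_HEADERS = [
  ["Host", "app.example.test"],
  ["X-Forwarded-For", "123.123.123.123"],   # set by the intermediate proxy
  ["X-Forwarded_For", "234.234.234.234"],   # supplied by the client
  ["User-Agent", "constructed/1.0"],
].freeze

# Both "X-Forwarded-For" and "X-Forwarded_For" normalize to HTTP_X_FORWARDED_FOR.
def env_key(name)
  "HTTP_" + name.upcase.tr("-", "_")
end

# Vulnerable behaviour: every header is mapped and the last write wins, so the
# client's underscore variant overwrites the proxy's value.
def build_env_vulnerable(headers)
  env = {}
  headers.each { |name, value| env[env_key(name)] = value }
  env
end

# Hardened behaviour (the rule described in the advisory): a header whose name
# contains an underscore is discarded whenever the dash form of the same name
# is also present in the request, so the proxy-set header always takes
# precedence. Underscore headers with no dash counterpart are still kept.
def build_env_hardened(headers)
  dash_names = headers.map { |name, _| name.downcase }.reject { |n| n.include?("_") }
  env = {}
  headers.each do |name, value|
    if name.include?("_") && dash_names.include?(name.downcase.tr("_", "-"))
      next # underscore variant shadows a dash-form header: drop it
    end
    env[env_key(name)] = value
  end
  env
end

# Convenience accessor an application might use for the proxy-reported address.
def forwarded_for(env)
  env["HTTP_X_FORWARDED_FOR"]
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable mapping sees: #{forwarded_for(build_env_vulnerable(SAMPLE_HEADERS))}"
  puts "hardened mapping sees:   #{forwarded_for(build_env_hardened(SAMPLE_HEADERS))}"
end
```

Running the script prints the client-controlled address for the vulnerable mapping and the proxy's address for the hardened one; reversing SAMPLE_HEADERS does not change the hardened result, which is the property an application that reads HTTP_X_FORWARDED_FOR for access decisions actually depends on.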

Mitigation

As a workaround, users of the Nginx proxy server can leave the underscores_in_headers directive off so that request headers containing underscores are discarded at the proxy level before they reach Puma.

http {
    underscores_in_headers off;
}

However, it is strongly advised to upgrade to the fixed versions, v6.4.3 or v5.6.9, of the Puma web server to ensure complete protection against this issue.

Conclusion

Users who implicitly trust proxy-defined headers for security purposes should immediately cease doing so until they have upgraded to the fixed versions of the Puma web server. The vulnerability, CVE-2024-45614, allows clients to overwrite values set by intermediate proxies, which could lead to potential security risks.

To protect your application, it is strongly advised to upgrade the Puma web server to v6.4.3 or v5.6.9 and apply any necessary proxy-level mitigations if needed. By doing so, you will ensure the security and integrity of your web applications.

References

1. Puma GitHub Repository - Security Advisory and Changelog
2. CVE-2024-45614: National Vulnerability Database (NVD) Entry
3. Nginx Configuration Guide: underscores_in_headers

Timeline

Published on: 09/19/2024 23:15:11 UTC
Last modified on: 09/26/2024 13:28:30 UTC