CVE-2018-21245

9.1 CRITICAL

📋 TL;DR

CVE-2018-21245 is an HTTP request smuggling vulnerability in Pound reverse proxy/load balancer versions before 2.8. This allows attackers to bypass security controls, poison caches, and potentially hijack user sessions. Organizations using Pound as a front-end proxy are affected.

💻 Affected Systems

Products:
  • Pound
Versions: All versions before 2.8
Operating Systems: All operating systems running Pound
Default Config Vulnerable: ⚠️ Yes
Notes: All Pound deployments with default configurations are vulnerable. The vulnerability is in the HTTP request parsing logic.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could poison proxy caches, bypass authentication, hijack user sessions, and perform cross-site scripting attacks against users behind the proxy.

🟠 Likely Case

Cache poisoning leading to users receiving malicious content, authentication bypass for protected resources, and session hijacking.

🟢 If Mitigated

Limited impact if proper network segmentation, WAF rules, and monitoring are in place to detect anomalous HTTP traffic patterns.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

HTTP request smuggling techniques are well-documented and can be adapted for this vulnerability. Exploitation requires sending specially crafted HTTP requests.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.8 and later

Vendor Advisory: https://admin.hostpoint.ch/pipermail/pound_apsis.ch/2018-May/000054.html

Restart Required: Yes

Instructions:

1. Download Pound 2.8 or later from the official website.
2. Stop the Pound service.
3. Install the new version.
4. Restart the Pound service.
5. Verify the version is 2.8 or higher.

🔧 Temporary Workarounds

Use alternative reverse proxy (applies to: all)

Replace Pound with a different reverse proxy/load balancer that is not vulnerable to HTTP request smuggling.

Implement WAF rules (applies to: all)

Configure Web Application Firewall rules to detect and block HTTP request smuggling attempts.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Pound instances from untrusted networks
  • Deploy intrusion detection systems to monitor for HTTP request smuggling patterns

🔍 How to Verify

Check if Vulnerable:

Check the Pound version using 'pound -V' or 'pound -v'. If the version is below 2.8, the system is vulnerable.

Check Version:

pound -V

Verify Fix Applied:

After patching, run 'pound -V' or 'pound -v' and confirm the version is 2.8 or higher.

📡 Detection & Monitoring

Log Indicators:

  • Unusual HTTP request patterns
  • Multiple requests on the same connection
  • Malformed HTTP headers in logs

Network Indicators:

  • HTTP requests with conflicting Content-Length and Transfer-Encoding headers
  • Requests that appear to contain multiple HTTP messages

SIEM Query:

source="pound.log" AND (("Transfer-Encoding" AND "Content-Length") OR "malformed request")
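The network indicators above (conflicting Content-Length and Transfer-Encoding headers, and one connection carrying more than one HTTP message) can be checked mechanically on captured request bytes. The following is an added example written for this page; it is not part of the advisory or of Pound, and the sample requests it scans are constructed here rather than taken from real traffic. It splits a raw HTTP/1.x request into headers and body and returns a list of the smuggling indicators it finds, which is the kind of classifier a proxy tap or IDS hook would feed into a SIEM alert.

```python
import re
from typing import Dict, List, Tuple

# Added example, not advisory or Pound code: heuristic smuggling indicators
# for one raw HTTP/1.x request as it would be seen on the wire.

_REQUEST_LINE = re.compile(
    rb"^(GET|HEAD|POST|PUT|DELETE|OPTIONS|PATCH) \S+ HTTP/1\.[01]$"
)


def split_request(raw: bytes) -> Tuple[bytes, List[Tuple[bytes, bytes]], bytes]:
    """Split a raw request into (request line, [(raw name, raw value)], body).

    Header names and values are returned unstripped on purpose: the
    formatting itself is one of the indicators we want to see."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = [tuple(line.partition(b":")[::2]) for line in lines[1:] if line]
    return lines[0], headers, body


def smuggling_indicators(raw: bytes) -> List[str]:
    """Return human-readable indicators found in one request ([] if clean)."""
    _, headers, body = split_request(raw)
    findings: List[str] = []
    cl_values: List[bytes] = []
    te_values: List[bytes] = []

    for raw_name, raw_value in headers:
        name = raw_name.strip().lower()
        # RFC 7230 forbids whitespace between the field name and the colon;
        # front ends that tolerate it disagree with back ends that do not,
        # which is exactly the parser desynchronisation smuggling relies on.
        if raw_name != raw_name.rstrip():
            findings.append("whitespace before colon in header name")
        if name == b"content-length":
            cl_values.append(raw_value.strip())
        elif name == b"transfer-encoding":
            te_values.append(raw_value.strip())

    if cl_values and te_values:
        findings.append("both Content-Length and Transfer-Encoding present")
    if len(set(cl_values)) > 1:
        findings.append("conflicting duplicate Content-Length values")
    if any(not v.isdigit() for v in cl_values):
        findings.append("non-numeric Content-Length")
    # Detection heuristic: anything other than the canonical lowercase
    # "chunked" token is flagged even if a lenient parser would accept it.
    if any(v != b"chunked" for v in te_values):
        findings.append("non-canonical Transfer-Encoding value")

    # A request line right after the declared body length is the classic
    # sign that one TCP stream carries two HTTP messages.
    if cl_values and cl_values[0].isdigit():
        remainder = body[int(cl_values[0]):]
        first_line = remainder.split(b"\r\n", 1)[0]
        if _REQUEST_LINE.match(first_line):
            findings.append("second HTTP request follows the declared body")
    return findings


# Constructed sample requests: one clean request and four carrying indicators.
SAMPLES: Dict[str, bytes] = {
    "benign": (b"POST /login HTTP/1.1\r\nHost: app.example\r\n"
               b"Content-Length: 11\r\n\r\nuser=alice\n"),
    "cl_and_te": (b"POST /search HTTP/1.1\r\nHost: app.example\r\n"
                  b"Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n"),
    "duplicate_cl": (b"POST /form HTTP/1.1\r\nHost: app.example\r\n"
                     b"Content-Length: 4\r\nContent-Length: 8\r\n\r\nabcd"),
    "space_before_colon": (b"POST /form HTTP/1.1\r\nHost: app.example\r\n"
                           b"Transfer-Encoding : chunked\r\n\r\n0\r\n\r\n"),
    "two_messages": (b"POST /a HTTP/1.1\r\nHost: app.example\r\nContent-Length: 4\r\n\r\n"
                     b"abcdGET /b HTTP/1.1\r\nHost: app.example\r\n\r\n"),
}


def scan_samples() -> Dict[str, List[str]]:
    """Run the check over the constructed samples; returns name -> indicators."""
    return {name: smuggling_indicators(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, hits in scan_samples().items():
        print(f"{name:20s} {'ALERT: ' + '; '.join(hits) if hits else 'clean'}")
```

Any non-empty result is worth an alert on a front end that should never see such requests from clients; the benign sample returns an empty list, the others each return the single indicator they were built to show. The same checks map directly onto the SIEM query above, but run on the request bytes rather than on whatever subset of headers the proxy happens to log.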
