CVE-2019-19330
📋 TL;DR
This vulnerability in HAProxy's HTTP/2 implementation allows attackers to inject malicious headers containing special characters (CR, LF, NUL) that can bypass security controls. It affects HAProxy load balancers and reverse proxies, potentially enabling request smuggling, cache poisoning, or other intermediary attacks. Any organization using vulnerable HAProxy versions as HTTP/2 intermediaries is at risk.
💻 Affected Systems
- HAProxy
📦 What is this software?
HAProxy by HAProxy
Ubuntu Linux by Canonical
⚠️ Risk & Real-World Impact
Worst Case
Attackers could bypass security filters, poison caches, perform request smuggling to access internal systems, or execute arbitrary code on backend servers.
Likely Case
Request smuggling leading to cache poisoning, session hijacking, or bypassing security controls like WAFs and authentication mechanisms.
If Mitigated
Limited impact with proper network segmentation, but still potential for request manipulation and header injection.
🎯 Exploit Status
Exploitation requires sending specially crafted HTTP/2 requests. Public proof-of-concept code exists in security advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.0.10 and later
Vendor Advisory: https://git.haproxy.org/?p=haproxy-2.0.git;a=commit;h=ac198b92d461515551b95daae20954b3053ce87e
Restart Required: Yes
Instructions:
1. Download HAProxy 2.0.10 or later from haproxy.org.
2. Stop the HAProxy service.
3. Install the new version.
4. Restart the HAProxy service.
5. Verify the version with 'haproxy -v'.
🔧 Temporary Workarounds
Disable HTTP/2
Temporarily disable HTTP/2 support to mitigate the vulnerability.
Edit HAProxy configuration to remove 'alpn h2' and 'proto h2' directives
Remove 'ssl_fc_has_early' and 'ssl_fc_alpn' checks for HTTP/2
Filter malicious headers
Add header filtering rules to block bare CR, LF, and NUL characters in headers (a partial mitigation only; upgrading is the real fix).
# req.hdrs / res.hdrs expose the whole header block as a string; the rule
# must not use req.hdr_cnt, which only returns a header count.
# Single quotes keep HAProxy's config parser from expanding \r, \n and \x00
# itself (a \x00 expanded at parse time would truncate the pattern).
# The header block is serialised with CRLF between fields, so only a bare
# CR, a bare LF or a NUL can be matched; an injected complete CRLF pair is
# indistinguishable from a header boundary. \x00 in a pattern needs a
# PCRE/PCRE2 build of HAProxy. If 'haproxy -c' rejects res.hdrs on your
# release, drop the response rule.
http-request deny if { req.hdrs -m reg '\x00|\r[^\n]|[^\r]\n' }
http-response deny if { res.hdrs -m reg '\x00|\r[^\n]|[^\r]\n' }
🧯 If You Can't Patch
- Implement strict header validation at the application layer
- Deploy WAF with HTTP/2 request inspection capabilities
🔍 How to Verify
Check if Vulnerable:
Check the HAProxy version with 'haproxy -v'. If the version is below 2.0.10 and HTTP/2 is enabled, the system is vulnerable.
Check Version:
haproxy -v | head -1
Verify Fix Applied:
Verify that the version is 2.0.10 or higher with 'haproxy -v', then test that HTTP/2 functionality remains operational.
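The check above, scripted as an added example (not code from the advisory or from the HAProxy project): it parses the first line of 'haproxy -v', scans the configuration text for the 'alpn h2' / 'proto h2' directives named in the workaround section, and applies the advisory's criterion literally (version below 2.0.10 with HTTP/2 enabled). Function names, the sample version string and the sample configuration are constructed, and /etc/haproxy/haproxy.cfg is an assumed default path.

```python
"""Apply the advisory's vulnerability criterion for CVE-2019-19330:
HAProxy version below 2.0.10 with HTTP/2 enabled.

Added example, not HAProxy project code. Function names, sample strings
and the default config path are assumptions."""
import re
import subprocess
from typing import Optional, Tuple

FIXED_VERSION = (2, 0, 10)
DEFAULT_CONFIG_PATH = '/etc/haproxy/haproxy.cfg'  # assumed default location

# First line of 'haproxy -v' looks like "HA-Proxy version 2.0.9 2019/11/05 - ..."
VERSION_RE = re.compile(r'version\s+(\d+)\.(\d+)(?:\.(\d+))?', re.IGNORECASE)
# Directives the advisory names as enabling HTTP/2: an ALPN list that
# offers h2, or an explicit 'proto h2' on a bind/server line.
H2_DIRECTIVE_RE = re.compile(r'\balpn\s+\S*\bh2\b|\bproto\s+h2\b')


def parse_version(haproxy_v_output: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch); a dev build like '2.1-dev2' gets patch 0."""
    m = VERSION_RE.search(haproxy_v_output)
    if not m:
        return None
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def http2_enabled(config_text: str) -> bool:
    """True if the configuration enables HTTP/2; '#' comments are ignored."""
    code_only = '\n'.join(line.split('#', 1)[0] for line in config_text.splitlines())
    return H2_DIRECTIVE_RE.search(code_only) is not None


def assess(haproxy_v_output: str, config_text: str) -> dict:
    """Combine both checks into one verdict."""
    version = parse_version(haproxy_v_output)
    h2 = http2_enabled(config_text)
    vulnerable = version is not None and version < FIXED_VERSION and h2
    return {'version': version, 'http2_enabled': h2, 'vulnerable': vulnerable}


def assess_live(config_path: str = DEFAULT_CONFIG_PATH) -> Optional[dict]:
    """Run 'haproxy -v' and read the config on the local host; None if absent."""
    try:
        out = subprocess.run(['haproxy', '-v'], capture_output=True,
                             text=True, check=False).stdout
        with open(config_path, encoding='utf-8', errors='replace') as fh:
            return assess(out, fh.read())
    except (FileNotFoundError, PermissionError):
        return None


# Constructed sample inputs for an offline run.
SAMPLE_VERSION_OUTPUT = 'HA-Proxy version 2.0.9 2019/11/05 - https://haproxy.org/\n'
SAMPLE_CONFIG = """
frontend fe_https
    bind :443 ssl crt /etc/haproxy/site.pem alpn h2,http/1.1
    default_backend be_app
"""

if __name__ == '__main__':
    print('sample:', assess(SAMPLE_VERSION_OUTPUT, SAMPLE_CONFIG))
    live = assess_live()
    print('live:', live if live else 'haproxy binary or config not found')
```

The script implements only the criterion the advisory states; builds from other branches that received the fix separately should be checked against the vendor commits and distribution advisories in the references.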
📡 Detection & Monitoring
Log Indicators:
- Unusual HTTP/2 connection errors
- Malformed header warnings
- Requests with special characters in headers
Network Indicators:
- HTTP/2 requests containing CR, LF, or NUL characters in headers
- Abnormal HTTP/2 frame sequences
SIEM Query:
source="haproxy.log" AND ("malformed" OR "invalid" OR "\r" OR "\n" OR "\x00") AND "HTTP/2"
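A concrete form of the "requests with special characters in headers" indicator, as an added example that is not part of the advisory: a scanner over HAProxy HTTP log lines. It assumes the frontend uses the default HTTP log format with 'capture request header' directives, so captured values appear between '{' and '}', and relies on HAProxy writing non-printable bytes into the log as '#' followed by two hex digits (CR becomes '#0D'). The sample log lines and the function names are constructed.

```python
"""Scan HAProxy HTTP log lines for captured request headers that contain
CR, LF or NUL (the characters CVE-2019-19330 let through HTTP/2 decoding).

Added example, not HAProxy project code. Assumes the default HTTP log
format with 'capture request header' directives, and HAProxy's '#XX'
log escaping of non-printable characters."""
import re
from typing import List, Optional

# Capture block and quoted request line of an HTTP log entry.
LOG_RE = re.compile(r'\{(?P<hdrs>[^}]*)\}\s+"(?P<request>[^"]*)"')
ESCAPE_RE = re.compile(r'#([0-9A-Fa-f]{2})')
CONTROL_CHARS = {'\r': 'CR', '\n': 'LF', '\x00': 'NUL'}


def decode_capture(value: str) -> str:
    """Undo HAProxy's #XX log escaping of non-printable characters."""
    return ESCAPE_RE.sub(lambda m: chr(int(m.group(1), 16)), value)


def scan_line(line: str) -> Optional[dict]:
    """Return a finding for one log line, or None if it looks clean."""
    m = LOG_RE.search(line)
    if not m:
        return None
    headers = [decode_capture(h) for h in m.group('hdrs').split('|')]
    hits = []
    for idx, value in enumerate(headers):
        found = sorted({name for ch, name in CONTROL_CHARS.items() if ch in value})
        if found:
            hits.append({'capture_index': idx, 'chars': found})
    if not hits:
        return None
    request = m.group('request')
    return {
        'request': request,
        # HAProxy logs HTTP/2 requests with an "HTTP/2.0" version string.
        'http2': request.endswith('HTTP/2.0'),
        'hits': hits,
    }


def scan_log(lines) -> List[dict]:
    """Scan many lines; returns only the lines that carry control characters."""
    return [f for f in (scan_line(line) for line in lines) if f]


# Constructed sample lines, not real traffic. The frontend is assumed to
# capture the Host and X-Forwarded-For request headers, in that order.
SAMPLE_LOG = [
    'Nov 28 12:00:01 lb haproxy[1234]: 203.0.113.5:51234 [28/Nov/2019:12:00:01.123] '
    'fe_https~ be_app/srv1 0/0/1/2/3 200 512 - - ---- 1/1/0/0/0 0/0 '
    '{example.com|203.0.113.5} "GET /index.html HTTP/2.0"',
    'Nov 28 12:00:02 lb haproxy[1234]: 198.51.100.7:40000 [28/Nov/2019:12:00:02.456] '
    'fe_https~ be_app/srv1 0/0/1/2/3 200 512 - - ---- 1/1/0/0/0 0/0 '
    '{example.com#0D#0AX-Injected: 1|198.51.100.7} "GET /login HTTP/2.0"',
    'Nov 28 12:00:03 lb haproxy[1234]: 198.51.100.8:40001 [28/Nov/2019:12:00:03.789] '
    'fe_http be_app/srv2 0/0/1/2/3 200 512 - - ---- 1/1/0/0/0 0/0 '
    '{example.com|10.0.0.1#00} "GET / HTTP/1.1"',
]

if __name__ == '__main__':
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Only headers that the frontend captures are visible in the log, so the scanner covers exactly the headers listed in the 'capture request header' directives; the 'http2' flag lets you separate H2 frontends from H1 traffic when triaging.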
🔗 References
- https://git.haproxy.org/?p=haproxy-2.0.git;a=commit;h=ac198b92d461515551b95daae20954b3053ce87e
- https://git.haproxy.org/?p=haproxy.git;a=commit;h=146f53ae7e97dbfe496d0445c2802dd0a30b0878
- https://git.haproxy.org/?p=haproxy.git;a=commit;h=54f53ef7ce4102be596130b44c768d1818570344
- https://seclists.org/bugtraq/2019/Nov/45
- https://security.gentoo.org/glsa/202004-01
- https://tools.ietf.org/html/rfc7540#section-10.3
- https://usn.ubuntu.com/4212-1/
- https://www.debian.org/security/2019/dsa-4577