CVE-2021-39240
📋 TL;DR
HAProxy 2.2 before 2.2.16, 2.3 before 2.3.13, and 2.4 before 2.4.3 have a URI validation vulnerability: the proxy fails to properly validate the scheme and path characters of HTTP/2 requests. This can allow attackers to bypass routing rules and reach backend servers they should not be able to access. Organizations running a vulnerable HAProxy as an HTTP/2 reverse proxy are affected.
💻 Affected Systems
- HAProxy
📦 What is this software?
Fedora by Fedoraproject
Haproxy by Haproxy
⚠️ Risk & Real-World Impact
Worst Case
Attackers could bypass security controls and routing rules to access internal services, potentially leading to data exposure, privilege escalation, or lateral movement within the network.
Likely Case
Unauthorized access to backend services that should be restricted, potentially exposing sensitive applications or data to external attackers.
If Mitigated
With proper network segmentation and additional security controls, impact is limited to potential routing rule bypass without direct access to critical systems.
🎯 Exploit Status
Exploitation requires understanding of HTTP/2 protocol and HAProxy routing configurations. No public exploit code has been released.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.2.16, 2.3.13, 2.4.3
Vendor Advisory: https://git.haproxy.org/?p=haproxy.git;a=commit;h=4b8852c70d8c4b7e225e24eb58258a15eb54c26e
Restart Required: Yes
Instructions:
1. Download the latest patched version from haproxy.org
2. Back up the current configuration
3. Install the new version
4. Restart the HAProxy service
🔧 Temporary Workarounds
Disable HTTP/2
Temporarily disable HTTP/2 support to mitigate the vulnerability
# Edit HAProxy config and remove 'alpn h2' from bind lines
# Remove 'proto h2' from server lines
Use HTTP/1.1 Only
Force all connections to use the HTTP/1.1 protocol
# Add 'option http-use-htx' and 'option force-http10' to frontend sections
🧯 If You Can't Patch
- Implement strict network segmentation to limit backend server exposure
- Add additional authentication/authorization layers before backend services
🔍 How to Verify
Check if Vulnerable:
Check HAProxy version with 'haproxy -v' and verify if using HTTP/2
Check Version:
haproxy -v | grep 'version'
Verify Fix Applied:
Verify that the installed version is 2.2.16+, 2.3.13+, or 2.4.3+ on its respective branch, then test HTTP/2 routing functionality
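As an added example (not part of the advisory or the HAProxy project's own tooling), the following POSIX shell check parses the `haproxy -v` banner, maps the version onto the fixed releases listed above, and flags whether the configuration enables HTTP/2 via `alpn h2` on bind lines or `proto h2` on bind/server lines. The banner line and config excerpt are constructed samples; replace them with the live command output and config file.

```shell
#!/bin/sh
# Constructed sample of the first line printed by `haproxy -v`; 2.2/2.3 print
# "HA-Proxy", 2.4 prints "HAProxy". Live check: haproxy -v | head -n 1
SAMPLE_VERSION_LINE='HA-Proxy version 2.3.10-4abb7ef 2021/04/23 - https://haproxy.org/'

# Constructed config excerpt; in practice read /etc/haproxy/haproxy.cfg
SAMPLE_CFG='frontend fe_https
    bind :443 ssl crt /etc/haproxy/site.pem alpn h2,http/1.1
backend be_app
    server app1 10.0.0.10:8443 ssl proto h2'

# Extract "major.minor.patch" from a `haproxy -v` banner line.
parse_haproxy_version() {
    printf '%s\n' "$1" |
        sed -n 's/^HA-*Proxy version \([0-9]*\.[0-9]*\.[0-9]*\).*/\1/p'
}

# Print "vulnerable", "fixed" or "unknown" for a version, using the branches
# and fixed releases named in the advisory: 2.2.16, 2.3.13, 2.4.3.
cve_2021_39240_status() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    case "$major.$minor" in
        2.2) fixed=16 ;;
        2.3) fixed=13 ;;
        2.4) fixed=3 ;;
        *) echo unknown; return 0 ;;
    esac
    if [ "$patch" -lt "$fixed" ]; then echo vulnerable; else echo fixed; fi
}

# Succeed if the config enables HTTP/2 (the affected parser is the H2 mux):
# "alpn ...h2..." on bind lines, or "proto h2" on bind/server lines.
config_uses_h2() {
    printf '%s\n' "$1" | grep -Eq \
        '^[[:space:]]*(bind|server)[[:space:]].*(alpn[[:space:]]+[^[:space:]]*h2|proto[[:space:]]+h2([[:space:]]|$))'
}

main() {
    ver=$(parse_haproxy_version "$SAMPLE_VERSION_LINE")
    status=$(cve_2021_39240_status "$ver")
    if config_uses_h2 "$SAMPLE_CFG"; then h2=enabled; else h2=disabled; fi
    # prints: HAProxy 2.3.10: vulnerable (HTTP/2 enabled)
    echo "HAProxy $ver: $status (HTTP/2 $h2)"
}

main
```

A result of "unknown" means the branch is outside the three the advisory covers and must be checked against the vendor's own release notes.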
📡 Detection & Monitoring
Log Indicators:
- Unusual routing patterns
- HTTP/2 requests with malformed URIs
- Access to restricted backend services
Network Indicators:
- HTTP/2 traffic bypassing expected routing rules
- Unusual backend server access patterns
SIEM Query:
source="haproxy" AND (uri_contains("..") OR uri_contains("\\") OR status_code=403)
🔗 References
- https://git.haproxy.org/?p=haproxy.git%3Ba=commit%3Bh=4b8852c70d8c4b7e225e24eb58258a15eb54c26e
- https://git.haproxy.org/?p=haproxy.git%3Ba=commit%3Bh=a495e0d94876c9d39763db319f609351907a31e8
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4ALECUZDIMT5FYGP6V6PVSI4BKVZTZWN/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RPNY4WZIQUAUOCLIMUPC37AQWNXTWIQM/
- https://www.debian.org/security/2021/dsa-4960
- https://www.mail-archive.com/haproxy%40formilux.org/msg41041.html