CVE-2021-39242
📋 TL;DR
HAProxy mishandled a mismatch between the HTTP Host header and the request's authority (the HTTP/2 :authority pseudo-header), so the host value HAProxy used for its own routing and ACL decisions could differ from the one forwarded to the backend. An unauthenticated client can therefore influence the Host value a backend acts on, or provoke request-processing errors. Affected: HAProxy 2.2 before 2.2.16, 2.3 before 2.3.13, and 2.4 before 2.4.3.
💻 Affected Systems
- HAProxy
📦 What is this software?
Fedora by Fedoraproject
HAProxy by HAProxy
⚠️ Risk & Real-World Impact
Worst Case
An unauthenticated client reaches a backend or virtual host that host-based ACLs or use_backend rules were meant to deny, because the value the rule checked is not the value the backend acts on. Malformed Host/authority combinations can also cause request-processing errors.
Likely Case
An attacker sends requests whose Host header and authority disagree to steer traffic to an unintended backend or to slip past a Host-based restriction.
If Mitigated
Once a fixed version is running, HAProxy reconciles Host and :authority itself and the inconsistency is gone. Host allow-list ACLs remain worthwhile as defence in depth, but they are not a substitute for the upgrade.
🎯 Exploit Status
Exploitation needs only the ability to send a crafted HTTP request (an HTTP/2 request carrying both an :authority pseudo-header and a conflicting Host header) to an exposed listener; no authentication is required. Stock HTTP clients do not emit such a request, so a custom client or raw HTTP/2 framing is needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.2.16, 2.3.13, 2.4.3 or later
Upstream Fix Commit: https://git.haproxy.org/?p=haproxy.git;a=commit;h=b5d2b9e154d78e4075db163826c5e0f6d31b2ab1
Restart Required: Yes
Instructions:
1. Obtain a fixed release (2.2.16, 2.3.13, 2.4.3 or later) from haproxy.org, or the patched package from your distribution (Debian: DSA-4960; Fedora: the package-announce advisories in the references).
2. Stop the HAProxy service.
3. Install the updated version.
4. Restart HAProxy and confirm the running binary with `haproxy -v`. Distribution packages backport the fix without changing the upstream version string, so check the package changelog for CVE-2021-39242 in that case.
🔧 Temporary Workarounds
Input Validation Filter
Add an ACL that allows only the Host values this frontend is meant to serve and denies everything else:
    # Example ACL in haproxy.cfg (frontend section):
    acl valid_host req.hdr(host) -i example.com
    http-request deny if !valid_host
List every hostname the frontend legitimately serves (e.g. www.example.com as well as example.com), or the rule will deny real traffic. This constrains the Host header value HAProxy evaluates; it does not by itself reconcile Host with :authority, so it narrows the exposure rather than closing it.
🧯 If You Can't Patch
- Enforce a Host allow-list with HAProxy ACLs as above (defence in depth, not a fix)
- If the frontend does not need HTTP/2, drop `alpn h2` from its `bind` line so clients negotiate HTTP/1.1; the mishandled :authority/Host combination arises in HAProxy's HTTP/2 request handling
- A WAF or reverse proxy in front of HAProxy helps only if it terminates the client connection itself and forwards a normalized request with a single, consistent host value; a pass-through filter does not
🔍 How to Verify
Check if Vulnerable:
Check the running version with `haproxy -v` (the first line reads `HA-Proxy version X.Y.Z ...`, or `HAProxy version X.Y.Z ...` on 2.4) and compare it against the affected ranges. Distribution packages backport the fix without changing the upstream version, so on Debian/Fedora also check the package changelog, e.g. `apt changelog haproxy | grep CVE-2021-39242` or `rpm -q --changelog haproxy | grep CVE-2021-39242`.
Check Version:
haproxy -v | grep version
Verify Fix Applied:
The version is 2.2.16+, 2.3.13+ or 2.4.3+, or the package changelog names CVE-2021-39242. A functional test needs a client that emits an HTTP/2 request with an :authority and a conflicting Host header, which curl and browsers do not do (they derive :authority from the URL or map Host into it), so the version and changelog check is the practical verification.
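The following is an added example, not code from the page or the HAProxy project: it parses the banner printed by `haproxy -v` and decides whether the upstream version falls in one of the affected ranges above. The sample banners are constructed (both the older `HA-Proxy` and the 2.4 `HAProxy` spelling), and the branch-not-listed case is treated as not affected only because the advisory does not name other branches. The `assess_local_haproxy` helper is an assumption about how you would run it on a host; distro packages that backport the fix will still report as vulnerable here and must be confirmed against the package changelog.

```python
import re
import subprocess

# Upstream releases that carry the fix for CVE-2021-39242 (from the advisory).
FIXED_IN = {(2, 2): 16, (2, 3): 13, (2, 4): 3}

# Constructed sample output of `haproxy -v`. Older branches print "HA-Proxy",
# 2.4 prints "HAProxy"; the parser accepts both spellings.
SAMPLE_BANNERS = {
    "lts-old": (
        "HA-Proxy version 2.2.14-1 2021/01/01 - https://haproxy.org/\n"
        "Status: long-term supported branch.\n"
    ),
    "lts-fixed": "HA-Proxy version 2.2.16-1 2021/01/01 - https://haproxy.org/\n",
    "current-old": "HAProxy version 2.4.2-1 2021/01/01 - https://haproxy.org/\n",
    "current-fixed": "HAProxy version 2.4.3-1 2021/01/01 - https://haproxy.org/\n",
    "unlisted": "HA-Proxy version 2.0.23-1 2021/01/01 - https://haproxy.org/\n",
}

VERSION_RE = re.compile(r"HA-?Proxy version (\d+)\.(\d+)\.(\d+)", re.IGNORECASE)


def parse_version(banner):
    """Return (major, minor, patch) from the first line of `haproxy -v` output.

    Suffixes such as "-1" or "-dev3" after the patch number are ignored.
    """
    m = VERSION_RE.search(banner)
    if m is None:
        raise ValueError("no HAProxy version banner found")
    return tuple(int(g) for g in m.groups())


def is_vulnerable(version):
    """True when the upstream version lies in an affected range.

    Branches the advisory does not list (2.0, 2.5 and later) return False
    solely because they are not named as affected.
    """
    major, minor, patch = version
    fixed = FIXED_IN.get((major, minor))
    return fixed is not None and patch < fixed


def assess_banner(banner):
    """Parse a banner and report the version string and verdict."""
    v = parse_version(banner)
    return {"version": "%d.%d.%d" % v, "vulnerable": is_vulnerable(v)}


def assess_local_haproxy(binary="haproxy"):
    """Run `haproxy -v` on this host and assess it (hypothetical helper).

    Distribution packages (Debian, Fedora) backport the fix without bumping
    the upstream version, so confirm a 'vulnerable' verdict against the
    package changelog before acting on it.
    """
    out = subprocess.run([binary, "-v"], capture_output=True, text=True, check=True).stdout
    return assess_banner(out)


if __name__ == "__main__":
    for name, banner in SAMPLE_BANNERS.items():
        print(name, assess_banner(banner))
    try:
        print("local", assess_local_haproxy())
    except (FileNotFoundError, subprocess.CalledProcessError) as exc:
        print("local check skipped:", exc)
```

Feed `haproxy -v` output from each load balancer into `assess_banner` (for example over SSH) to get a fleet-wide list; treat the result as a first pass and confirm backported packages via their changelog.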
📡 Detection & Monitoring
Log Indicators:
HAProxy's default HTTP log line does not include the Host header; add `capture request header Host len 64` to the frontend (the value then appears in braces before the request line) before relying on any of these:
- Captured Host values outside the set of hostnames the frontend serves (IP literals, internal names, unexpected ports)
- Request lines in absolute-URI form whose authority differs from the captured Host
- Denials by the Host-validation ACL (termination state `PR--` with the deny status)
Network Indicators:
- HTTP/2 requests carrying both an :authority pseudo-header and a Host header with different values (visible only where TLS is terminated or inspected before HAProxy)
- Backend traffic whose Host header does not match the route that delivered it
SIEM Query (pseudo-query; field names depend on your log parser):
source="haproxy" AND captured_host!="" AND NOT captured_host IN (expected_hosts)
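The detection logic above rendered as an added example (not from the page or the HAProxy project): it parses HAProxy's default HTTP log format with a Host capture enabled and flags three things: a captured Host outside an allow-list, an absolute-URI request line whose authority disagrees with the captured Host, and requests the proxy itself denied (`PR` termination state). The allow-list and the log lines are constructed for the example; real field positions depend on your `log-format`, so adjust `LOG_RE` if you have customized it.

```python
import re
from urllib.parse import urlsplit

# Hostnames this frontend is meant to serve (assumption for the example).
ALLOWED_HOSTS = {"www.example.com", "example.com"}

# Constructed sample lines in HAProxy's default HTTP log format with
# "capture request header Host len 64" on the frontend, so the captured
# Host appears in braces before the quoted request line.
SAMPLE_LOG = """\
Aug 17 10:00:01 lb haproxy[1234]: 203.0.113.5:51234 [17/Aug/2021:10:00:01.123] fe_https~ be_app/web1 0/0/1/2/3 200 512 - - ---- 1/1/0/0/0 0/0 {www.example.com} "GET /index.html HTTP/2.0"
Aug 17 10:00:02 lb haproxy[1234]: 198.51.100.7:40001 [17/Aug/2021:10:00:02.456] fe_https~ be_admin/admin1 0/0/1/2/3 200 128 - - ---- 1/1/0/0/0 0/0 {admin.internal} "GET /console HTTP/2.0"
Aug 17 10:00:03 lb haproxy[1234]: 198.51.100.7:40002 [17/Aug/2021:10:00:03.789] fe_https~ be_app/web1 0/0/1/2/3 200 512 - - ---- 1/1/0/0/0 0/0 {www.example.com} "GET https://admin.internal/console HTTP/1.1"
Aug 17 10:00:04 lb haproxy[1234]: 203.0.113.9:51300 [17/Aug/2021:10:00:04.000] fe_https~ fe_https/<NOSRV> 0/-1/-1/-1/0 403 188 - - PR-- 1/1/0/0/0 0/0 {evil.example.net} "GET / HTTP/1.1"
"""

# Default HTTP log format:
# %ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc
# %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r
LOG_RE = re.compile(
    r"haproxy\[\d+\]: (?P<client>\S+):\d+ \[[^\]]+\] (?P<frontend>\S+) "
    r"(?P<backend>\S+)/(?P<server>\S+) \S+ (?P<status>\d+) \d+ \S+ \S+ "
    r"(?P<flags>\S{4}) \S+ \S+ \{(?P<host>[^}]*)\} "
    r'"(?P<method>\S+) (?P<target>\S+) (?P<version>\S+)"'
)


def analyse_line(line):
    """Return a finding record for one log line, or None if it does not parse."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    # Drop an explicit port; IPv6 literals in Host are not handled here.
    host = m["host"].split(":")[0].lower()
    findings = []
    if host not in ALLOWED_HOSTS:
        findings.append("unexpected-host")
    target = m["target"]
    if target.startswith(("http://", "https://")):
        # Absolute-URI request line: its authority should agree with Host.
        authority = (urlsplit(target).hostname or "").lower()
        if authority != host:
            findings.append("host-authority-mismatch")
    # Termination state "PR": the proxy aborted the request itself,
    # which is what an http-request deny produces.
    if m["flags"].startswith("PR"):
        findings.append("acl-denied")
    return {
        "client": m["client"],
        "host": m["host"],
        "backend": m["backend"],
        "status": int(m["status"]),
        "target": target,
        "findings": findings,
    }


def scan(log_text):
    """Return the records that carry at least one finding, in log order."""
    results = []
    for line in log_text.splitlines():
        rec = analyse_line(line)
        if rec and rec["findings"]:
            results.append(rec)
    return results


if __name__ == "__main__":
    for rec in scan(SAMPLE_LOG):
        print(rec["client"], rec["host"], rec["backend"], rec["findings"])
```

Pipe `journalctl -u haproxy` or the syslog file into `scan` and alert on `host-authority-mismatch` first: an allow-listed Host paired with a different authority is the pattern this CVE is about, whereas `unexpected-host` alone is often just scanners.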
🔗 References
- https://git.haproxy.org/?p=haproxy.git;a=commit;h=b5d2b9e154d78e4075db163826c5e0f6d31b2ab1 (upstream fix commit)
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4ALECUZDIMT5FYGP6V6PVSI4BKVZTZWN/ (Fedora package announcement)
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RPNY4WZIQUAUOCLIMUPC37AQWNXTWIQM/ (Fedora package announcement)
- https://www.debian.org/security/2021/dsa-4960 (Debian DSA-4960)
- https://www.mail-archive.com/haproxy@formilux.org/msg41041.html (HAProxy mailing list announcement)