CVE-2021-40346
📋 TL;DR
CVE-2021-40346 is an integer overflow vulnerability in HAProxy's HTTP header processing that enables HTTP request smuggling attacks. This allows attackers to bypass HAProxy's security ACLs (access control lists) and potentially smuggle malicious requests to backend servers. Organizations using HAProxy 2.0 through 2.5 as a reverse proxy or load balancer are affected.
💻 Affected Systems
- HAProxy
📦 What is this software?
Fedora by Fedoraproject
Haproxy by Haproxy
⚠️ Risk & Real-World Impact
Worst Case
Attackers bypass all HAProxy security controls, smuggle malicious HTTP requests to backend servers, potentially leading to data theft, privilege escalation, or backend compromise.
Likely Case
HTTP request smuggling that bypasses HAProxy ACLs, allowing unauthorized access to protected resources or manipulation of backend application behavior.
If Mitigated
Limited impact if backend applications have their own robust security controls and input validation, though HAProxy's security layer is compromised.
🎯 Exploit Status
Exploitation requires sending specially crafted HTTP requests; public proof-of-concept exists in security advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.0.24, 2.2.17, 2.3.14, 2.4.4, 2.5.0
Vendor Advisory: https://git.haproxy.org/?p=haproxy.git
Restart Required: Yes
Instructions:
1. Download the patched version from haproxy.org.
2. Stop the HAProxy service.
3. Install the new version.
4. Restart the HAProxy service.
5. Verify the version and functionality.
🔧 Temporary Workarounds
Disable HTX mode
Switch from HTX to legacy HTTP mode, which is not affected by this vulnerability.
Add 'no option http-use-htx' to global section of haproxy.cfg
🧯 If You Can't Patch
- Implement WAF (Web Application Firewall) in front of HAProxy to detect and block HTTP smuggling attempts
- Strengthen backend application security controls and input validation to mitigate impact of smuggled requests
🔍 How to Verify
Check if Vulnerable:
Check the HAProxy version: if it is between 2.0 and 2.5 inclusive and has not been updated to one of the fixed versions, the system is vulnerable.
Check Version:
haproxy -v
Verify Fix Applied:
Verify that the HAProxy version matches one of the patched versions (2.0.24, 2.2.17, 2.3.14, 2.4.4, or 2.5.0+) and test HTTP request processing.
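The version check above can be scripted so it can run across a fleet. The following is an added example and not part of this advisory or of HAProxy itself: it parses the first line of `haproxy -v` (both the older "HA-Proxy version" and the newer "HAProxy version" banner spellings) and classifies the build against the fixed versions listed above. The version strings in the tests are constructed samples; a branch inside 2.0 to 2.5 with no fixed release listed here (2.1) is treated as vulnerable, and versions outside that range are reported as outside the advisory's stated scope rather than as safe.

```shell
#!/bin/sh
# Added example (not from the advisory): classify a HAProxy version string
# against the fixed versions this advisory lists: 2.0.24, 2.2.17, 2.3.14,
# 2.4.4, 2.5.0.

# First fixed release for a given major.minor branch; empty if none is listed.
fixed_for_branch() {
  case "$1" in
    2.0) echo 2.0.24 ;;
    2.2) echo 2.2.17 ;;
    2.3) echo 2.3.14 ;;
    2.4) echo 2.4.4 ;;
    2.5) echo 2.5.0 ;;
    *)   echo "" ;;
  esac
}

# Pull "X.Y.Z" out of a banner line such as
#   "HA-Proxy version 2.4.3-1ppa1~focal 2021/08/17 - https://haproxy.org/"
#   "HAProxy version 2.5.0 2021/11/23 - https://haproxy.org/"
# Prints nothing if the line does not look like a haproxy -v banner.
extract_version() {
  printf '%s\n' "$1" |
    sed -n 's/^HA-\{0,1\}Proxy version \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Prints one of: fixed, vulnerable, not-in-range, unparsed. Always returns 0
# so callers decide how to react to each classification.
classify_version() {
  ver=$(extract_version "$1")
  if [ -z "$ver" ]; then
    echo unparsed
    return 0
  fi
  major=${ver%%.*}
  rest=${ver#*.}
  minor=${rest%%.*}
  patch=${rest#*.}

  # Advisory scope is 2.0 through 2.5 inclusive.
  if [ "$major" -ne 2 ] || [ "$minor" -gt 5 ]; then
    echo not-in-range
    return 0
  fi

  fixed=$(fixed_for_branch "$major.$minor")
  if [ -z "$fixed" ]; then
    # Branch in scope but with no fixed release listed (2.1): assume vulnerable.
    echo vulnerable
    return 0
  fi

  # Same branch, so comparing the patch component is sufficient.
  fixed_patch=${fixed##*.}
  if [ "$patch" -ge "$fixed_patch" ]; then
    echo fixed
  else
    echo vulnerable
  fi
  return 0
}

# Run against the locally installed binary when one is present.
check_local_haproxy() {
  if command -v haproxy >/dev/null 2>&1; then
    banner=$(haproxy -v 2>/dev/null | head -n 1)
    printf 'CVE-2021-40346: %s (%s)\n' "$(classify_version "$banner")" "$banner"
  else
    echo 'CVE-2021-40346: haproxy binary not found in PATH'
  fi
}

check_local_haproxy
```

Run it on each load balancer host; anything reported as `vulnerable` needs the patch or workaround, and `not-in-range` only means the build is outside the 2.0 to 2.5 range this advisory covers.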
📡 Detection & Monitoring
Log Indicators:
- Unusual HTTP request patterns, malformed headers, ACL bypass attempts in HAProxy logs
Network Indicators:
- HTTP requests with abnormal header sizes or structures that could trigger integer overflow
SIEM Query:
Search for HAProxy logs containing 'htx_add_header' errors or abnormal HTTP status codes from backend mismatches
🔗 References
- https://git.haproxy.org/?p=haproxy.git
- https://github.com/haproxy/haproxy/commit/3b69886f7dcc3cfb3d166309018e6cfec9ce2c95
- https://jfrog.com/blog/critical-vulnerability-in-haproxy-cve-2021-40346-integer-overflow-enables-http-smuggling/
- https://lists.apache.org/thread.html/r284567dd7523f5823e2ce995f787ccd37b1cc4108779c50a97c79120%40%3Cdev.cloudstack.apache.org%3E
- https://lists.apache.org/thread.html/r8a58fd7a29808e5d27ee56877745e58dc4bb041b9af94601554e2a5a%40%3Cdev.cloudstack.apache.org%3E
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/A7V2IYO22LWVBGUNZWVKNTMDV4KINLFO/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MXTSBY2TEAXWZVFQM3CXHJFRONX7PEMN/
- https://www.debian.org/security/2021/dsa-4968
- https://www.mail-archive.com/haproxy%40formilux.org
- https://www.mail-archive.com/haproxy%40formilux.org/msg41114.html