Bug 1189366 (CVE-2021-39241) - VUL-0: CVE-2021-39241: haproxy: Spaces in the ":method" field
Summary: VUL-0: CVE-2021-39241: haproxy: Spaces in the ":method" field
Status: RESOLVED FIXED
Alias: CVE-2021-39241
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P2 - High / Severity: Normal
Target Milestone: ---
Assignee: Shapbot Shapbotson
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/306924/
Whiteboard: CVSSv3.1:SUSE:CVE-2021-39241:7.5:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2021-08-12 05:55 UTC by Robert Frohl
Modified: 2024-05-23 10:10 UTC
CC List: 9 users

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Comment 11 Swamp Workflow Management 2021-08-17 19:33:46 UTC
SUSE-SU-2021:2768-1: An update that contains security fixes can now be installed.

Category: security (important)
Bug References: 1189366
CVE References: 
JIRA References: 
Sources used:
SUSE Linux Enterprise High Availability 15-SP1 (src):    haproxy-2.0.14-8.19.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 12 Swamp Workflow Management 2021-08-17 19:36:23 UTC
SUSE-SU-2021:2769-1: An update that contains security fixes can now be installed.

Category: security (important)
Bug References: 1189366
CVE References: 
JIRA References: 
Sources used:
SUSE Linux Enterprise High Availability 15 (src):    haproxy-2.0.14-3.27.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 13 Robert Frohl 2021-08-18 06:28:55 UTC
Narrowing the scope of the bug to the issue that affects SLE:

1) CVE-2021-39241: Spaces in the ":method" field

The first problem is based on the ":method" field. By passing a space in
the method, it is possible to build an invalid HTTP/1 request on the
backend side, which some lenient servers might possibly interpret as valid,
resulting in a different request between the one seen by haproxy and by the
server. This might be abused to circumvent some switching rules for example,
and get a request to be routed to a wrong server. Example:

   H2 request
     :method: "GET /admin? HTTP/1.1"
     :path:   "/static/images"

HAProxy would route all "/static" requests to the static server farm,
but once the request is reassembled it would become this:

   GET /admin? HTTP/1.1 /static/images HTTP/1.1

This is not valid but if a server fails to properly validate this input,
it might be fooled into thinking this is a request for /admin.

Please note that HTTP/2 backend servers are not affected as the request is
sent as a new ":method" field there. Additionally, dangerous characters
like CR, LF or NUL are always blocked on input so it is not possible to
perform a request smuggling attack, and the risks are limited to HTTP/1
servers which fail to properly parse the request line (note that all
major server implementations are safe against this).

A workaround for this issue for those having to rely on possibly unsafe
servers is to reject invalid characters in the method by placing such a
filtering rule on the request path either in the frontend or the backend:

   http-request reject if { method -m reg [^A-Z0-9] }

A second workaround that may only be used on version 2.0 consists in
disabling the HTX internal representation in the affected backends and
the frontends that route to them:

   no option http-use-htx

This will have for effect to transform the HTTP/2 requests to HTTP/1 that
will then be submitted to the internal HTTP/1 parser which will reject
the poorly formatted request. This older representation called "legacy"
is not available any more in version 2.1 and above, and is not compatible
with HTTP/2 nor FastCGI backend servers.

This issue affects all versions from 2.0 and above, in HTX mode, with
HTTP/1 on the server side.


References:

https://nvd.nist.gov/vuln/detail/CVE-2021-39241
https://www.mail-archive.com/haproxy@formilux.org/msg41041.html
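The following is an added illustration and is not part of the comment above nor code from the haproxy project. It models, in plain Python, the three parties the advisory describes: a frontend that routes on ":path" and then rebuilds an HTTP/1 request line from the H2 pseudo-headers without validating ":method", a lenient backend that splits the line on whitespace and keeps the first two fields, and a strict backend that applies the RFC 7230 request-line grammar. It also mirrors the advisory's `method -m reg [^A-Z0-9]` workaround so its effect can be compared with a plain RFC token check. The farm names, the sample H2 request and all function names are constructed for this example.

```python
"""
Added example (not haproxy code): how a space in the HTTP/2 ":method"
pseudo-header survives HTX reassembly into an HTTP/1 request line, how a
lenient backend misreads the result, and the checks that stop it.
All names and the sample request are constructed for this illustration.
"""
import re

# RFC 7230 "tchar": the characters permitted in an HTTP method token.
# Space, CR, LF and NUL are all outside this set.
_TCHAR_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")

# The advisory's workaround ACL `method -m reg [^A-Z0-9]` is stricter than
# tchar: it rejects anything that is not an upper-case letter or digit.
_WORKAROUND_RE = re.compile(r"[^A-Z0-9]")


def is_token_method(method: str) -> bool:
    """True if the method is a valid RFC 7230 token (no whitespace/controls)."""
    return bool(_TCHAR_RE.fullmatch(method))


def workaround_acl_rejects(method: str) -> bool:
    """Mirror of `http-request reject if { method -m reg [^A-Z0-9] }`."""
    return _WORKAROUND_RE.search(method) is not None


def route_by_path(path: str) -> str:
    """Toy switching rule (constructed): /static/* to the static farm,
    everything else to the application farm."""
    return "static_farm" if path.startswith("/static") else "app_farm"


def reassemble_h1_request_line(method: str, path: str) -> str:
    """Build the HTTP/1 request line from the H2 pseudo-headers with no
    validation of the method: the pre-fix behaviour the advisory describes."""
    return f"{method} {path} HTTP/1.1"


def lenient_parse_request_line(line: str) -> tuple[str, str]:
    """A lenient backend: split on any whitespace, keep the first two
    fields and silently ignore the rest."""
    parts = line.split()
    return parts[0], parts[1]


def strict_parse_request_line(line: str) -> tuple[str, str, str]:
    """RFC 7230 request-line = method SP request-target SP HTTP-version.
    Exactly three single-space-separated fields and a token method;
    raises ValueError otherwise."""
    parts = line.split(" ")
    if len(parts) != 3:
        raise ValueError(f"malformed request line: {line!r}")
    method, target, version = parts
    if not is_token_method(method):
        raise ValueError(f"invalid method token: {method!r}")
    if not re.fullmatch(r"HTTP/\d\.\d", version):
        raise ValueError(f"invalid HTTP version: {version!r}")
    return method, target, version


def is_strictly_valid(line: str) -> bool:
    """Convenience wrapper: does a strict backend accept this line?"""
    try:
        strict_parse_request_line(line)
        return True
    except ValueError:
        return False


def demo_cve_2021_39241() -> dict:
    """Walk the advisory's example end to end and report who sees what."""
    h2_method = "GET /admin? HTTP/1.1"   # constructed attacker-controlled value
    h2_path = "/static/images"
    line = reassemble_h1_request_line(h2_method, h2_path)
    _, backend_target = lenient_parse_request_line(line)
    return {
        "haproxy_routes_to": route_by_path(h2_path),
        "wire_request_line": line,
        "lenient_backend_target": backend_target,
        "strict_backend_accepts": is_strictly_valid(line),
        "frontend_acl_rejects": workaround_acl_rejects(h2_method),
    }


if __name__ == "__main__":
    for key, value in demo_cve_2021_39241().items():
        print(f"{key}: {value}")
```

Running the demo shows the mismatch the advisory warns about: haproxy picks `static_farm` from ":path", the lenient backend serves `/admin?`, the strict backend refuses the five-field line, and the workaround ACL rejects the request before it leaves the frontend. The token check is the more general test (it also excludes CR, LF and NUL), but the advisory's `[^A-Z0-9]` regex is deliberately narrower and will also reject legitimate methods containing a hyphen such as `M-SEARCH`, which is worth knowing before deploying it on a frontend that must pass such methods.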
Comment 14 Swamp Workflow Management 2021-08-18 19:16:57 UTC
SUSE-SU-2021:2773-1: An update that contains security fixes can now be installed.

Category: security (important)
Bug References: 1189366
CVE References: 
JIRA References: 
Sources used:
SUSE Linux Enterprise High Availability 15-SP3 (src):    haproxy-2.0.14-11.7.1
SUSE Linux Enterprise High Availability 15-SP2 (src):    haproxy-2.0.14-11.7.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 15 Swamp Workflow Management 2021-08-18 19:18:03 UTC
openSUSE-SU-2021:2773-1: An update that contains security fixes can now be installed.

Category: security (important)
Bug References: 1189366
CVE References: 
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    haproxy-2.0.14-11.7.1
Comment 16 Swamp Workflow Management 2021-08-19 19:17:48 UTC
openSUSE-SU-2021:1167-1: An update that contains security fixes can now be installed.

Category: security (important)
Bug References: 1189366
CVE References: 
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    haproxy-2.0.14-lp152.2.3.1
Comment 17 Alexander Bergmann 2024-05-23 10:10:35 UTC
All released. Closing bug.