Haproxy < v3.1-dev6 - Denial of Service (DoS) via Trigger of Infinite Loop in HTTP/2 Multiplexer (CVE-2024-45506)

Description

Background & Context

HAProxy is free and open-source software that provides a high-availability, high-performance load balancer and proxy (forward proxy, reverse proxy) for TCP and HTTP-based applications, spreading requests across multiple servers. It is written in C and has a reputation for being fast and efficient in terms of processor and memory usage. In testing, 64-core ARM servers were shown to reach 2 million requests per second and 100 Gbit/s throughput.

HAProxy Enterprise Edition is an enterprise-class version of HAProxy that includes an enterprise suite of add-ons, expert support, and professional services. HAProxy Technologies also offers 'ALOHA', a plug-and-play load-balancing appliance built on HAProxy that provides a graphical interface and a templating system used to deploy and configure the appliance.

Vulnerability Summary

HAProxy contains a high priority security vulnerability. The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.

HAProxy can enter an endless loop in the h2_send() function if a processing error requiring a GOAWAY is reported with an almost full output buffer when no more progress can be made on the input buffer due to an incomplete frame while many streams are transmitting data in parallel in zero-copy mode. What happens in this case is that the output buffer is cleared (due to the error) while still leaving the full indication that prevents output data from being considered, and no condition to exit the loop is met. In this case the loop will be interrupted by the watchdog which will kill the process after two seconds.

Impact If Exploited

An infinite loop causes unexpected consumption of resources such as CPU cycles or memory. The software may slow down or take a long time to respond. A remote attacker is able to trigger a Denial of Service (DoS), rendering any services fronted by HAProxy unavailable to legitimate customers. A DoS attack could disrupt the load balancing of critical services, potentially bringing down entire systems during high-traffic periods. For organizations depending on HAProxy for traffic distribution and high availability, even a temporary crash could result in significant financial and operational losses.

Threat Landscape & Known Exploitation

This vulnerability has not been listed by CISA (America's Cyber Defense Agency) in its 'KEV' (Known Exploited Vulnerabilities) catalogue as known to be actively exploited in the wild as of 2024-09-10; however, the vendor itself has confirmed that the vulnerability is currently being actively exploited.

At the time of writing, the vulnerability has an EPSS score of 0.86%, indicating a high risk of exploitation. As such, remediation should be prioritised in any impacted environment.

Affected Product Versions

  • HAProxy 2.9.x branch prior to release 2.9.10

  • HAProxy 3.0.x branch prior to release 3.0.4

  • HAProxy 3.1.x branch prior to release 3.1-dev6

  • HAProxy Enterprise 2.9r1 prior to release hapee-2.9r1-lb 1.0.0-328.475

  • HAProxy ALOHA 16.0 prior to release 16.0.4

  • HAProxy Kubernetes Ingress Controller 3.0 prior to release 3.0.1

  • HAProxy Kubernetes Ingress Controller 1.11 prior to release 1.11.6

  • HAProxy Enterprise Kubernetes Ingress Controller 1.11 prior to release 1.11.6-ee7

  • HAProxy Enterprise Kubernetes Ingress Controller 1.7 prior to release 1.7.12-ee12

NOTE: This flaw impacts all HAProxy-based products, including Enterprise, ALOHA, and Kubernetes Ingress Controllers.

Indicators of Compromise (IoC)

The vendor has not published a list of indicators of compromise (IoC) at the time of writing.

Remediation

Official Fix & Remediation Guidance

Customers are advised to upgrade to the latest version of the impacted product. Updates to the product can be obtained via many operating systems' built-in package managers, or can be downloaded directly via the HAProxy download page found at https://www.haproxy.org/download/ or compiled from source code available at https://github.com/haproxytech/dataplaneapi/releases/latest.

NOTE: Remediation of this vulnerability by patching to a specific version indicated may not be sufficient to secure the product against further vulnerabilities discovered in later versions, subsequent to the publication of this guidance. Unless contra-indicated, customers are therefore advised to always upgrade to the latest version of the product available.

Temporary Mitigation & Workarounds

A temporary mitigation or workaround consists of disabling zero-copy forwarding for HTTP/2 by adding the directive "tune.h2.zero-copy-fwd-send off" to the global section of the HAProxy configuration.
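As an added example (not part of this advisory and not HAProxy's own tooling), the following Python script checks a `haproxy -v` output string against the affected-version ranges listed above and verifies that the workaround directive is set in the global section of a configuration. The section keyword list is an assumption covering common section types, and the sample configuration is constructed.

```python
import re
# Fixed releases per branch from this advisory; tuples compare numerically, so 2.9.9 < 2.9.10.
FIXED = {(2, 9): (2, 9, 10), (3, 0): (3, 0, 4)}
FIXED_31_DEV = 6  # 3.1-dev6 is the first fixed development snapshot
# Keywords that open a new configuration section (the common ones); any of them ends "global".
SECTION_RE = re.compile(r"^(global|defaults|frontend|backend|listen|peers|"
                        r"resolvers|userlist|cache|program|ring|mailers)\b")

def parse_version(text):
    """(major, minor, patch, dev) from `haproxy -v` output, e.g. 'HAProxy version 3.1-dev5'."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-dev(\d+))?", text)
    if not m:
        raise ValueError("no version number in %r" % text)
    patch = int(m.group(3)) if m.group(3) else 0
    dev = int(m.group(4)) if m.group(4) else None
    return int(m.group(1)), int(m.group(2)), patch, dev

def is_affected(version_output):
    """True if the version falls in a range the advisory lists as vulnerable."""
    major, minor, patch, dev = parse_version(version_output)
    if (major, minor) == (3, 1):  # only 3.1 dev snapshots before dev6 are listed
        return dev is not None and dev < FIXED_31_DEV
    fixed = FIXED.get((major, minor))
    if fixed is None:
        return False  # branch not named by the advisory (e.g. 2.8 LTS)
    return (major, minor, patch) < fixed

def mitigation_present(config_text):
    """True if the global section sets tune.h2.zero-copy-fwd-send off (tune.* is global-only)."""
    in_global = False
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            in_global = m.group(1) == "global"
            continue
        words = line.split()
        if in_global and words[0] == "tune.h2.zero-copy-fwd-send":
            return len(words) > 1 and words[1].lower() == "off"
    return False
# Constructed sample configuration with the workaround applied (not taken from the advisory).
SAMPLE_CONFIG = """\
global
    tune.h2.zero-copy-fwd-send off   # CVE-2024-45506 workaround until patched
frontend fe_https
    bind :443 ssl crt /etc/haproxy/site.pem alpn h2,http/1.1
"""
```

Running `is_affected` on the live `haproxy -v` output and `mitigation_present` on the deployed configuration file gives a quick per-host answer to "patched, mitigated, or exposed".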

NOTE: Caution should always be taken in applying any temporary mitigations listed. Mitigations are only recommended in cases where patches to remediate the vulnerability are not available, or cannot safely be applied to a given environment immediately. A given mitigation may not in all cases be recommended officially by the application vendor. The viability of any given temporary mitigation measure may vary, depending on server platform and existing configuration. Mitigations listed may incompletely remediate any given vulnerability. Configuration changes to implement listed mitigations may impact/disrupt required functionality within a given customer application. Care should therefore be taken to carefully analyse any listed mitigations for appropriateness to a given environment. Customers are advised to test any configuration changes prior to their being introduced into a production environment.

Risk

Impact: High
Probability: Critical
CVSS v4 Score: 9.3 / 10
CVSS v3 Score: 7.5 / 10
CVSS v2 Score: 6.4 / 10
EPSS: 0.2 %

Information

Category: Denial of Service (DOS)
CWE: CWE-835
Known Exploitation Activity

OWASP

OWASP 2013: Unknown
OWASP 2017: Unknown
OWASP 2021: Unknown