CVE-2020-11100 Overview
A critical heap-based out-of-bounds write vulnerability exists in the HPACK decoder component of HAProxy, specifically within the hpack_dht_insert function in hpack-tbl.c. This vulnerability affects HAProxy versions 1.8 through 2.x before 2.1.4. A remote attacker can exploit this flaw by sending a specially crafted HTTP/2 request, allowing them to write arbitrary bytes around a certain location on the heap. Successful exploitation could lead to remote code execution, granting attackers complete control over the affected load balancer or reverse proxy server.
Critical Impact
Remote attackers can achieve arbitrary code execution on HAProxy servers by exploiting the HPACK decoder flaw via malicious HTTP/2 requests, potentially compromising all traffic routed through the affected proxy.
Affected Products
- HAProxy versions 1.8.x through 2.0.x
- HAProxy versions 2.1.x before 2.1.4
- Debian Linux 10.0
- Red Hat OpenShift Container Platform 3.11 and 4.0
- Fedora 30 and 31
- Ubuntu Linux 18.04 LTS and 19.10
- openSUSE Leap 15.1
Discovery Timeline
- April 2, 2020 - CVE-2020-11100 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2020-11100
Vulnerability Analysis
The vulnerability resides in HAProxy's implementation of HPACK, the header compression algorithm used in HTTP/2. HPACK maintains a dynamic table for storing recently used header fields to improve compression efficiency. The vulnerable function hpack_dht_insert in hpack-tbl.c is responsible for inserting new entries into this dynamic header table.
When processing HTTP/2 requests, the HPACK decoder fails to properly validate boundaries during table insertion operations. This oversight allows an authenticated remote attacker to manipulate the heap memory layout by sending crafted HTTP/2 requests containing malicious HPACK-encoded headers. The attacker can write arbitrary bytes to heap locations adjacent to the dynamic table structure, corrupting neighbouring heap metadata or application data.
The vulnerability is particularly dangerous because HAProxy often operates as a front-end load balancer or reverse proxy, sitting at a critical position in network infrastructure. Compromising HAProxy could allow attackers to intercept, modify, or redirect all traffic passing through the proxy, affecting numerous downstream services and users.
Root Cause
The root cause of CVE-2020-11100 is an out-of-bounds write vulnerability (CWE-787) in the HPACK dynamic header table implementation. The hpack_dht_insert function does not properly validate the size and boundaries when inserting entries into the dynamic table. When an attacker provides specially crafted header values that exceed expected boundaries, the function writes data beyond the allocated heap buffer.
The flaw stems from insufficient bounds checking in the table management code, where the calculated write offset can exceed the allocated buffer size. This allows controlled memory corruption, which attackers can leverage to overwrite heap metadata, function pointers, or other critical data structures.
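The check the root-cause analysis says is missing, shown on a simplified dynamic table. This is an added example written for this page, not HAProxy's hpack-tbl.c (whose in-place table layout differs); the DHT_MAX_ENTRIES slot cap and the entry and ring names are assumptions of the example. It computes the RFC 7541 entry size with wrap-around checks, empties the table without writing when an entry can never fit, and evicts until the byte budget holds before a single byte is copied.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define DHT_MAX_ENTRIES 32        /* hypothetical slot cap chosen for this example */
#define HPACK_ENTRY_OVERHEAD 32   /* RFC 7541 4.1: entry size = nlen + vlen + 32 */

struct dht_entry { char *buf; uint32_t nlen, vlen; }; /* name then value in buf */
struct dht {
    struct dht_entry ring[DHT_MAX_ENTRIES]; /* ring buffer, oldest entry at 'tail' */
    uint32_t tail, used, size, max_size;    /* oldest slot, live entries, RFC bytes */
};
static void dht_init(struct dht *t, uint32_t max) { memset(t, 0, sizeof(*t)); t->max_size = max; }

static void dht_evict_oldest(struct dht *t)
{
    struct dht_entry *e = &t->ring[t->tail];
    t->size -= e->nlen + e->vlen + HPACK_ENTRY_OVERHEAD;
    free(e->buf);
    t->tail = (t->tail + 1) % DHT_MAX_ENTRIES; t->used--;
}

/* Returns 1 if stored, 0 if legally dropped (RFC 7541 4.4: an entry larger than the
 * whole table empties it and is not added), -1 on size wrap or allocation failure. */
static int dht_insert(struct dht *t, const char *name, uint32_t nlen,
                      const char *value, uint32_t vlen)
{
    struct dht_entry *e; uint32_t esz;
    /* Validate the size arithmetic before any byte is written. */
    if (nlen > UINT32_MAX - HPACK_ENTRY_OVERHEAD ||
        vlen > UINT32_MAX - HPACK_ENTRY_OVERHEAD - nlen)
        return -1;                        /* nlen + vlen + 32 would wrap */
    esz = nlen + vlen + HPACK_ENTRY_OVERHEAD;
    if (esz > t->max_size) {              /* can never fit: flush, write nothing */
        while (t->used) dht_evict_oldest(t);
        return 0;
    }
    /* Evict oldest entries until the byte budget and slot cap hold (size <= max_size). */
    while (esz > t->max_size - t->size || t->used == DHT_MAX_ENTRIES)
        dht_evict_oldest(t);
    e = &t->ring[(t->tail + t->used) % DHT_MAX_ENTRIES];
    if (!(e->buf = malloc((size_t)nlen + vlen + 1)))
        return -1;
    memcpy(e->buf, name, nlen);
    memcpy(e->buf + nlen, value, vlen);
    e->nlen = nlen; e->vlen = vlen;
    t->used++; t->size += esz;
    return 1;
}
```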
Attack Vector
The attack is network-accessible and requires low-privilege authenticated access to the HAProxy server. The attacker must be able to send HTTP/2 requests to the vulnerable HAProxy instance. The attack sequence involves:
- Establishing an HTTP/2 connection to the target HAProxy server
- Sending crafted HTTP/2 requests with malicious HPACK-encoded headers
- Triggering the out-of-bounds write in hpack_dht_insert
- Corrupting heap memory to achieve code execution or cause denial of service
The vulnerability requires no user interaction and can be exploited remotely over the network. Given that HAProxy is typically exposed to the internet as a front-end proxy, the attack surface is significant.
The malicious HTTP/2 request triggers improper memory operations in the HPACK decoder. The attacker crafts header field entries that cause the hpack_dht_insert function to write beyond allocated boundaries. For detailed technical analysis, refer to the Packet Storm security advisory and the HAProxy git commit #5dfc5d5 that addresses this issue.
Detection Methods for CVE-2020-11100
Indicators of Compromise
- Unexpected HAProxy process crashes or restarts, particularly when processing HTTP/2 traffic
- Anomalous HTTP/2 requests with unusually large or malformed HPACK-encoded headers in access logs
- Memory corruption indicators such as segmentation faults in HAProxy error logs
- Unusual outbound network connections from the HAProxy server indicating potential post-exploitation activity
Detection Strategies
- Monitor HAProxy logs for HTTP/2 connection anomalies and unexpected protocol errors
- Implement network intrusion detection rules to identify malformed HTTP/2 frames with suspicious HPACK payloads
- Deploy endpoint detection and response (EDR) solutions to detect heap corruption and anomalous process behavior
- Configure web application firewalls to inspect and validate HTTP/2 traffic before reaching HAProxy
Monitoring Recommendations
- Enable detailed logging for HTTP/2 connections in HAProxy configuration
- Set up alerting for HAProxy service interruptions or unexpected restarts
- Monitor system memory usage patterns for anomalies that could indicate heap corruption attempts
- Implement centralized log collection to correlate suspicious HTTP/2 traffic patterns across multiple HAProxy instances
How to Mitigate CVE-2020-11100
Immediate Actions Required
- Upgrade HAProxy to version 2.1.4 or later immediately on all affected systems
- If immediate patching is not possible, consider temporarily disabling HTTP/2 support until patches can be applied
- Review firewall rules to restrict access to HAProxy management interfaces
- Audit HAProxy configurations across your infrastructure to identify all vulnerable instances
Patch Information
HAProxy has released version 2.1.4 which addresses this vulnerability. The fix is documented in the HAProxy Changelog and implemented in commit 5dfc5d5. Major Linux distributions have also released security updates:
- Debian: DSA-4649
- Ubuntu: USN-4321-1
- Red Hat: Bug #1819111
- openSUSE: Security Announcement
- Gentoo: GLSA 202012-22
Workarounds
- Disable HTTP/2 support by removing alpn h2 and npn h2 from HAProxy bind directives as a temporary mitigation
- Place a web application firewall or additional reverse proxy in front of HAProxy to filter malicious HTTP/2 requests
- Implement network segmentation to limit exposure of HAProxy instances to untrusted networks
- Consider using HTTP/1.1 only mode until patches can be applied to production systems
# Temporary workaround: disable HTTP/2 in the HAProxy configuration
# Edit haproxy.cfg and remove "h2" from the alpn (and any npn) list on each bind line
# Before (vulnerable, HTTP/2 offered via ALPN):
# bind *:443 ssl crt /etc/ssl/cert.pem alpn h2,http/1.1
# After (HTTP/2 disabled, HTTP/1.1 only):
# bind *:443 ssl crt /etc/ssl/cert.pem alpn http/1.1
# Validate the edited configuration before applying it
sudo haproxy -c -f /etc/haproxy/haproxy.cfg
# Restart HAProxy after the configuration change
sudo systemctl restart haproxy
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.