CVE-2020-11724 Overview
An HTTP Request Smuggling vulnerability was discovered in OpenResty before version 1.15.8.4. The vulnerability exists in ngx_http_lua_subrequest.c and can be exploited through the ngx.location.capture API, allowing attackers to bypass security controls and potentially gain unauthorized access to backend systems.
Critical Impact
HTTP Request Smuggling allows attackers to interfere with web application request processing, potentially bypassing security controls, accessing restricted resources, or poisoning web caches.
Affected Products
- OpenResty versions before 1.15.8.4
- Debian Linux 9.0
- Debian Linux 10.0
Discovery Timeline
- 2020-04-12 - CVE-2020-11724 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2020-11724
Vulnerability Analysis
This vulnerability is classified as CWE-444 (Inconsistent Interpretation of HTTP Requests), commonly known as HTTP Request Smuggling. The flaw originates in OpenResty's Lua Nginx module, specifically within the ngx_http_lua_subrequest.c file. The vulnerability occurs when the ngx.location.capture API improperly handles HTTP request headers, particularly the interaction between Content-Length and Transfer-Encoding: chunked headers.
HTTP Request Smuggling vulnerabilities arise when front-end and back-end servers disagree on where one request ends and another begins. In this case, the inconsistent handling of request boundaries in subrequests allows attackers to craft malicious requests that are interpreted differently by various components in the request processing chain.
Root Cause
The root cause lies in the improper handling of Content-Length and chunked transfer encoding in subrequests made via the ngx.location.capture API. When processing subrequests, the Lua module did not validate the relationship between these two headers, leaving the request boundary ambiguous. The security patch corrects how Content-Length and chunked encoding are handled in location captures so that the subrequest is framed consistently.
Attack Vector
The attack is network-based and requires no authentication or user interaction. An attacker can exploit this vulnerability by sending specially crafted HTTP requests to an OpenResty server that uses the ngx.location.capture API for subrequests. By manipulating the Content-Length and Transfer-Encoding headers, an attacker can cause the server to misinterpret request boundaries.
The exploitation technique involves sending a request with conflicting Content-Length and Transfer-Encoding: chunked headers. When the vulnerable OpenResty instance processes this request through the ngx.location.capture API, the ambiguity allows the attacker to smuggle a secondary request that may bypass security controls, access unauthorized resources, or poison cached responses.
For technical implementation details and the specific fix, refer to the GitHub Commit Update.
Detection Methods for CVE-2020-11724
Indicators of Compromise
- Unusual HTTP requests containing both Content-Length and Transfer-Encoding: chunked headers
- Unexpected access to restricted resources or backend endpoints
- Web cache anomalies or poisoned cache entries
- Log entries showing requests with malformed or conflicting header combinations
Detection Strategies
- Implement deep packet inspection to identify HTTP requests with conflicting Content-Length and Transfer-Encoding headers
- Monitor web server logs for requests targeting internal subrequest endpoints
- Deploy Web Application Firewalls (WAF) with HTTP Request Smuggling detection rules
- Use network intrusion detection systems (IDS) with signatures for HTTP desync attacks
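As an added example (not code from the advisory or from OpenResty), the following Python helper classifies a raw HTTP/1.1 request head according to the header conflicts the detection strategies above describe; the sample requests are constructed inline.

```python
import re
from typing import List, Tuple

# Added detection helper (not OpenResty code): flag request heads whose
# Content-Length / Transfer-Encoding combination is ambiguous, i.e. the
# header patterns a log or traffic review for this CVE should look for.

def parse_head(raw: bytes) -> Tuple[str, List[Tuple[str, str]]]:
    """Return the request line and an ordered list of (name, value) headers.
    Names are lower-cased; duplicates are kept so repeats can be checked."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        if line:
            name, _, value = line.partition(":")
            headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers

def framing_findings(raw: bytes) -> List[str]:
    """List the framing conflicts in a raw request; empty means consistent."""
    _, headers = parse_head(raw)
    cl = [v for n, v in headers if n == "content-length"]
    te = [v for n, v in headers if n == "transfer-encoding"]
    findings = []
    # A lenient parser may honour any TE value that contains 'chunked'.
    chunked = any(re.search(r"chunked", v, re.I) for v in te)
    if cl and chunked:
        findings.append("both Content-Length and Transfer-Encoding: chunked present")
    if len(set(cl)) > 1:
        findings.append("multiple Content-Length headers with differing values")
    if any(not re.fullmatch(r"\d+", v) for v in cl):
        findings.append("non-numeric Content-Length value")
    # Anything other than a bare 'chunked' may be honoured by one hop and
    # ignored by the next, so it is worth review even when legitimate.
    if any(v.lower() != "chunked" for v in te):
        findings.append("Transfer-Encoding value is not exactly 'chunked'")
    return findings

# Constructed sample requests (not captured traffic).
SAMPLE_CLEAN = (b"POST /api HTTP/1.1\r\nHost: app.example\r\n"
                b"Content-Length: 5\r\n\r\nhello")
SAMPLE_CL_TE = (b"POST /api HTTP/1.1\r\nHost: app.example\r\n"
                b"Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n")
SAMPLE_DUP_CL = (b"POST /api HTTP/1.1\r\nHost: app.example\r\n"
                 b"Content-Length: 5\r\nContent-Length: 10\r\n\r\nhello")
```

Feed each request head your edge proxy receives to framing_findings(); any non-empty result is a candidate for alerting or rejection.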
Monitoring Recommendations
- Enable detailed logging for OpenResty Nginx modules, particularly subrequest operations
- Monitor for anomalous patterns in HTTP request sizes and timing
- Implement alerting for requests that fail header validation checks
- Review access logs for unauthorized access to internal endpoints typically reached via ngx.location.capture
How to Mitigate CVE-2020-11724
Immediate Actions Required
- Upgrade OpenResty to version 1.15.8.4 or later immediately
- Review and audit all Lua scripts using the ngx.location.capture API
- Implement strict HTTP header validation at the edge/load balancer level
- Consider deploying a WAF with HTTP Request Smuggling protection while planning the upgrade
Patch Information
OpenResty has released security patches to address this vulnerability. The fix is available in OpenResty version 1.15.8.4 and later. Organizations should apply the update as soon as possible.
- GitHub Commit Update - Direct fix for the lua-nginx-module
- GitHub Patch for Lua Module - Patch file for version 0.10.15
For Debian users:
Workarounds
- Implement strict header validation at reverse proxy or load balancer level to reject requests with conflicting Content-Length and Transfer-Encoding headers
- Normalize incoming requests at the edge before they reach OpenResty instances
- Temporarily disable or audit usage of ngx.location.capture API in critical applications until patches are applied
- Deploy network-level protections to detect and block HTTP request smuggling attempts
# Configuration example for Nginx to reject ambiguous requests.
# Place inside the server block of nginx.conf; each `if` below only sets a
# variable or returns, which is safe usage of the directive.
# Note: nginx 1.21.1 and later reject requests carrying both headers on their
# own; this check is for older cores such as the OpenResty releases affected.
set $reject_request "";
# Reject requests with both Content-Length and Transfer-Encoding: chunked
if ($http_transfer_encoding ~* "chunked") {
    set $reject_request "chunked";
}
# Compare against the empty string: a bare `if ($http_content_length)` is false
# for the value "0", so "Content-Length: 0" plus chunked would slip through.
if ($http_content_length != "") {
    set $reject_request "${reject_request}_contentlength";
}
if ($reject_request = "chunked_contentlength") {
    return 400;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

