CVE-2021-40346 Overview
An integer overflow vulnerability exists in HAProxy versions 2.0 through 2.5 within the htx_add_header function. This flaw can be exploited to perform an HTTP request smuggling attack, allowing an attacker to bypass all configured http-request HAProxy ACLs and potentially other access controls. The vulnerability affects the HTX (HTTP/2 to HTTP/1.x translation) layer, which is responsible for handling HTTP header processing.
Critical Impact
Attackers can bypass all configured HAProxy ACLs and security controls through HTTP request smuggling, potentially gaining unauthorized access to protected backend resources.
Affected Products
- HAProxy versions 2.0 through 2.5 (including 2.5 dev0-dev6)
- Debian Linux 11.0
- Fedora 33 and 34
Discovery Timeline
- September 8, 2021 - CVE-2021-40346 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2021-40346
Vulnerability Analysis
The vulnerability resides in the htx_add_header() function within HAProxy's HTX subsystem. The HTX layer handles HTTP message representation and transformation, particularly important for HTTP/2 to HTTP/1.x translation. The function failed to properly validate the length of header names and values before processing them.
When processing HTTP headers, the function did not verify that header name lengths were within the expected 255-byte limit or that header values were within the 1MB limit. This missing validation allows attackers to craft specially formed HTTP requests with oversized headers that trigger an integer overflow condition. By exploiting this overflow, an attacker can manipulate how HAProxy parses HTTP requests, leading to request smuggling scenarios where the attacker's malicious request is interpreted differently by HAProxy and the backend server.
Root Cause
The root cause is a missing length check in the htx_add_header() function (CWE-190: Integer Overflow). The original code contained a FIXME comment acknowledging that validation for name.len (should be < 256 bytes) and value.len (should be < 1MB) was needed but not implemented. Without these boundary checks, specially crafted header values could cause integer overflow during memory allocation calculations, corrupting the internal HTX block structure.
Attack Vector
The attack is network-based and requires no authentication or user interaction. An attacker sends crafted HTTP requests with manipulated header lengths to a HAProxy instance. The integer overflow in header processing causes desynchronization between HAProxy's interpretation of request boundaries and the backend server's interpretation. This allows attackers to:
- Inject malicious requests that bypass HAProxy's ACL rules
- Access restricted backend endpoints
- Potentially poison caches or hijack other users' sessions
// Security patch in include/haproxy/htx.h
// BUG/MAJOR: htx: fix missing header name length check in htx_add_header/trailer
{
struct htx_blk *blk;
- /* FIXME: check name.len (< 256B) and value.len (< 1MB) */
+ if (name.len > 255 || value.len > 1048575)
+ return NULL;
+
blk = htx_add_blk(htx, HTX_BLK_HDR, name.len + value.len);
if (!blk)
return NULL;
Source: GitHub Commit
Detection Methods for CVE-2021-40346
Indicators of Compromise
- Unusually large HTTP header values (exceeding 255 bytes for names or 1MB for values) in incoming requests
- HTTP requests with multiple Content-Length headers or conflicting Content-Length and Transfer-Encoding headers
- Backend server logs showing requests that don't appear in HAProxy access logs
- Unexpected access to restricted endpoints that should be blocked by ACLs
Detection Strategies
- Monitor HAProxy access logs for anomalous request patterns, particularly requests with unusual header sizes
- Implement IDS/IPS rules to detect HTTP request smuggling patterns such as CL.TE or TE.CL desync attacks
- Deploy web application firewall (WAF) rules to block requests with oversized headers
- Compare HAProxy logs against backend server logs to identify discrepancies indicating successful smuggling attempts
Monitoring Recommendations
- Enable verbose HAProxy logging with header information capture for forensic analysis
- Set up alerts for requests attempting to access ACL-protected resources from unexpected sources
- Monitor for increased 400-series errors that may indicate smuggling attempts being blocked
- Implement network traffic analysis to detect malformed HTTP requests targeting HAProxy instances
How to Mitigate CVE-2021-40346
Immediate Actions Required
- Upgrade HAProxy to a patched version immediately (2.0.25, 2.2.17, 2.3.14, 2.4.4, or later)
- Audit HAProxy ACL configurations to identify critical access controls that may have been bypassed
- Review backend server logs for evidence of unauthorized access during the exposure window
- Consider implementing additional network segmentation to limit blast radius if exploitation occurred
Patch Information
HAProxy has released security patches addressing this vulnerability. The fix adds explicit length validation checks for header names (255 bytes maximum) and header values (1,048,575 bytes maximum) in the htx_add_header() and htx_add_trailer() functions. Apply the relevant patch for your HAProxy version:
Workarounds
- If immediate patching is not possible, implement strict request size limits at the network perimeter using firewall rules or upstream proxies
- Configure an upstream reverse proxy or WAF to reject requests with header names exceeding 255 bytes or header values exceeding 1MB
- Temporarily disable HTX mode if operationally feasible by setting option http-use-htx off (note: this may impact HTTP/2 functionality)
- Monitor all traffic to protected endpoints with enhanced logging until patching is complete
# Verify your HAProxy version
haproxy -v
# Example: Check if running a vulnerable version (2.0-2.5)
# Upgrade using your package manager
# For Debian/Ubuntu:
sudo apt update && sudo apt upgrade haproxy
# For RHEL/CentOS/Fedora:
sudo dnf update haproxy
# Restart HAProxy after upgrade
sudo systemctl restart haproxy
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
