Bug 2169089 (CVE-2023-25725)

Summary: CVE-2023-25725 haproxy: request smuggling attack in HTTP/1 header parsing
Product: [Other] Security Response
Reporter: Nick Tait <ntait>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: alisci, amctagga, andeshmu, aoconnor, askrabec, bniver, dfreiber, flucifre, gmeno, hhorak, jburrell, jjung, jorton, mbenjamin, mhackett, msalle, redhat-bugzilla, rogbas, rohara, security-response-team, sostapov, torben, vereddy, vkumar, zmiele
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: HAProxy 2.0.31, HAProxy 2.2.29, HAProxy 2.4.22, HAProxy 2.5.12, HAProxy 2.6.9, HAProxy 2.7.3, HAProxy 2.8-dev4
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in HAProxy's header processing that causes HAProxy to drop important header fields such as Connection, Content-Length, Transfer-Encoding, and Host after having partially processed them. A maliciously crafted HTTP request could be used in an HTTP request smuggling attack to bypass filtering and detection by HAProxy.
Last Closed: 2023-05-18 06:44:53 UTC
Bug Depends On: 2169509, 2169510, 2169511, 2169532, 2169533, 2169534, 2169535, 2169823, 2170060, 2172591, 2172592, 2174174, 2174175
Bug Blocks: 2169088

Description Nick Tait 2023-02-11 17:47:59 UTC
I will attach the patch to this flaw, but there may be an even newer patch available from the reporter (Willy Tarreau).

Summary from the initial report:
There is a serious bug in haproxy's HTTP/1 header parser which unfortunately accepts an empty header name ... The impact is that some mandatory headers could be dropped after their presence was confirmed ... resulting in a request smuggling attack. Also this empty header could be used to make a transfer-encoding or content-length disappear while the internal parser still thinks it's there since it was seen ... I guess some (attackers) might be creative enough to exploit it ...

The fix ... applies well as far as v2.0 ...

I would like to propose an early coordinated release date ...
Tuesday 14th 7pm CET ...
it shouldn't take long for some attackers to figure out how to exploit this to bypass some URL checks
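
The check the fix implies, as an added example that is not HAProxy's code and not part of this bug report: a strict HTTP/1 field-name validator that rejects the empty header name described above instead of silently dropping the headers that follow it, run over two constructed requests (sample input is made up here).

```python
import re

# RFC 9110: field-name = token, and a token is one or more tchar.
# An empty name (a line starting with ':') therefore never matches.
TCHAR_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def validate_header_block(raw: bytes):
    """Parse an HTTP/1 request head; return (accepted, reason, headers).

    The whole request is rejected on the first malformed field line, so
    framing headers (Content-Length, Transfer-Encoding) are either fully
    parsed or the request never reaches the backend.
    """
    try:
        head = raw.split(b"\r\n\r\n", 1)[0].decode("ascii")
    except UnicodeDecodeError:
        return False, "non-ASCII bytes in request head", {}
    lines = head.split("\r\n")
    if len(lines[0].split(" ")) != 3:
        return False, "malformed request line", {}
    headers = {}
    for line in lines[1:]:
        if line[:1] in (" ", "\t"):
            return False, "obsolete line folding", {}
        name, sep, value = line.partition(":")
        if not sep:
            return False, f"field line without colon: {line!r}", {}
        if not TCHAR_RE.match(name):
            # Covers the empty name as well as whitespace or other non-tchar.
            return False, f"invalid or empty field name: {name!r}", {}
        headers.setdefault(name.lower(), []).append(value.strip())
    return True, "ok", headers


# Constructed sample requests (not taken from the advisory).
GOOD = b"GET / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 0\r\n\r\n"
BAD = b"GET / HTTP/1.1\r\nHost: example.test\r\n: x\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    for label, req in (("good", GOOD), ("bad", BAD)):
        accepted, reason, hdrs = validate_header_block(req)
        print(label, accepted, reason, sorted(hdrs))
```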

Comment 10 Zack Miele 2023-02-14 17:16:02 UTC
Created haproxy tracking bugs for this issue:

Affects: fedora-all [bug 2169823]

Comment 11 Zack Miele 2023-02-15 14:47:17 UTC
Created haproxy18 tracking bugs for this issue:

Affects: epel-all [bug 2170060]

Comment 19 Torben Hørup 2023-03-07 17:53:09 UTC
When can we expect you to release a patched version? Today it's 3 weeks since CVE-2023-25725 was published.

Comment 21 errata-xmlrpc 2023-03-21 11:48:00 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2023:1268 https://access.redhat.com/errata/RHSA-2023:1268

Comment 22 errata-xmlrpc 2023-04-11 14:24:43 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:1696 https://access.redhat.com/errata/RHSA-2023:1696

Comment 26 errata-xmlrpc 2023-04-25 10:24:11 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:1978 https://access.redhat.com/errata/RHSA-2023:1978

Comment 27 errata-xmlrpc 2023-05-17 22:53:45 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2023:1325 https://access.redhat.com/errata/RHSA-2023:1325

Comment 28 Product Security DevOps Team 2023-05-18 06:44:50 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2023-25725

Comment 29 Zack Miele 2023-05-25 22:23:47 UTC
Increasing this impact to Important after reconsideration. While the difficulty of creating an effective attack on sites behind HAProxy is largely dependent on the site's architecture, the difficulty to affect the Integrity of specially crafted data passed through HAProxy itself is low.

Comment 30 Robert Scheck 2023-06-18 11:50:43 UTC
Why do you consider RHEL 8 at https://access.redhat.com/security/cve/cve-2023-25725 to be "not affected"? As per https://security-tracker.debian.org/tracker/CVE-2023-25725, Debian backported the fix for this vulnerability to HAProxy 1.8 (included in 1.8.19-1+deb10u4).

> The fix ... applies well as far as v2.0 ...

If this is the cause, then I would like to remind that HAProxy 1.8 reached its end-of-life in Q4/2022 at upstream, see https://www.haproxy.org/. From my understanding, upstream does not evaluate the applicability of security flaws for unmaintained HAProxy releases (this one was raised in Q1/2023).

Comment 31 Robert Scheck 2023-06-18 19:51:34 UTC
See also: https://www.mail-archive.com/haproxy@formilux.org/msg43229.html

> The problem affects all versions at different degrees: […] non-HTX versions (1.9 and before, or 2.0 in legacy mode) will not drop the header, but will nonetheless pass the faulty request as-is to a server. This means that, while such versions will not be abused to attack a server, if placed at the edge they are not sufficient to protect an internal HAProxy instance either.

Comment 32 errata-xmlrpc 2024-02-08 16:58:10 UTC
This issue has been addressed in the following products:

  Red Hat Ceph Storage 5.3

Via RHSA-2024:0746 https://access.redhat.com/errata/RHSA-2024:0746