In hpack_dht_insert in hpack-tbl.c in the HPACK decoder in HAProxy 1.8 through 2.x before 2.1.4, a remote attacker can write arbitrary bytes around a certain location on the heap via a crafted HTTP/2 request, possibly causing remote code execution.
Recent assessments:
3dcyber at April 23, 2020 1:18pm UTC reported:
This vulnerability affects HAProxy and does not require prior authentication as indicated by the CVSS score. Hopefully there is an update to the CVSS.
This vulnerability allows RCE when HTTP2 is enabled on HAProxy. There is a PoC exploit created by the researcher who discovered the vulnerability.
Note that in some solutions HTTP2 on HAProxy may be enabled by default.
To defend against this vulnerability:
HAproxy patches can be applied.
As workaroud you can disable HTTP2.
Assessed Attacker Value: 4
Assessed Attacker Value: 4Assessed Attacker Value: 4
lists.opensuse.org/opensuse-security-announce/2020-04/msg00002.html
packetstormsecurity.com/files/157323/haproxy-hpack-tbl.c-Out-Of-Bounds-Write.html
www.haproxy.org
bugzilla.redhat.com/show_bug.cgi?id=1819111
bugzilla.suse.com/show_bug.cgi?id=1168023
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11100
git.haproxy.org/?p=haproxy.git;a=commit;h=5dfc5d5cd0d2128d77253ead3acf03a421ab5b88
git.haproxy.org?p=haproxy.git;a=commit;h=5dfc5d5cd0d2128d77253ead3acf03a421ab5b88
lists.debian.org/debian-security-announce/2020/msg00052.html
lists.fedoraproject.org/archives/list/[email protected]/message/264C7UL3X7L7QE74ZJ557IOUFS3J4QQC
lists.fedoraproject.org/archives/list/[email protected]/message/264C7UL3X7L7QE74ZJ557IOUFS3J4QQC/
lists.fedoraproject.org/archives/list/[email protected]/message/MNW5RZLIX7LOXRLV7WMHX22CI43XSXKW
lists.fedoraproject.org/archives/list/[email protected]/message/MNW5RZLIX7LOXRLV7WMHX22CI43XSXKW/
security.gentoo.org/glsa/202012-22
usn.ubuntu.com/4321-1
usn.ubuntu.com/4321-1/
www.debian.org/security/2020/dsa-4649
www.haproxy.org/download/2.1/src/CHANGELOG
www.mail-archive.com/[email protected]/msg36876.html