
WARNING: LOOP WITH UNREACHABLE EXIT CONDITION IN HAPROXY CAN BE EXPLOITED TO ACHIEVE REMOTE DENIAL OF SERVICE. ACTIVE EXPLOITATION, PATCH IMMEDIATELY!

Reference: Advisory #2024-217
Version: 1.0
Affected software:
•    HAProxy 2.9.x before 2.9.10
•    HAProxy 3.0.x before 3.0.4
•    HAProxy 3.1 development builds through 3.1-dev6
Type: Loop with Unreachable Exit Condition (CWE-835), remote denial of service
CVE/CVSS: CVE-2024-45506 / CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Sources

HAProxy: https://www.haproxy.com/blog/cve-2024-45506

HAProxy: https://www.mail-archive.com/haproxy%40formilux.org/msg45281.html

Risks

This vulnerability allows remote attackers to cause a denial of service condition in affected HAProxy installations.

This could lead to service disruptions, potentially impacting the availability of web services, load balancing, and other critical network functions that rely on HAProxy.

Description

An endless loop is possible in the HTTP/2 multiplexer when it is combined with the zero-copy forwarding system in HAProxy and HAProxy Enterprise (including the public and private cloud images).

The flaw in the HTTP/2 multiplexer allows an unauthenticated remote attacker to trigger, under very rare conditions, an endless loop in HAProxy; the affected process stops serving traffic and may crash.

Recommended Actions

Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable installations with the highest priority, after thorough testing.
Patches are available. Users should upgrade to:
•    HAProxy version 2.9.10 or later for the 2.9.x series
•    HAProxy version 3.0.4 or later for the 3.0.x series
•    the latest 3.1 development build (3.1-dev7 or later) if you run the development branch
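The following shell script is an added example for this advisory and is not code from the CCB or from the HAProxy project. It reads the version banner printed by `haproxy -v` and classifies the version against the three affected ranges listed above. Assumptions: the fix is present in 3.1-dev7 and later (implied by the affected range ending at 3.1-dev6), the sample banner line is constructed, and the `--check` flag and file name `check.sh` are illustrative.

```sh
#!/bin/sh
# Added example for CCB advisory 2024-217 (not CCB or HAProxy project code).
# Classifies a HAProxy version string against the affected ranges:
#   2.9.x  < 2.9.10,  3.0.x < 3.0.4,  3.1-dev builds up to and including 3.1-dev6.
# Exit status 0 means "affected", 1 means "not in an affected range".
# Assumption: 3.1-dev7 and later, and released 3.1.x, contain the fix.
haproxy_affected() {
  v="$1"
  case "$v" in
    2.9.*)
      # keep only the leading digits of the patch level ("9-abc123" -> "9")
      p="${v#2.9.}"; p="${p%%[!0-9]*}"
      [ "${p:-0}" -lt 10 ] ;;
    3.0.*)
      p="${v#3.0.}"; p="${p%%[!0-9]*}"
      [ "${p:-0}" -lt 4 ] ;;
    3.1-dev*)
      d="${v#3.1-dev}"; d="${d%%[!0-9]*}"
      [ "${d:-0}" -le 6 ] ;;
    *)
      # 2.8 and earlier, released 3.1.x and newer branches are not listed as affected
      return 1 ;;
  esac
}

# Pull the version token out of the first line of `haproxy -v` output.
# Old builds print "HA-Proxy version X ...", newer ones "HAProxy version X ...".
# Constructed sample line: "HAProxy version 3.0.3-95a607c 2024/07/11 - https://haproxy.org/"
haproxy_version_from_banner() {
  printf '%s\n' "$1" | sed -n '1s/^HA-\{0,1\}Proxy version \([^ ]*\).*/\1/p'
}

# Host check, run only when invoked as: sh check.sh --check
# (so the functions above can also be sourced from another script).
if [ "${1:-}" = "--check" ]; then
  ver=$(haproxy_version_from_banner "$(haproxy -v 2>&1)")
  if haproxy_affected "$ver"; then
    echo "HAProxy $ver: AFFECTED by CVE-2024-45506, upgrade or apply the workaround"
    exit 2
  else
    echo "HAProxy $ver: not in an affected range"
  fi
fi
```

The version token is compared numerically after stripping the git hash suffix that HAProxy appends (for example `3.0.3-95a607c`), so the check is not fooled by a suffix sorting before or after a plain patch number. Packaged builds (distribution packages, Enterprise images) may carry backported fixes under an older version number; confirm against the vendor's changelog before treating such a host as unpatched.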
If you are not able to update right away, you can disable the zero-copy forwarding system as a temporary mitigation; this removes the code path the loop depends on at the cost of an extra data copy per forwarded buffer. Workaround details are available via the HAProxy links in the Sources section.
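The configuration below is an added illustration of the workaround, not a fragment from the CCB advisory or from HAProxy's own documentation. It assumes a minimal `/etc/haproxy/haproxy.cfg` on an unpatched 2.9.x or 3.0.x host; the listen address, certificate path and backend server are placeholders. The directive `tune.disable-zero-copy-forwarding` is the global switch that turns off zero-copy forwarding for all multiplexers (available since 2.9); consult the configuration manual for your exact version before relying on it.

```haproxy
# Added example (not CCB or HAProxy project code): temporary mitigation for
# CVE-2024-45506 on an unpatched host. Remove the tune.* line after upgrading.
global
    log stdout format raw local0
    maxconn 4096
    # Workaround: disable the zero-copy forwarding path that the vulnerable
    # HTTP/2 multiplexer code relies on. Takes no argument.
    tune.disable-zero-copy-forwarding

defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend fe_https
    # placeholder certificate path; h2 is negotiated via ALPN, so HTTP/2
    # traffic still reaches the multiplexer, now without zero-copy forwarding
    bind :443 ssl crt /etc/haproxy/certs/site.pem alpn h2,http/1.1
    default_backend be_app

backend be_app
    server app1 10.0.0.11:8080 check
```

Validate the file with `haproxy -c -f /etc/haproxy/haproxy.cfg` before reloading the service, and expect slightly higher CPU usage per forwarded byte while the directive is in place. The mitigation reduces exposure to this specific loop; it is not a substitute for the upgrade.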

Monitor/Detect
The CCB recommends that organizations scale up their monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.


References

SecurityOnline: https://securityonline.info/haproxy-vulnerability-cve-2024-45506-under-active-exploit-urgent-patching-required/

Tenable: https://www.tenable.com/cve/CVE-2024-45506