Security restrictions bypass in HAProxy

Published: 2019-05-11 | Updated: 2019-05-11
Severity: Medium
Patch available: YES
Number of vulnerabilities: 1
CVE ID: CVE-2019-11323
CWE ID: CWE-310
Exploitation vector: Network
Public exploit: N/A
Vulnerable software: HAProxy
Vendor: HAProxy

Security Advisory

This security advisory describes one medium-risk vulnerability.

1) Cryptographic issues

Severity: Medium

CVSSv3: 4.2 [CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2019-11323

CWE-ID: CWE-310 - Cryptographic Issues

Description

The vulnerability allows a remote attacker to bypass certain security restrictions.

The vulnerability exists because a reload with rotated keys is handled incorrectly, which results in the use of uninitialized, and very predictable, HMAC keys. A remote attacker can send a specially crafted request to the application and force it to use weak encryption.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

HAProxy: 1.0.0, 1.0.1, 1.0.2, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5, 1.1.6, 1.1.7, 1.1.8, 1.1.9, 1.1.10, 1.1.11, 1.1.12, 1.1.13, 1.1.14, 1.1.15, 1.1.16, 1.1.17, 1.1.18, 1.1.19, 1.1.20, 1.1.21, 1.1.22, 1.1.23, 1.1.24, 1.1.25, 1.1.26, 1.1.27, 1.1.28, 1.1.29, 1.1.30, 1.1.31, 1.1.32, 1.1.33, 1.1.34, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.2.5, 1.2.5.1, 1.2.5.2, 1.2.6, 1.2.7, 1.2.8, 1.2.9, 1.2.10, 1.2.10.1, 1.2.11, 1.2.11.1, 1.2.12, 1.2.13, 1.2.13.1, 1.2.14, 1.2.15, 1.2.16, 1.2.17, 1.2.18, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.4.1, 1.3.5, 1.3.6, 1.3.7, 1.3.8, 1.3.8.1, 1.3.8.2, 1.3.9, 1.3.10, 1.3.10.1, 1.3.10.2, 1.3.11, 1.3.11.1, 1.3.11.2, 1.3.11.3, 1.3.11.4, 1.3.12, 1.3.12.1, 1.3.12.2, 1.3.12.3, 1.3.12.4, 1.3.13, 1.3.13.1, 1.3.13.2, 1.3.14, 1.3.14.1, 1.3.14.2, 1.3.14.3, 1.3.14.4, 1.3.14.5, 1.3.14.6, 1.3.14.7, 1.3.14.8, 1.3.14.9, 1.3.14.10, 1.3.14.11, 1.3.14.12, 1.3.14.13, 1.3.14.14, 1.3.15, 1.3.15.1, 1.3.15.2, 1.3.15.3, 1.3.15.4, 1.3.15.5, 1.3.15.6, 1.3.15.7, 1.3.15.8, 1.3.15.9, 1.3.15.10, 1.3.15.11, 1.3.15.12, 1.3.15.13, 1.3.15.14, 1.3.16, 1.3.17, 1.3.18, 1.3.19, 1.3.20, 1.3.21, 1.3.22, 1.3.23, 1.3.24, 1.3.25, 1.3.26, 1.3.27, 1.3.28, 1.3.28.1, 1.3.28.2, 1.3.28.3, 1.3.28.4, 1.3.28.5, 1.3.28.6, 1.3.28.7, 1.3.28.8, 1.3.28.9, 1.3.28.10, 1.3.28.11, 1.3.28.12, 1.3.28.13, 1.3.28.14, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.4.5, 1.4.6, 1.4.7, 1.4.8, 1.4.9, 1.4.10, 1.4.11, 1.4.12, 1.4.13, 1.4.14, 1.4.15, 1.4.16, 1.4.17, 1.4.18, 1.4.19, 1.4.20, 1.4.21, 1.4.22, 1.4.23, 1.4.24, 1.4.25, 1.4.26, 1.4.27, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.5.5, 1.5.6, 1.5.7, 1.5.8, 1.5.9, 1.5.10, 1.5.11, 1.5.12, 1.5.13, 1.5.14, 1.5.15, 1.5.16, 1.5.17, 1.5.18, 1.5.19, 1.6.0, 1.6.1, 1.6.2, 1.6.3, 1.6.4, 1.6.5, 1.6.6, 1.6.7, 1.6.8, 1.6.9, 1.6.10, 1.6.11, 1.6.12, 1.6.13, 1.6.14, 1.7.0, 1.7.1, 1.7.2, 1.7.3, 1.7.4, 1.7.5, 1.7.6, 1.7.7, 1.7.8, 1.7.9, 1.7.10, 1.7.11, 1.8.0, 1.8.1, 1.8.2, 1.8.3, 1.8.4, 1.8.5, 1.8.6, 1.8.7, 1.8.8, 1.8.9, 1.8.10, 1.8.11, 1.8.12, 1.8.13, 1.8.14, 1.8.15, 1.8.16, 1.8.17, 1.8.18, 
1.8.19, 1.8.20, 1.9.0, 1.9.1, 1.9.2, 1.9.3, 1.9.4, 1.9.5, 1.9.6

External links

http://git.haproxy.org/?p=haproxy.git;a=commit;h=8ef706502aa2000531d36e4ac56dbdc7c30f718d
https://www.mail-archive.com/haproxy@formilux.org/msg33410.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.