Cryptographic issues in HAProxy

#VU18432 Cryptographic issues in HAProxy

Published: 2019-05-11

Vulnerability identifier: #VU18432

Vulnerability risk: Medium

CVSSv3.1: 4.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-11323

CWE-ID: CWE-310

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
HAProxy
Server applications / IDS/IPS systems, Firewalls and proxy servers

Vendor: HAProxy

Description

The vulnerability allows a remote attacker to bypass certain security restrictions.

The vulnerability exists due to incorrect reload with rotated keys, that results in usage of uninitialized, and very predictable, HMAC keys. A remote attacker can send a specially crafted request to the application and force it to use weak encryption.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

HAProxy: 1.9.0 - 1.9.6, 1.8.0 - 1.8.20, 1.7.0 - 1.7.11, 1.3.0 - 1.3.28.14, 1.2.0 - 1.2.18, 1.6.0 - 1.6.14, 1.5.0 - 1.5.19, 1.4.0 - 1.4.27, 1.1.0 - 1.1.34, 1.0.0 - 1.0.2

External links
http://git.haproxy.org/?p=haproxy.git;a=commit;h=8ef706502aa2000531d36e4ac56dbdc7c30f718d
http://www.mail-archive.com/haproxy@formilux.org/msg33410.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Security restrictions bypass in HAProxy