#VU98829 Spoofing attack in HAProxy - CVE-2024-49214

Cybersecurity Help s.r.o.

Published: 2024-10-21

Vulnerability identifier: #VU98829

Vulnerability risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-49214

CWE-ID: CWE-451

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
HAProxy
Server applications / IDS/IPS systems, Firewalls and proxy servers

Vendor: HAProxy

Description

The vulnerability allows a remote attacker to perform spoofing attack.

The vulnerability exists due QUIC allows opening a 0-RTT session with a spoofed IP address. A remote attacker can spoof their IP address and bypass implemented IP-based security restrictions.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

HAProxy: 2.9.0 - 2.9.10, 3.0.0 - 3.0.4

External links
https://www.haproxy.org/download/3.1/src/CHANGELOG
https://github.com/haproxy/haproxy/commit/f627b9272bd8ffca6f2f898bfafc6bf0b84b7d46
https://www.mail-archive.com/haproxy%40formilux.org/msg45291.html
https://www.mail-archive.com/haproxy%40formilux.org/msg45314.html
https://www.mail-archive.com/haproxy%40formilux.org/msg45315.html
https://www.haproxy.org/download/3.0/src/CHANGELOG
https://www.haproxy.org/download/2.9/src/CHANGELOG

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

openEuler 24.03 LTS update for haproxy

IP address spoofing in HAProxy