CVE-2019-18277 - HTTP Request Smuggling vulnerability in Haproxy
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: NONE
Integrity impact: HIGH
Availability impact: NONE
Summary
A flaw was found in HAProxy before 2.0.6. In legacy mode, messages featuring a transfer-encoding header missing the "chunked" value were not being correctly rejected. The impact was limited but if combined with the "http-reuse always" setting, it could be used to help construct an HTTP request smuggling attack against a vulnerable component employing a lenient parser that would ignore the content-length header as soon as it saw a transfer-encoding one (even if not entirely valid according to the specification).
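The framing rule behind this flaw, as an added example (written for this page, not HAProxy's code): `strict_framing` applies the request body-length rules of RFC 7230 section 3.3.3, while `legacy_front_end` and `lenient_back_end` are simplified, assumed models of the two behaviours the summary describes. The request heads are constructed samples that carry headers only.

```python
import re
from typing import List, Tuple

Header = Tuple[str, str]

# Constructed request heads (headers only, no bodies) used as sample input.
CL_ONLY = (b"POST /upload HTTP/1.1\r\nHost: app.example\r\n"
           b"Content-Length: 11\r\n\r\n")
CHUNKED = (b"POST /upload HTTP/1.1\r\nHost: app.example\r\n"
           b"Transfer-Encoding: chunked\r\n\r\n")
TE_NOT_CHUNKED = (b"POST /upload HTTP/1.1\r\nHost: app.example\r\n"
                  b"Content-Length: 11\r\nTransfer-Encoding: gzip\r\n\r\n")


def parse_head(raw: bytes) -> List[Header]:
    """Return (lower-cased name, value) pairs; reject malformed header lines."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = []
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        # No colon, an empty name, or whitespace around the name (which also
        # catches obsolete line folding) is a framing hazard: refuse it.
        if not sep or not name or name != name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.lower(), value.strip()))
    return headers


def has_te(headers: List[Header]) -> bool:
    return any(n == "transfer-encoding" for n, _ in headers)


def transfer_codings(headers: List[Header]) -> List[str]:
    """All transfer codings, in order, across every Transfer-Encoding line."""
    return [c.strip().lower() for n, v in headers if n == "transfer-encoding"
            for c in v.split(",") if c.strip()]


def content_lengths(headers: List[Header]) -> List[str]:
    return [v for n, v in headers if n == "content-length"]


def strict_framing(headers: List[Header]) -> Tuple[str, str]:
    """Decide how a request body is delimited, refusing anything ambiguous."""
    codings = transfer_codings(headers)
    lengths = content_lengths(headers)
    if has_te(headers):
        if not codings or codings[-1] != "chunked":
            return "reject", "Transfer-Encoding without a final 'chunked' coding"
        if codings.count("chunked") > 1:
            return "reject", "'chunked' applied more than once"
        if lengths:
            # Policy choice of this example: refuse rather than strip the header.
            return "reject", "Transfer-Encoding and Content-Length both present"
        return "chunked", "body delimited by chunked coding"
    if lengths:
        if len(set(lengths)) > 1 or not re.fullmatch(r"[0-9]+", lengths[0]):
            return "reject", "conflicting or non-numeric Content-Length"
        return "length", lengths[0]
    return "none", "no request body"


def legacy_front_end(headers: List[Header]) -> str:
    """Assumed model of the flaw: a Transfer-Encoding lacking 'chunked' is not
    rejected, so the proxy keeps framing the body by Content-Length."""
    codings = transfer_codings(headers)
    if codings and codings[-1] == "chunked":
        return "transfer-encoding"
    return "content-length" if content_lengths(headers) else "none"


def lenient_back_end(headers: List[Header]) -> str:
    """Assumed model of the lenient parser: Content-Length is ignored as soon
    as any Transfer-Encoding header is seen, valid or not."""
    if has_te(headers):
        return "transfer-encoding"
    return "content-length" if content_lengths(headers) else "none"


def hops_disagree(raw: bytes) -> bool:
    """True when the two modelled hops pick different framing headers."""
    headers = parse_head(raw)
    return legacy_front_end(headers) != lenient_back_end(headers)


def verdict(raw: bytes) -> str:
    return strict_framing(parse_head(raw))[0]


if __name__ == "__main__":
    for label, raw in [("CL only", CL_ONLY), ("chunked", CHUNKED),
                       ("TE without chunked", TE_NOT_CHUNKED)]:
        print(f"{label:20} strict={verdict(raw):8} disagree={hops_disagree(raw)}")
```

Only the third sample makes the modelled hops disagree, and it is exactly the one the strict check rejects before it can be forwarded on a reused connection.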
Common Attack Pattern Enumeration and Classification (CAPEC)
- HTTP Request Splitting: HTTP Request Splitting (also known as HTTP Request Smuggling) is an attack pattern where an attacker attempts to insert additional HTTP requests in the body of the original (enveloping) HTTP request in such a way that the browser interprets it as one request but the web server interprets it as two. There are several ways to perform HTTP request splitting attacks. One way is to include double Content-Length headers in the request to exploit the fact that the devices parsing the request may each use a different header. Another way is to submit an HTTP request with a "Transfer-Encoding: chunked" in the request header set with setRequestHeader to allow a payload in the HTTP Request that can be considered as another HTTP Request by a subsequent parsing entity. A third way is to use the "Double CR in an HTTP header" technique. There are also a few less general techniques targeting specific parsing vulnerabilities in certain web servers.
- HTTP Request Smuggling: HTTP Request Smuggling results from the discrepancies in parsing HTTP requests between HTTP entities such as web caching proxies or application firewalls. Entities such as web servers, web caching proxies, application firewalls or simple proxies often parse HTTP requests in slightly different ways. Under specific situations where there are two or more such entities in the path of the HTTP request, a specially crafted request is seen by two attacked entities as two different sets of requests. This allows certain requests to be smuggled through to a second entity without the first one realizing it.
Nessus
NASL family: SuSE Local Security Checks
NASL id: OPENSUSE-2019-2645.NASL
description: This update for haproxy to version 2.0.10 fixes the following issues : HAProxy was updated to 2.0.10 Security issues fixed : - CVE-2019-18277: Fixed a potential HTTP smuggling in messages with transfer-encoding header missing the
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 131721
published: 2019-12-05
reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/131721
title: openSUSE Security Update : haproxy (openSUSE-2019-2645)
code:

```
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from openSUSE Security Update openSUSE-2019-2645.
#
# The text description of this plugin is (C) SUSE LLC.
#

include("compat.inc");

if (description)
{
  script_id(131721);
  script_version("1.2");
  script_cvs_date("Date: 2019/12/09");

  script_cve_id("CVE-2019-18277");

  script_name(english:"openSUSE Security Update : haproxy (openSUSE-2019-2645)");
  script_summary(english:"Check for the openSUSE-2019-2645 patch");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote openSUSE host is missing a security update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"This update for haproxy to version 2.0.10 fixes the following issues :

HAProxy was updated to 2.0.10

Security issues fixed :

  - CVE-2019-18277: Fixed a potential HTTP smuggling in
    messages with transfer-encoding header missing the
    'chunked' (bsc#1154980).

  - Fixed an improper handling of headers which could have
    led to injecting LFs in H2-to-H1 transfers creating new
    attack space (bsc#1157712)

  - Fixed an issue where HEADER frames in idle streams are
    not rejected and thus trying to decode them HAPrpxy
    crashes (bsc#1157714).

Other issue addressed :

  - Macro change in the spec file (bsc#1082318)

More information regarding the release at:
http://git.haproxy.org/?p=haproxy-2.0.git;a=commit;h=ac198b92d46151555
1b95daae20954b3053ce87e

This update was imported from the SUSE:SLE-15-SP1:Update update
project."
  );
  # http://git.haproxy.org/?p=haproxy-2.0.git;a=commit;h=ac198b92d461515551b95daae20954b3053ce87e
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?6e2d3256");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1082318");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1154980");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1157712");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1157714");
  script_set_attribute(attribute:"solution", value:"Update the affected haproxy packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:haproxy");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:haproxy-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:haproxy-debugsource");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:15.1");

  script_set_attribute(attribute:"vuln_publication_date", value:"2019/10/23");
  script_set_attribute(attribute:"patch_publication_date", value:"2019/12/04");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/12/05");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"SuSE Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/SuSE/release");
if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
if (release !~ "^(SUSE15\.1)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "15.1", release);
if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

ourarch = get_kb_item("Host/cpu");
if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
if (ourarch !~ "^(x86_64)$") audit(AUDIT_ARCH_NOT, "x86_64", ourarch);

flag = 0;

if ( rpm_check(release:"SUSE15.1", reference:"haproxy-2.0.10+git0.ac198b92-lp151.2.6.1") ) flag++;
if ( rpm_check(release:"SUSE15.1", reference:"haproxy-debuginfo-2.0.10+git0.ac198b92-lp151.2.6.1") ) flag++;
if ( rpm_check(release:"SUSE15.1", reference:"haproxy-debugsource-2.0.10+git0.ac198b92-lp151.2.6.1") ) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "haproxy / haproxy-debuginfo / haproxy-debugsource");
}
```
NASL family: SuSE Local Security Checks
NASL id: OPENSUSE-2019-2626.NASL
description: This update for haproxy to version 2.0.10 fixes the following issues : HAProxy was updated to 2.0.10 Security issues fixed : - CVE-2019-18277: Fixed a potential HTTP smuggling in messages with transfer-encoding header missing the
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 131688
published: 2019-12-04
reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/131688
title: openSUSE Security Update : haproxy (openSUSE-2019-2626)
code:

```
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from openSUSE Security Update openSUSE-2019-2626.
#
# The text description of this plugin is (C) SUSE LLC.
#

include("compat.inc");

if (description)
{
  script_id(131688);
  script_version("1.2");
  script_cvs_date("Date: 2019/12/09");

  script_cve_id("CVE-2019-18277");

  script_name(english:"openSUSE Security Update : haproxy (openSUSE-2019-2626)");
  script_summary(english:"Check for the openSUSE-2019-2626 patch");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote openSUSE host is missing a security update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"This update for haproxy to version 2.0.10 fixes the following issues :

HAProxy was updated to 2.0.10

Security issues fixed :

  - CVE-2019-18277: Fixed a potential HTTP smuggling in
    messages with transfer-encoding header missing the
    'chunked' (bsc#1154980).

  - Fixed an improper handling of headers which could have
    led to injecting LFs in H2-to-H1 transfers creating new
    attack space (bsc#1157712)

  - Fixed an issue where HEADER frames in idle streams are
    not rejected and thus trying to decode them HAPrpxy
    crashes (bsc#1157714).

Other issue addressed :

  - Macro change in the spec file (bsc#1082318)

More information regarding the release at:
http://git.haproxy.org/?p=haproxy-2.0.git;a=commit;h=ac198b92d46151555
1b95daae20954b3053ce87e

This update was imported from the SUSE:SLE-15:Update update project."
  );
  # http://git.haproxy.org/?p=haproxy-2.0.git;a=commit;h=ac198b92d461515551b95daae20954b3053ce87e
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?6e2d3256");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1082318");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1154980");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1157712");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1157714");
  script_set_attribute(attribute:"solution", value:"Update the affected haproxy packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:haproxy");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:haproxy-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:haproxy-debugsource");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:15.0");

  script_set_attribute(attribute:"vuln_publication_date", value:"2019/10/23");
  script_set_attribute(attribute:"patch_publication_date", value:"2019/12/03");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/12/04");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"SuSE Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/SuSE/release");
if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
if (release !~ "^(SUSE15\.0)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "15.0", release);
if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

ourarch = get_kb_item("Host/cpu");
if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
if (ourarch !~ "^(x86_64)$") audit(AUDIT_ARCH_NOT, "x86_64", ourarch);

flag = 0;

if ( rpm_check(release:"SUSE15.0", reference:"haproxy-2.0.10+git0.ac198b92-lp150.2.16.1") ) flag++;
if ( rpm_check(release:"SUSE15.0", reference:"haproxy-debuginfo-2.0.10+git0.ac198b92-lp150.2.16.1") ) flag++;
if ( rpm_check(release:"SUSE15.0", reference:"haproxy-debugsource-2.0.10+git0.ac198b92-lp150.2.16.1") ) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "haproxy / haproxy-debuginfo / haproxy-debugsource");
}
```
NASL family: Huawei Local Security Checks
NASL id: EULEROS_SA-2020-1105.NASL
description: According to the version of the haproxy package installed, the EulerOS installation on the remote host is affected by the following vulnerability : - A flaw was found in HAProxy before 2.0.6. In legacy mode, messages featuring a transfer-encoding header missing the
last seen: 2020-05-06
modified: 2020-02-24
plugin id: 133906
published: 2020-02-24
reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/133906
title: EulerOS 2.0 SP5 : haproxy (EulerOS-SA-2020-1105)
code:

```
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(133906);
  script_version("1.4");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/04");

  script_cve_id(
    "CVE-2019-18277"
  );

  script_name(english:"EulerOS 2.0 SP5 : haproxy (EulerOS-SA-2020-1105)");
  script_summary(english:"Checks the rpm output for the updated package.");

  script_set_attribute(attribute:"synopsis", value:
"The remote EulerOS host is missing a security update.");
  script_set_attribute(attribute:"description", value:
"According to the version of the haproxy package installed, the
EulerOS installation on the remote host is affected by the following
vulnerability :

  - A flaw was found in HAProxy before 2.0.6. In legacy
    mode, messages featuring a transfer-encoding header
    missing the 'chunked' value were not being correctly
    rejected. The impact was limited but if combined with
    the 'http-reuse always' setting, it could be used to
    help construct an HTTP request smuggling attack against
    a vulnerable component employing a lenient parser that
    would ignore the content-length header as soon as it
    saw a transfer-encoding one (even if not entirely valid
    according to the specification).(CVE-2019-18277)

Note that Tenable Network Security has extracted the preceding
description block directly from the EulerOS security advisory. Tenable
has attempted to automatically clean and format it as much as
possible without introducing additional issues.");
  # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-1105
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?47e06ba6");
  script_set_attribute(attribute:"solution", value:
"Update the affected haproxy package.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"patch_publication_date", value:"2020/02/21");
  script_set_attribute(attribute:"plugin_publication_date", value:"2020/02/24");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:haproxy");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Huawei Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp");
  script_exclude_keys("Host/EulerOS/uvp_version");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/EulerOS/release");
if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
if (release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0");

sp = get_kb_item("Host/EulerOS/sp");
if (isnull(sp) || sp !~ "^(5)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP5");

uvp = get_kb_item("Host/EulerOS/uvp_version");
if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP5", "EulerOS UVP " + uvp);

if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);

flag = 0;

pkgs = ["haproxy-1.5.18-7.h1.eulerosv2r7"];

foreach (pkg in pkgs)
  if (rpm_check(release:"EulerOS-2.0", sp:"5", reference:pkg)) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_WARNING,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "haproxy");
}
```
NASL family: Huawei Local Security Checks
NASL id: EULEROS_SA-2020-1523.NASL
description: According to the version of the haproxy package installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerability : - A flaw was found in HAProxy before 2.0.6. In legacy mode, messages featuring a transfer-encoding header missing the
last seen: 2020-05-08
modified: 2020-05-01
plugin id: 136226
published: 2020-05-01
reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/136226
title: EulerOS Virtualization for ARM 64 3.0.2.0 : haproxy (EulerOS-SA-2020-1523)
code:

```
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(136226);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/07");

  script_cve_id(
    "CVE-2019-18277"
  );

  script_name(english:"EulerOS Virtualization for ARM 64 3.0.2.0 : haproxy (EulerOS-SA-2020-1523)");
  script_summary(english:"Checks the rpm output for the updated package.");

  script_set_attribute(attribute:"synopsis", value:
"The remote EulerOS Virtualization for ARM 64 host is missing a security update.");
  script_set_attribute(attribute:"description", value:
"According to the version of the haproxy package installed, the
EulerOS Virtualization for ARM 64 installation on the remote host is
affected by the following vulnerability :

  - A flaw was found in HAProxy before 2.0.6. In legacy
    mode, messages featuring a transfer-encoding header
    missing the 'chunked' value were not being correctly
    rejected. The impact was limited but if combined with
    the 'http-reuse always' setting, it could be used to
    help construct an HTTP request smuggling attack against
    a vulnerable component employing a lenient parser that
    would ignore the content-length header as soon as it
    saw a transfer-encoding one (even if not entirely valid
    according to the specification).(CVE-2019-18277)

Note that Tenable Network Security has extracted the preceding
description block directly from the EulerOS security advisory. Tenable
has attempted to automatically clean and format it as much as
possible without introducing additional issues.");
  # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-1523
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?06a07fc0");
  script_set_attribute(attribute:"solution", value:
"Update the affected haproxy package.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"patch_publication_date", value:"2020/04/30");
  script_set_attribute(attribute:"plugin_publication_date", value:"2020/05/01");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:haproxy");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:uvp:3.0.2.0");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Huawei Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/uvp_version");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/EulerOS/release");
if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
uvp = get_kb_item("Host/EulerOS/uvp_version");
if (uvp != "3.0.2.0") audit(AUDIT_OS_NOT, "EulerOS Virtualization 3.0.2.0");
if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
if ("aarch64" >!< cpu) audit(AUDIT_ARCH_NOT, "aarch64", cpu);

flag = 0;

pkgs = ["haproxy-1.5.18-7.h1"];

foreach (pkg in pkgs)
  if (rpm_check(release:"EulerOS-2.0", reference:pkg)) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_WARNING,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "haproxy");
}
```
NASL family: Ubuntu Local Security Checks
NASL id: UBUNTU_USN-4174-1.NASL
description: It was discovered that HAproxy incorrectly handled certain HTTP requests. An attacker could possibly use this issue to a privilege escalation (Request Smuggling). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 130587
published: 2019-11-06
reporter: Ubuntu Security Notice (C) 2019 Canonical, Inc. / NASL script (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/130587
title: Ubuntu 16.04 LTS / 18.04 LTS / 19.04 / 19.10 : haproxy vulnerability (USN-4174-1)
code:

```
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-4174-1. The text
# itself is copyright (C) Canonical, Inc. See
# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered
# trademark of Canonical, Inc.
#

include("compat.inc");

if (description)
{
  script_id(130587);
  script_version("1.3");
  script_cvs_date("Date: 2019/12/17");

  script_cve_id("CVE-2019-18277");
  script_xref(name:"USN", value:"4174-1");

  script_name(english:"Ubuntu 16.04 LTS / 18.04 LTS / 19.04 / 19.10 : haproxy vulnerability (USN-4174-1)");
  script_summary(english:"Checks dpkg output for updated package.");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Ubuntu host is missing a security-related patch."
  );
  script_set_attribute(
    attribute:"description",
    value:
"It was discovered that HAproxy incorrectly handled certain HTTP
requests. An attacker could possibly use this issue to a privilege
escalation (Request Smuggling).

Note that Tenable Network Security has extracted the preceding
description block directly from the Ubuntu security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues."
  );
  script_set_attribute(attribute:"see_also", value:"https://usn.ubuntu.com/4174-1/");
  script_set_attribute(attribute:"solution", value:"Update the affected haproxy package.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:haproxy");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:18.04:-:lts");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:19.04");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:19.10");

  script_set_attribute(attribute:"vuln_publication_date", value:"2019/10/23");
  script_set_attribute(attribute:"patch_publication_date", value:"2019/11/05");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/11/06");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"Ubuntu Security Notice (C) 2019 Canonical, Inc. / NASL script (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Ubuntu Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");

  exit(0);
}


include("audit.inc");
include("ubuntu.inc");
include("misc_func.inc");

if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/Ubuntu/release");
if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
release = chomp(release);
if (! preg(pattern:"^(16\.04|18\.04|19\.04|19\.10)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 16.04 / 18.04 / 19.04 / 19.10", "Ubuntu " + release);
if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);

flag = 0;

if (ubuntu_check(osver:"16.04", pkgname:"haproxy", pkgver:"1.6.3-1ubuntu0.3")) flag++;
if (ubuntu_check(osver:"18.04", pkgname:"haproxy", pkgver:"1.8.8-1ubuntu0.7")) flag++;
if (ubuntu_check(osver:"19.04", pkgname:"haproxy", pkgver:"1.8.19-1ubuntu1.2")) flag++;
if (ubuntu_check(osver:"19.10", pkgname:"haproxy", pkgver:"2.0.5-1ubuntu0.2")) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_WARNING,
    extra      : ubuntu_report_get()
  );
  exit(0);
}
else
{
  tested = ubuntu_pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "haproxy");
}
```
NASL family: PhotonOS Local Security Checks
NASL id: PHOTONOS_PHSA-2019-2_0-0187_HAPROXY.NASL
description: An update of the haproxy package has been released.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 132542
published: 2019-12-31
reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/132542
title: Photon OS 2.0: Haproxy PHSA-2019-2.0-0187
code:

```
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from VMware Security Advisory PHSA-2019-2.0-0187. The text
# itself is copyright (C) VMware, Inc.

include('compat.inc');

if (description)
{
  script_id(132542);
  script_version("1.2");
  script_cvs_date("Date: 2020/01/02");

  script_cve_id("CVE-2019-18277");

  script_name(english:"Photon OS 2.0: Haproxy PHSA-2019-2.0-0187");

  script_set_attribute(attribute:"synopsis", value:
"The remote PhotonOS host is missing multiple security updates.");
  script_set_attribute(attribute:"description", value:
"An update of the haproxy package has been released.");
  script_set_attribute(attribute:"see_also", value:"https://github.com/vmware/photon/wiki/Security-Updates-2-187.md");
  script_set_attribute(attribute:"solution", value:
"Update the affected Linux packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-18277");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"vuln_publication_date", value:"2019/10/23");
  script_set_attribute(attribute:"patch_publication_date", value:"2019/11/14");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/12/31");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:vmware:photonos:haproxy");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:photonos:2.0");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"PhotonOS Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/PhotonOS/release", "Host/PhotonOS/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/PhotonOS/release");
if (isnull(release) || release !~ "^VMware Photon") audit(AUDIT_OS_NOT, "PhotonOS");
if (release !~ "^VMware Photon (?:Linux|OS) 2\.0(\D|$)") audit(AUDIT_OS_NOT, "PhotonOS 2.0");

if (!get_kb_item("Host/PhotonOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "PhotonOS", cpu);

flag = 0;

if (rpm_check(release:"PhotonOS-2.0", cpu:"x86_64", reference:"haproxy-2.0.6-1.ph2")) flag++;
if (rpm_check(release:"PhotonOS-2.0", cpu:"x86_64", reference:"haproxy-debuginfo-2.0.6-1.ph2")) flag++;
if (rpm_check(release:"PhotonOS-2.0", cpu:"x86_64", reference:"haproxy-doc-2.0.6-1.ph2")) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_WARNING,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "haproxy");
}
```
- NASL family: PhotonOS Local Security Checks
- NASL id: PHOTONOS_PHSA-2019-3_0-0038_HAPROXY.NASL
- description: An update of the haproxy package has been released.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 132589
- published: 2020-01-02
- reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/132589
- title: Photon OS 3.0: Haproxy PHSA-2019-3.0-0038
- code:

```
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from VMware Security Advisory PHSA-2019-3.0-0038. The text
# itself is copyright (C) VMware, Inc.

include('compat.inc');

if (description)
{
  script_id(132589);
  script_version("1.2");
  script_cvs_date("Date: 2020/01/03");

  script_cve_id("CVE-2019-18277");

  script_name(english:"Photon OS 3.0: Haproxy PHSA-2019-3.0-0038");

  script_set_attribute(attribute:"synopsis", value:
    "The remote PhotonOS host is missing multiple security updates.");
  script_set_attribute(attribute:"description", value:
    "An update of the haproxy package has been released.");
  script_set_attribute(attribute:"see_also", value:"https://github.com/vmware/photon/wiki/Security-Updates-3.0-0038.md");
  script_set_attribute(attribute:"solution", value:
    "Update the affected Linux packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-18277");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"vuln_publication_date", value:"2019/10/23");
  script_set_attribute(attribute:"patch_publication_date", value:"2019/11/05");
  script_set_attribute(attribute:"plugin_publication_date", value:"2020/01/02");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:vmware:photonos:haproxy");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:photonos:3.0");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"PhotonOS Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/PhotonOS/release", "Host/PhotonOS/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/PhotonOS/release");
if (isnull(release) || release !~ "^VMware Photon") audit(AUDIT_OS_NOT, "PhotonOS");
if (release !~ "^VMware Photon (?:Linux|OS) 3\.0(\D|$)") audit(AUDIT_OS_NOT, "PhotonOS 3.0");

if (!get_kb_item("Host/PhotonOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "PhotonOS", cpu);

flag = 0;

if (rpm_exists(rpm:"haproxy-2.0", release:"PhotonOS-3.0") &&
    rpm_check(release:"PhotonOS-3.0", cpu:"aarch64", reference:"haproxy-2.0.3-2.ph3")) flag++;
if (rpm_exists(rpm:"haproxy-2.0", release:"PhotonOS-3.0") &&
    rpm_check(release:"PhotonOS-3.0", cpu:"x86_64", reference:"haproxy-2.0.3-2.ph3")) flag++;
if (rpm_exists(rpm:"haproxy-debuginfo-2.0", release:"PhotonOS-3.0") &&
    rpm_check(release:"PhotonOS-3.0", cpu:"aarch64", reference:"haproxy-debuginfo-2.0.3-2.ph3")) flag++;
if (rpm_exists(rpm:"haproxy-debuginfo-2.0", release:"PhotonOS-3.0") &&
    rpm_check(release:"PhotonOS-3.0", cpu:"x86_64", reference:"haproxy-debuginfo-2.0.3-2.ph3")) flag++;
if (rpm_exists(rpm:"haproxy-doc-2.0", release:"PhotonOS-3.0") &&
    rpm_check(release:"PhotonOS-3.0", cpu:"aarch64", reference:"haproxy-doc-2.0.3-2.ph3")) flag++;
if (rpm_exists(rpm:"haproxy-doc-2.0", release:"PhotonOS-3.0") &&
    rpm_check(release:"PhotonOS-3.0", cpu:"x86_64", reference:"haproxy-doc-2.0.3-2.ph3")) flag++;

if (flag)
{
  security_report_v4(
    port     : 0,
    severity : SECURITY_WARNING,
    extra    : rpm_report_get()
  );
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "haproxy");
}
```
- NASL family: Red Hat Local Security Checks
- NASL id: REDHAT-RHSA-2020-1936.NASL
- description: The remote Redhat Enterprise Linux 7 / 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:1936 advisory.
  - haproxy: HTTP request smuggling issue with transfer-encoding header containing an obfuscated chunked value (CVE-2019-18277)
  - haproxy: HTTP/2 implementation vulnerable to intermediary encapsulation attacks (CVE-2019-19330)
  - haproxy: malformed HTTP/2 requests can lead to out-of-bounds writes (CVE-2020-11100)

  Note that Nessus has not tested for this issue but has instead relied only on the application
- last seen: 2020-05-08
- modified: 2020-05-05
- plugin id: 136319
- published: 2020-05-05
- reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/136319
- title: RHEL 7 / 8 : OpenShift Container Platform 4.4.3 haproxy (RHSA-2020:1936)
- code:

```
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory RHSA-2020:1936. The text
# itself is copyright (C) Red Hat, Inc.
#

include('compat.inc');

if (description)
{
  script_id(136319);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/06");

  script_cve_id("CVE-2019-18277", "CVE-2019-19330", "CVE-2020-11100");
  script_xref(name:"RHSA", value:"2020:1936");

  script_name(english:"RHEL 7 / 8 : OpenShift Container Platform 4.4.3 haproxy (RHSA-2020:1936)");
  script_summary(english:"Checks the rpm output for the updated packages");

  script_set_attribute(attribute:"synopsis", value:
"The remote Red Hat host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The remote Redhat Enterprise Linux 7 / 8 host has packages installed that are affected by multiple vulnerabilities as
referenced in the RHSA-2020:1936 advisory.

  - haproxy: HTTP request smuggling issue with transfer-
    encoding header containing an obfuscated chunked value
    (CVE-2019-18277)

  - haproxy: HTTP/2 implementation vulnerable to
    intermediary encapsulation attacks (CVE-2019-19330)

  - haproxy: malformed HTTP/2 requests can lead to out-of-
    bounds writes (CVE-2020-11100)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://cwe.mitre.org/data/definitions/444.html");
  script_set_attribute(attribute:"see_also", value:"https://cwe.mitre.org/data/definitions/20.html");
  script_set_attribute(attribute:"see_also", value:"https://cwe.mitre.org/data/definitions/20.html");
  script_set_attribute(attribute:"see_also", value:"https://cwe.mitre.org/data/definitions/787.html");
  script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2020:1936");
  script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2019-18277");
  script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2019-19330");
  script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2020-11100");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/1759697");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/1777584");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/1819111");
  script_set_attribute(attribute:"solution", value:
"Update the affected haproxy-debugsource and / or haproxy20 packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-19330");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_cwe_id(20, 444, 787);

  script_set_attribute(attribute:"vuln_publication_date", value:"2019/10/23");
  script_set_attribute(attribute:"patch_publication_date", value:"2020/05/04");
  script_set_attribute(attribute:"plugin_publication_date", value:"2020/05/05");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:redhat:openshift:4.4");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:redhat:openshift:4.4::el7");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:redhat:openshift:4.4::el8");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:8");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:haproxy-debugsource");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:haproxy20");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Red Hat Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");

  exit(0);
}

include('audit.inc');
include('global_settings.inc');
include('misc_func.inc');
include('rpm.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item('Host/RedHat/release');
if (isnull(release) || 'Red Hat' >!< release) audit(AUDIT_OS_NOT, 'Red Hat');
os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');
os_ver = os_ver[1];
if (! preg(pattern:"^(7|8)([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, 'Red Hat 7.x / 8.x', 'Red Hat ' + os_ver);

if (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);

pkgs = [
    {'reference':'haproxy20-2.0.13-3.el7', 'cpu':'x86_64', 'release':'7'},
    {'reference':'haproxy-debugsource-2.0.13-3.el8', 'cpu':'x86_64', 'release':'8'},
    {'reference':'haproxy20-2.0.13-3.el8', 'cpu':'x86_64', 'release':'8'}
];

flag = 0;
foreach package_array ( pkgs ) {
  reference = NULL;
  release = NULL;
  sp = NULL;
  cpu = NULL;
  el_string = NULL;
  rpm_spec_vers_cmp = NULL;
  epoch = NULL;
  if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
  if (!empty_or_null(package_array['release'])) release = 'RHEL' + package_array['release'];
  if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];
  if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];
  if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];
  if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];
  if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];
  if (reference && release) {
    if (rpm_spec_vers_cmp) {
      if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:TRUE)) flag++;
    }
    else
    {
      if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch)) flag++;
    }
  }
}

if (flag)
{
  security_report_v4(
      port     : 0,
      severity : SECURITY_HOLE,
      extra    : rpm_report_get() + redhat_report_package_caveat()
  );
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'haproxy-debugsource / haproxy20');
}
```
- NASL family: Red Hat Local Security Checks
- NASL id: REDHAT-RHSA-2020-1725.NASL
- description: The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:1725 advisory.
  - haproxy: HTTP request smuggling issue with transfer-encoding header containing an obfuscated chunked value (CVE-2019-18277)
  - haproxy: HTTP/2 implementation vulnerable to intermediary encapsulation attacks (CVE-2019-19330)

  Note that Nessus has not tested for this issue but has instead relied only on the application
- last seen: 2020-04-30
- modified: 2020-04-28
- plugin id: 136052
- published: 2020-04-28
- reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/136052
- title: RHEL 8 : haproxy (RHSA-2020:1725)
- code:

```
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory RHSA-2020:1725. The text
# itself is copyright (C) Red Hat, Inc.
#

include('compat.inc');

if (description)
{
  script_id(136052);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/04/29");

  script_cve_id("CVE-2019-18277", "CVE-2019-19330");
  script_xref(name:"RHSA", value:"2020:1725");

  script_name(english:"RHEL 8 : haproxy (RHSA-2020:1725)");
  script_summary(english:"Checks the rpm output for the updated packages");

  script_set_attribute(attribute:"synopsis", value:
"The remote Red Hat host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as
referenced in the RHSA-2020:1725 advisory.

  - haproxy: HTTP request smuggling issue with transfer-
    encoding header containing an obfuscated chunked value
    (CVE-2019-18277)

  - haproxy: HTTP/2 implementation vulnerable to
    intermediary encapsulation attacks (CVE-2019-19330)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://cwe.mitre.org/data/definitions/444.html");
  script_set_attribute(attribute:"see_also", value:"https://cwe.mitre.org/data/definitions/20.html");
  script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2020:1725");
  script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2019-18277");
  script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2019-19330");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/1759697");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/1777584");
  script_set_attribute(attribute:"solution", value:
"Update the affected haproxy and / or haproxy-debugsource packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-19330");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_cwe_id(20, 444);

  script_set_attribute(attribute:"vuln_publication_date", value:"2019/10/23");
  script_set_attribute(attribute:"patch_publication_date", value:"2020/04/28");
  script_set_attribute(attribute:"plugin_publication_date", value:"2020/04/28");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:redhat:enterprise_linux:8");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:redhat:enterprise_linux:8::appstream");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:8");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:haproxy");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:haproxy-debugsource");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Red Hat Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");

  exit(0);
}

include('audit.inc');
include('global_settings.inc');
include('misc_func.inc');
include('rpm.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item('Host/RedHat/release');
if (isnull(release) || 'Red Hat' >!< release) audit(AUDIT_OS_NOT, 'Red Hat');
os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');
os_ver = os_ver[1];
if (! preg(pattern:"^8([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, 'Red Hat 8.x', 'Red Hat ' + os_ver);

if (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);

pkgs = [
    {'reference':'haproxy-1.8.23-3.el8', 'cpu':'aarch64', 'release':'8'},
    {'reference':'haproxy-1.8.23-3.el8', 'cpu':'s390x', 'release':'8'},
    {'reference':'haproxy-1.8.23-3.el8', 'cpu':'x86_64', 'release':'8'},
    {'reference':'haproxy-debugsource-1.8.23-3.el8', 'cpu':'aarch64', 'release':'8'},
    {'reference':'haproxy-debugsource-1.8.23-3.el8', 'cpu':'s390x', 'release':'8'},
    {'reference':'haproxy-debugsource-1.8.23-3.el8', 'cpu':'x86_64', 'release':'8'}
];

flag = 0;
foreach package_array ( pkgs ) {
  reference = NULL;
  release = NULL;
  sp = NULL;
  cpu = NULL;
  el_string = NULL;
  rpm_spec_vers_cmp = NULL;
  epoch = NULL;
  if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
  if (!empty_or_null(package_array['release'])) release = 'RHEL' + package_array['release'];
  if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];
  if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];
  if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];
  if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];
  if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];
  if (reference && release) {
    if (rpm_spec_vers_cmp) {
      if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:TRUE)) flag++;
    }
    else
    {
      if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch)) flag++;
    }
  }
}

if (flag)
{
  security_report_v4(
      port     : 0,
      severity : SECURITY_HOLE,
      extra    : rpm_report_get() + redhat_report_package_caveat()
  );
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'haproxy / haproxy-debugsource');
}
```
References
- https://nathandavison.com/blog/haproxy-http-request-smuggling
- https://usn.ubuntu.com/4174-1/
- http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00016.html
- http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00019.html
- https://lists.debian.org/debian-lts-announce/2022/05/msg00045.html
- https://www.mail-archive.com/haproxy%40formilux.org/msg34926.html
- https://git.haproxy.org/?p=haproxy-2.0.git%3Ba=commit%3Bh=196a7df44d8129d1adc795da020b722614d6a581