Vulnerabilities > CVE-2019-18277 - HTTP Request Smuggling vulnerability in Haproxy

CVSS 7.5 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

NONE

Integrity impact

HIGH

Availability impact

NONE

network

low complexity

haproxy

CWE-444

nessus

NVD

Published: 2019-10-23

Updated: 2023-11-07

Summary

A flaw was found in HAProxy before 2.0.6. In legacy mode, messages featuring a transfer-encoding header missing the "chunked" value were not being correctly rejected. The impact was limited but if combined with the "http-reuse always" setting, it could be used to help construct an HTTP request smuggling attack against a vulnerable component employing a lenient parser that would ignore the content-length header as soon as it saw a transfer-encoding one (even if not entirely valid according to the specification).

Vulnerable Configurations

Part	Description	Count
Application	Haproxy Haproxy Haproxy - Haproxy Haproxy 1.0.0 Haproxy Haproxy 1.0.1 Haproxy Haproxy 1.0.2 Haproxy Haproxy 1.1.0 Haproxy Haproxy 1.1.1 Haproxy Haproxy 1.1.2 Haproxy Haproxy 1.1.3 Haproxy Haproxy 1.1.4 Haproxy Haproxy 1.1.5 Haproxy Haproxy 1.1.6 Haproxy Haproxy 1.1.7 Haproxy Haproxy 1.1.8 Haproxy Haproxy 1.1.9 Haproxy Haproxy 1.1.10 Haproxy Haproxy 1.1.11 Haproxy Haproxy 1.1.12 Haproxy Haproxy 1.1.13 Haproxy Haproxy 1.1.14 Haproxy Haproxy 1.1.15 Haproxy Haproxy 1.1.16 Haproxy Haproxy 1.1.17 Haproxy Haproxy 1.1.18 Haproxy Haproxy 1.1.19 Haproxy Haproxy 1.1.20 Haproxy Haproxy 1.1.21 Haproxy Haproxy 1.1.22 Haproxy Haproxy 1.1.23 Haproxy Haproxy 1.1.24 Haproxy Haproxy 1.1.25 Haproxy Haproxy 1.1.26 Haproxy Haproxy 1.1.27 Haproxy Haproxy 1.2.0 Haproxy Haproxy 1.2.1 Haproxy Haproxy 1.2.2 Haproxy Haproxy 1.2.3 Haproxy Haproxy 1.2.4 Haproxy Haproxy 1.2.5 Haproxy Haproxy 1.2.5.1 Haproxy Haproxy 1.2.5.2 Haproxy Haproxy 1.2.6 Haproxy Haproxy 1.2.7 Haproxy Haproxy 1.2.7.1 Haproxy Haproxy 1.2.8 Haproxy Haproxy 1.2.9 Haproxy Haproxy 1.2.10 Haproxy Haproxy 1.2.10.1 Haproxy Haproxy 1.2.11 Haproxy Haproxy 1.2.11.1 Haproxy Haproxy 1.2.12 Haproxy Haproxy 1.2.13 Haproxy Haproxy 1.2.13.1 Haproxy Haproxy 1.2.14 Haproxy Haproxy 1.2.15 Haproxy Haproxy 1.2.16 Haproxy Haproxy 1.2.17 Haproxy Haproxy 1.2.18 Haproxy Haproxy 1.3.0 Haproxy Haproxy 1.3.1 Haproxy Haproxy 1.3.2 Haproxy Haproxy 1.3.3 Haproxy Haproxy 1.3.4 Haproxy Haproxy 1.3.5 Haproxy Haproxy 1.3.6 Haproxy Haproxy 1.3.6.1 Haproxy Haproxy 1.3.7 Haproxy Haproxy 1.3.8 Haproxy Haproxy 1.3.8.1 Haproxy Haproxy 1.3.8.2 Haproxy Haproxy 1.3.9 Haproxy Haproxy 1.3.10 Haproxy Haproxy 1.3.10.1 Haproxy Haproxy 1.3.10.2 Haproxy Haproxy 1.3.11 Haproxy Haproxy 1.3.11.1 Haproxy Haproxy 1.3.11.2 Haproxy Haproxy 1.3.11.3 Haproxy Haproxy 1.3.11.4 Haproxy Haproxy 1.3.12 Haproxy Haproxy 1.3.12.1 Haproxy Haproxy 1.3.12.2 Haproxy Haproxy 1.3.12.3 Haproxy Haproxy 1.3.12.4 Haproxy Haproxy 1.3.13 Haproxy Haproxy 1.3.13.1 Haproxy Haproxy 1.3.13.2 Haproxy Haproxy 1.3.14 Haproxy Haproxy 1.3.14.1 Haproxy Haproxy 1.3.14.2 Haproxy Haproxy 1.3.14.3 Haproxy Haproxy 1.3.14.4 Haproxy Haproxy 1.3.14.5 Haproxy Haproxy 1.3.14.6 Haproxy Haproxy 1.3.14.7 Haproxy Haproxy 1.3.14.8 Haproxy Haproxy 1.3.14.9 Haproxy Haproxy 1.3.14.10 Haproxy Haproxy 1.3.14.11 Haproxy Haproxy 1.3.14.12 Haproxy Haproxy 1.3.14.13 Haproxy Haproxy 1.3.14.14 Haproxy Haproxy 1.3.15 Haproxy Haproxy 1.3.15.1 Haproxy Haproxy 1.3.15.2 Haproxy Haproxy 1.3.15.3 Haproxy Haproxy 1.3.15.4 Haproxy Haproxy 1.3.15.5 Haproxy Haproxy 1.3.15.6 Haproxy Haproxy 1.3.15.7 Haproxy Haproxy 1.3.15.8 Haproxy Haproxy 1.3.15.9 Haproxy Haproxy 1.3.15.10 Haproxy Haproxy 1.3.15.11 Haproxy Haproxy 1.3.16 Haproxy Haproxy 1.3.17 Haproxy Haproxy 1.3.18 Haproxy Haproxy 1.3.19 Haproxy Haproxy 1.3.20 Haproxy Haproxy 1.3.21 Haproxy Haproxy 1.3.22 Haproxy Haproxy 1.3.23 Haproxy Haproxy 1.4 Haproxy Haproxy 1.4.0 Haproxy Haproxy 1.4.1 Haproxy Haproxy 1.4.2 Haproxy Haproxy 1.4.3 Haproxy Haproxy 1.4.4 Haproxy Haproxy 1.4.5 Haproxy Haproxy 1.4.6 Haproxy Haproxy 1.4.7 Haproxy Haproxy 1.4.8 Haproxy Haproxy 1.4.9 Haproxy Haproxy 1.4.10 Haproxy Haproxy 1.4.11 Haproxy Haproxy 1.4.12 Haproxy Haproxy 1.4.13 Haproxy Haproxy 1.4.14 Haproxy Haproxy 1.4.15 Haproxy Haproxy 1.4.16 Haproxy Haproxy 1.4.17 Haproxy Haproxy 1.4.18 Haproxy Haproxy 1.4.19 Haproxy Haproxy 1.4.20 Haproxy Haproxy 1.4.21 Haproxy Haproxy 1.4.22 Haproxy Haproxy 1.4.23 Haproxy Haproxy 1.4.24 Haproxy Haproxy 1.4.25 Haproxy Haproxy 1.4.26 Haproxy Haproxy 1.4.27 Haproxy Haproxy 1.5 Haproxy Haproxy 1.5.0 Haproxy Haproxy 1.5.1 Haproxy Haproxy 1.5.2 Haproxy Haproxy 1.5.3 Haproxy Haproxy 1.5.4 Haproxy Haproxy 1.5.5 Haproxy Haproxy 1.5.6 Haproxy Haproxy 1.5.7 Haproxy Haproxy 1.5.8 Haproxy Haproxy 1.5.9 Haproxy Haproxy 1.5.10 Haproxy Haproxy 1.5.11 Haproxy Haproxy 1.5.12 Haproxy Haproxy 1.5.13 Haproxy Haproxy 1.5.14 Haproxy Haproxy 1.5.15 Haproxy Haproxy 1.5.16 Haproxy Haproxy 1.5.17 Haproxy Haproxy 1.5.18 Haproxy Haproxy 1.6 Haproxy Haproxy 1.6.0 Haproxy Haproxy 1.6.1 Haproxy Haproxy 1.6.2 Haproxy Haproxy 1.6.3 Haproxy Haproxy 1.6.4 Haproxy Haproxy 1.6.5 Haproxy Haproxy 1.6.6 Haproxy Haproxy 1.6.7 Haproxy Haproxy 1.6.8 Haproxy Haproxy 1.6.9 Haproxy Haproxy 1.6.10 Haproxy Haproxy 1.6.11 Haproxy Haproxy 1.6.12 Haproxy Haproxy 1.6.13 Haproxy Haproxy 1.6.14 Haproxy Haproxy 1.7.0 Haproxy Haproxy 1.7.1 Haproxy Haproxy 1.7.2 Haproxy Haproxy 1.7.3 Haproxy Haproxy 1.7.4 Haproxy Haproxy 1.7.5 Haproxy Haproxy 1.7.6 Haproxy Haproxy 1.7.7 Haproxy Haproxy 1.7.8 Haproxy Haproxy 1.7.9 Haproxy Haproxy 1.7.10 Haproxy Haproxy 1.7.11 Haproxy Haproxy 1.8.0 Haproxy Haproxy 1.8.1 Haproxy Haproxy 1.8.2 Haproxy Haproxy 1.8.3 Haproxy Haproxy 1.8.4 Haproxy Haproxy 1.8.5 Haproxy Haproxy 1.8.6 Haproxy Haproxy 1.8.7 Haproxy Haproxy 1.8.8 Haproxy Haproxy 1.8.9 Haproxy Haproxy 1.8.10 Haproxy Haproxy 1.8.11 Haproxy Haproxy 1.8.12 Haproxy Haproxy 1.8.13 Haproxy Haproxy 1.8.14 Haproxy Haproxy 1.8.15 Haproxy Haproxy 1.8.16 Haproxy Haproxy 1.8.17 Haproxy Haproxy 1.8.18 Haproxy Haproxy 1.8.19 Haproxy Haproxy 1.8.20 Haproxy Haproxy 1.8.21 Haproxy Haproxy 1.9.0 Haproxy Haproxy 1.9.1 Haproxy Haproxy 1.9.2 Haproxy Haproxy 1.9.3 Haproxy Haproxy 1.9.4 Haproxy Haproxy 1.9.5 Haproxy Haproxy 1.9.6 Haproxy Haproxy 1.9.7 Haproxy Haproxy 1.9.8 Haproxy Haproxy 1.9.9 Haproxy Haproxy 1.9.10 Haproxy Haproxy 2.0.0 Haproxy Haproxy 2.0.1 Haproxy Haproxy 2.0.2 Haproxy Haproxy 2.0.3 Haproxy Haproxy 2.0.4 Haproxy Haproxy 2.0.5	270

Common Weakness Enumeration (CWE)

CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

Common Attack Pattern Enumeration and Classification (CAPEC)

HTTP Request Splitting
HTTP Request Splitting (also known as HTTP Request Smuggling) is an attack pattern where an attacker attempts to insert additional HTTP requests in the body of the original (enveloping) HTTP request in such a way that the browser interprets it as one request but the web server interprets it as two. There are several ways to perform HTTP request splitting attacks. One way is to include double Content-Length headers in the request to exploit the fact that the devices parsing the request may each use a different header. Another way is to submit an HTTP request with a "Transfer Encoding: chunked" in the request header set with setRequestHeader to allow a payload in the HTTP Request that can be considered as another HTTP Request by a subsequent parsing entity. A third way is to use the "Double CR in an HTTP header" technique. There are also a few less general techniques targeting specific parsing vulnerabilities in certain web servers.
HTTP Request Smuggling
HTTP Request Smuggling results from the discrepancies in parsing HTTP requests between HTTP entities such as web caching proxies or application firewalls. Entities such as web servers, web caching proxies, application firewalls or simple proxies often parse HTTP requests in slightly different ways. Under specific situations where there are two or more such entities in the path of the HTTP request, a specially crafted request is seen by two attacked entities as two different sets of requests. This allows certain requests to be smuggled through to a second entity without the first one realizing it.

Nessus

NASL family	SuSE Local Security Checks
NASL id	OPENSUSE-2019-2645.NASL
description	This update for haproxy to version 2.0.10 fixes the following issues : HAProxy was updated to 2.0.10 Security issues fixed : - CVE-2019-18277: Fixed a potential HTTP smuggling in messages with transfer-encoding header missing the
last seen	2020-06-01
modified	2020-06-02
plugin id	131721
published	2019-12-05
reporter	This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/131721
title	openSUSE Security Update : haproxy (openSUSE-2019-2645)
code	# # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from openSUSE Security Update openSUSE-2019-2645. # # The text description of this plugin is (C) SUSE LLC. # include("compat.inc"); if (description) { script_id(131721); script_version("1.2"); script_cvs_date("Date: 2019/12/09"); script_cve_id("CVE-2019-18277"); script_name(english:"openSUSE Security Update : haproxy (openSUSE-2019-2645)"); script_summary(english:"Check for the openSUSE-2019-2645 patch"); script_set_attribute( attribute:"synopsis", value:"The remote openSUSE host is missing a security update." ); script_set_attribute( attribute:"description", value: "This update for haproxy to version 2.0.10 fixes the following issues : HAProxy was updated to 2.0.10 Security issues fixed : - CVE-2019-18277: Fixed a potential HTTP smuggling in messages with transfer-encoding header missing the 'chunked' (bsc#1154980). - Fixed an improper handling of headers which could have led to injecting LFs in H2-to-H1 transfers creating new attack space (bsc#1157712) - Fixed an issue where HEADER frames in idle streams are not rejected and thus trying to decode them HAPrpxy crashes (bsc#1157714). Other issue addressed : - Macro change in the spec file (bsc#1082318) More information regarding the release at: http://git.haproxy.org/?p=haproxy-2.0.git;a=commit;h=ac198b92d46151555 1b95daae20954b3053ce87e This update was imported from the SUSE:SLE-15-SP1:Update update project." ); # http://git.haproxy.org/?p=haproxy-2.0.git;a=commit;h=ac198b92d461515551b95daae20954b3053ce87e script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?6e2d3256" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1082318" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1154980" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1157712" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1157714" ); script_set_attribute( attribute:"solution", value:"Update the affected haproxy packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:haproxy"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:haproxy-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:haproxy-debugsource"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:15.1"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/10/23"); script_set_attribute(attribute:"patch_publication_date", value:"2019/12/04"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/12/05"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) \|\| release =~ "^(SLED\|SLES)") audit(AUDIT_OS_NOT, "openSUSE"); if (release !~ "^(SUSE15\.1)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "15.1", release); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); ourarch = get_kb_item("Host/cpu"); if (!ourarch) audit(AUDIT_UNKNOWN_ARCH); if (ourarch !~ "^(x86_64)$") audit(AUDIT_ARCH_NOT, "x86_64", ourarch); flag = 0; if ( rpm_check(release:"SUSE15.1", reference:"haproxy-2.0.10+git0.ac198b92-lp151.2.6.1") ) flag++; if ( rpm_check(release:"SUSE15.1", reference:"haproxy-debuginfo-2.0.10+git0.ac198b92-lp151.2.6.1") ) flag++; if ( rpm_check(release:"SUSE15.1", reference:"haproxy-debugsource-2.0.10+git0.ac198b92-lp151.2.6.1") ) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "haproxy / haproxy-debuginfo / haproxy-debugsource"); }

NASL family	SuSE Local Security Checks
NASL id	OPENSUSE-2019-2626.NASL
description	This update for haproxy to version 2.0.10 fixes the following issues : HAProxy was updated to 2.0.10 Security issues fixed : - CVE-2019-18277: Fixed a potential HTTP smuggling in messages with transfer-encoding header missing the
last seen	2020-06-01
modified	2020-06-02
plugin id	131688
published	2019-12-04
reporter	This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/131688
title	openSUSE Security Update : haproxy (openSUSE-2019-2626)
code	# # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from openSUSE Security Update openSUSE-2019-2626. # # The text description of this plugin is (C) SUSE LLC. # include("compat.inc"); if (description) { script_id(131688); script_version("1.2"); script_cvs_date("Date: 2019/12/09"); script_cve_id("CVE-2019-18277"); script_name(english:"openSUSE Security Update : haproxy (openSUSE-2019-2626)"); script_summary(english:"Check for the openSUSE-2019-2626 patch"); script_set_attribute( attribute:"synopsis", value:"The remote openSUSE host is missing a security update." ); script_set_attribute( attribute:"description", value: "This update for haproxy to version 2.0.10 fixes the following issues : HAProxy was updated to 2.0.10 Security issues fixed : - CVE-2019-18277: Fixed a potential HTTP smuggling in messages with transfer-encoding header missing the 'chunked' (bsc#1154980). - Fixed an improper handling of headers which could have led to injecting LFs in H2-to-H1 transfers creating new attack space (bsc#1157712) - Fixed an issue where HEADER frames in idle streams are not rejected and thus trying to decode them HAPrpxy crashes (bsc#1157714). Other issue addressed : - Macro change in the spec file (bsc#1082318) More information regarding the release at: http://git.haproxy.org/?p=haproxy-2.0.git;a=commit;h=ac198b92d46151555 1b95daae20954b3053ce87e This update was imported from the SUSE:SLE-15:Update update project." ); # http://git.haproxy.org/?p=haproxy-2.0.git;a=commit;h=ac198b92d461515551b95daae20954b3053ce87e script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?6e2d3256" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1082318" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1154980" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1157712" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1157714" ); script_set_attribute( attribute:"solution", value:"Update the affected haproxy packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:haproxy"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:haproxy-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:haproxy-debugsource"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:15.0"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/10/23"); script_set_attribute(attribute:"patch_publication_date", value:"2019/12/03"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/12/04"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) \|\| release =~ "^(SLED\|SLES)") audit(AUDIT_OS_NOT, "openSUSE"); if (release !~ "^(SUSE15\.0)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "15.0", release); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); ourarch = get_kb_item("Host/cpu"); if (!ourarch) audit(AUDIT_UNKNOWN_ARCH); if (ourarch !~ "^(x86_64)$") audit(AUDIT_ARCH_NOT, "x86_64", ourarch); flag = 0; if ( rpm_check(release:"SUSE15.0", reference:"haproxy-2.0.10+git0.ac198b92-lp150.2.16.1") ) flag++; if ( rpm_check(release:"SUSE15.0", reference:"haproxy-debuginfo-2.0.10+git0.ac198b92-lp150.2.16.1") ) flag++; if ( rpm_check(release:"SUSE15.0", reference:"haproxy-debugsource-2.0.10+git0.ac198b92-lp150.2.16.1") ) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "haproxy / haproxy-debuginfo / haproxy-debugsource"); }

NASL family	Huawei Local Security Checks
NASL id	EULEROS_SA-2020-1105.NASL
description	According to the version of the haproxy package installed, the EulerOS installation on the remote host is affected by the following vulnerability : - A flaw was found in HAProxy before 2.0.6. In legacy mode, messages featuring a transfer-encoding header missing the
last seen	2020-05-06
modified	2020-02-24
plugin id	133906
published	2020-02-24
reporter	This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/133906
title	EulerOS 2.0 SP5 : haproxy (EulerOS-SA-2020-1105)
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(133906); script_version("1.4"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/04"); script_cve_id( "CVE-2019-18277" ); script_name(english:"EulerOS 2.0 SP5 : haproxy (EulerOS-SA-2020-1105)"); script_summary(english:"Checks the rpm output for the updated package."); script_set_attribute(attribute:"synopsis", value: "The remote EulerOS host is missing a security update."); script_set_attribute(attribute:"description", value: "According to the version of the haproxy package installed, the EulerOS installation on the remote host is affected by the following vulnerability : - A flaw was found in HAProxy before 2.0.6. In legacy mode, messages featuring a transfer-encoding header missing the 'chunked' value were not being correctly rejected. The impact was limited but if combined with the 'http-reuse always' setting, it could be used to help construct an HTTP request smuggling attack against a vulnerable component employing a lenient parser that would ignore the content-length header as soon as it saw a transfer-encoding one (even if not entirely valid according to the specification).(CVE-2019-18277) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues."); # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-1105 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?47e06ba6"); script_set_attribute(attribute:"solution", value: "Update the affected haproxy package."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"patch_publication_date", value:"2020/02/21"); script_set_attribute(attribute:"plugin_publication_date", value:"2020/02/24"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:haproxy"); script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Huawei Local Security Checks"); script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp"); script_exclude_keys("Host/EulerOS/uvp_version"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/EulerOS/release"); if (isnull(release) \|\| release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS"); if (release !~ "^EulerOS release 2\.0(\D\|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0"); sp = get_kb_item("Host/EulerOS/sp"); if (isnull(sp) \|\| sp !~ "^(5)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP5"); uvp = get_kb_item("Host/EulerOS/uvp_version"); if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP5", "EulerOS UVP " + uvp); if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu); flag = 0; pkgs = ["haproxy-1.5.18-7.h1.eulerosv2r7"]; foreach (pkg in pkgs) if (rpm_check(release:"EulerOS-2.0", sp:"5", reference:pkg)) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_WARNING, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "haproxy"); }

NASL family	Huawei Local Security Checks
NASL id	EULEROS_SA-2020-1523.NASL
description	According to the version of the haproxy package installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerability : - A flaw was found in HAProxy before 2.0.6. In legacy mode, messages featuring a transfer-encoding header missing the
last seen	2020-05-08
modified	2020-05-01
plugin id	136226
published	2020-05-01
reporter	This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/136226
title	EulerOS Virtualization for ARM 64 3.0.2.0 : haproxy (EulerOS-SA-2020-1523)
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(136226); script_version("1.2"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/07"); script_cve_id( "CVE-2019-18277" ); script_name(english:"EulerOS Virtualization for ARM 64 3.0.2.0 : haproxy (EulerOS-SA-2020-1523)"); script_summary(english:"Checks the rpm output for the updated package."); script_set_attribute(attribute:"synopsis", value: "The remote EulerOS Virtualization for ARM 64 host is missing a security update."); script_set_attribute(attribute:"description", value: "According to the version of the haproxy package installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerability : - A flaw was found in HAProxy before 2.0.6. In legacy mode, messages featuring a transfer-encoding header missing the 'chunked' value were not being correctly rejected. The impact was limited but if combined with the 'http-reuse always' setting, it could be used to help construct an HTTP request smuggling attack against a vulnerable component employing a lenient parser that would ignore the content-length header as soon as it saw a transfer-encoding one (even if not entirely valid according to the specification).(CVE-2019-18277) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues."); # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-1523 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?06a07fc0"); script_set_attribute(attribute:"solution", value: "Update the affected haproxy package."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"patch_publication_date", value:"2020/04/30"); script_set_attribute(attribute:"plugin_publication_date", value:"2020/05/01"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:haproxy"); script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:uvp:3.0.2.0"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Huawei Local Security Checks"); script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/uvp_version"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/EulerOS/release"); if (isnull(release) \|\| release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS"); uvp = get_kb_item("Host/EulerOS/uvp_version"); if (uvp != "3.0.2.0") audit(AUDIT_OS_NOT, "EulerOS Virtualization 3.0.2.0"); if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu); if ("aarch64" >!< cpu) audit(AUDIT_ARCH_NOT, "aarch64", cpu); flag = 0; pkgs = ["haproxy-1.5.18-7.h1"]; foreach (pkg in pkgs) if (rpm_check(release:"EulerOS-2.0", reference:pkg)) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_WARNING, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "haproxy"); }

NASL family	Ubuntu Local Security Checks
NASL id	UBUNTU_USN-4174-1.NASL
description	It was discovered that HAproxy incorrectly handled certain HTTP requests. An attacker could possibly use this issue to a privilege escalation (Request Smuggling). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-06-01
modified	2020-06-02
plugin id	130587
published	2019-11-06
reporter	Ubuntu Security Notice (C) 2019 Canonical, Inc. / NASL script (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/130587
title	Ubuntu 16.04 LTS / 18.04 LTS / 19.04 / 19.10 : haproxy vulnerability (USN-4174-1)
code	# # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Ubuntu Security Notice USN-4174-1. The text # itself is copyright (C) Canonical, Inc. See # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered # trademark of Canonical, Inc. # include("compat.inc"); if (description) { script_id(130587); script_version("1.3"); script_cvs_date("Date: 2019/12/17"); script_cve_id("CVE-2019-18277"); script_xref(name:"USN", value:"4174-1"); script_name(english:"Ubuntu 16.04 LTS / 18.04 LTS / 19.04 / 19.10 : haproxy vulnerability (USN-4174-1)"); script_summary(english:"Checks dpkg output for updated package."); script_set_attribute( attribute:"synopsis", value:"The remote Ubuntu host is missing a security-related patch." ); script_set_attribute( attribute:"description", value: "It was discovered that HAproxy incorrectly handled certain HTTP requests. An attacker could possibly use this issue to a privilege escalation (Request Smuggling). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://usn.ubuntu.com/4174-1/" ); script_set_attribute( attribute:"solution", value:"Update the affected haproxy package." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:haproxy"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:18.04:-:lts"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:19.04"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:19.10"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/10/23"); script_set_attribute(attribute:"patch_publication_date", value:"2019/11/05"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/11/06"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"Ubuntu Security Notice (C) 2019 Canonical, Inc. / NASL script (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Ubuntu Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("ubuntu.inc"); include("misc_func.inc"); if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/Ubuntu/release"); if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu"); release = chomp(release); if (! preg(pattern:"^(16\.04\|18\.04\|19\.04\|19\.10)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 16.04 / 18.04 / 19.04 / 19.10", "Ubuntu " + release); if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu); flag = 0; if (ubuntu_check(osver:"16.04", pkgname:"haproxy", pkgver:"1.6.3-1ubuntu0.3")) flag++; if (ubuntu_check(osver:"18.04", pkgname:"haproxy", pkgver:"1.8.8-1ubuntu0.7")) flag++; if (ubuntu_check(osver:"19.04", pkgname:"haproxy", pkgver:"1.8.19-1ubuntu1.2")) flag++; if (ubuntu_check(osver:"19.10", pkgname:"haproxy", pkgver:"2.0.5-1ubuntu0.2")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_WARNING, extra : ubuntu_report_get() ); exit(0); } else { tested = ubuntu_pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "haproxy"); }

NASL family	PhotonOS Local Security Checks
NASL id	PHOTONOS_PHSA-2019-2_0-0187_HAPROXY.NASL
description	An update of the haproxy package has been released.
last seen	2020-06-01
modified	2020-06-02
plugin id	132542
published	2019-12-31
reporter	This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/132542
title	Photon OS 2.0: Haproxy PHSA-2019-2.0-0187
code	# # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from VMware Security Advisory PHSA-2019-2.0-0187. The text # itself is copyright (C) VMware, Inc. include('compat.inc'); if (description) { script_id(132542); script_version("1.2"); script_cvs_date("Date: 2020/01/02"); script_cve_id("CVE-2019-18277"); script_name(english:"Photon OS 2.0: Haproxy PHSA-2019-2.0-0187"); script_set_attribute(attribute:"synopsis", value: "The remote PhotonOS host is missing multiple security updates."); script_set_attribute(attribute:"description", value: "An update of the haproxy package has been released."); script_set_attribute(attribute:"see_also", value:"https://github.com/vmware/photon/wiki/Security-Updates-2-187.md"); script_set_attribute(attribute:"solution", value: "Update the affected Linux packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-18277"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/10/23"); script_set_attribute(attribute:"patch_publication_date", value:"2019/11/14"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/12/31"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:vmware:photonos:haproxy"); script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:photonos:2.0"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"PhotonOS Local Security Checks"); script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/PhotonOS/release", "Host/PhotonOS/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/PhotonOS/release"); if (isnull(release) \|\| release !~ "^VMware Photon") audit(AUDIT_OS_NOT, "PhotonOS"); if (release !~ "^VMware Photon (?:Linux\|OS) 2\.0(\D\|$)") audit(AUDIT_OS_NOT, "PhotonOS 2.0"); if (!get_kb_item("Host/PhotonOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "PhotonOS", cpu); flag = 0; if (rpm_check(release:"PhotonOS-2.0", cpu:"x86_64", reference:"haproxy-2.0.6-1.ph2")) flag++; if (rpm_check(release:"PhotonOS-2.0", cpu:"x86_64", reference:"haproxy-debuginfo-2.0.6-1.ph2")) flag++; if (rpm_check(release:"PhotonOS-2.0", cpu:"x86_64", reference:"haproxy-doc-2.0.6-1.ph2")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_WARNING, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "haproxy"); }

NASL family	PhotonOS Local Security Checks
NASL id	PHOTONOS_PHSA-2019-3_0-0038_HAPROXY.NASL
description	An update of the haproxy package has been released.
last seen	2020-06-01
modified	2020-06-02
plugin id	132589
published	2020-01-02
reporter	This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/132589
title	Photon OS 3.0: Haproxy PHSA-2019-3.0-0038
code	# # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from VMware Security Advisory PHSA-2019-3.0-0038. The text # itself is copyright (C) VMware, Inc. include('compat.inc'); if (description) { script_id(132589); script_version("1.2"); script_cvs_date("Date: 2020/01/03"); script_cve_id("CVE-2019-18277"); script_name(english:"Photon OS 3.0: Haproxy PHSA-2019-3.0-0038"); script_set_attribute(attribute:"synopsis", value: "The remote PhotonOS host is missing multiple security updates."); script_set_attribute(attribute:"description", value: "An update of the haproxy package has been released."); script_set_attribute(attribute:"see_also", value:"https://github.com/vmware/photon/wiki/Security-Updates-3.0-0038.md"); script_set_attribute(attribute:"solution", value: "Update the affected Linux packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-18277"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/10/23"); script_set_attribute(attribute:"patch_publication_date", value:"2019/11/05"); script_set_attribute(attribute:"plugin_publication_date", value:"2020/01/02"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:vmware:photonos:haproxy"); script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:photonos:3.0"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"PhotonOS Local Security Checks"); script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/PhotonOS/release", "Host/PhotonOS/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/PhotonOS/release"); if (isnull(release) \|\| release !~ "^VMware Photon") audit(AUDIT_OS_NOT, "PhotonOS"); if (release !~ "^VMware Photon (?:Linux\|OS) 3\.0(\D\|$)") audit(AUDIT_OS_NOT, "PhotonOS 3.0"); if (!get_kb_item("Host/PhotonOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "PhotonOS", cpu); flag = 0; if (rpm_exists(rpm:"haproxy-2.0", release:"PhotonOS-3.0") && rpm_check(release:"PhotonOS-3.0", cpu:"aarch64", reference:"haproxy-2.0.3-2.ph3")) flag++; if (rpm_exists(rpm:"haproxy-2.0", release:"PhotonOS-3.0") && rpm_check(release:"PhotonOS-3.0", cpu:"x86_64", reference:"haproxy-2.0.3-2.ph3")) flag++; if (rpm_exists(rpm:"haproxy-debuginfo-2.0", release:"PhotonOS-3.0") && rpm_check(release:"PhotonOS-3.0", cpu:"aarch64", reference:"haproxy-debuginfo-2.0.3-2.ph3")) flag++; if (rpm_exists(rpm:"haproxy-debuginfo-2.0", release:"PhotonOS-3.0") && rpm_check(release:"PhotonOS-3.0", cpu:"x86_64", reference:"haproxy-debuginfo-2.0.3-2.ph3")) flag++; if (rpm_exists(rpm:"haproxy-doc-2.0", release:"PhotonOS-3.0") && rpm_check(release:"PhotonOS-3.0", cpu:"aarch64", reference:"haproxy-doc-2.0.3-2.ph3")) flag++; if (rpm_exists(rpm:"haproxy-doc-2.0", release:"PhotonOS-3.0") && rpm_check(release:"PhotonOS-3.0", cpu:"x86_64", reference:"haproxy-doc-2.0.3-2.ph3")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_WARNING, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "haproxy"); }

NASL family	Red Hat Local Security Checks
NASL id	REDHAT-RHSA-2020-1936.NASL
description	The remote Redhat Enterprise Linux 7 / 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:1936 advisory. - haproxy: HTTP request smuggling issue with transfer- encoding header containing an obfuscated chunked value (CVE-2019-18277) - haproxy: HTTP/2 implementation vulnerable to intermediary encapsulation attacks (CVE-2019-19330) - haproxy: malformed HTTP/2 requests can lead to out-of- bounds writes (CVE-2020-11100) Note that Nessus has not tested for this issue but has instead relied only on the application
last seen	2020-05-08
modified	2020-05-05
plugin id	136319
published	2020-05-05
reporter	This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/136319
title	RHEL 7 / 8 : OpenShift Container Platform 4.4.3 haproxy (RHSA-2020:1936)
code	# # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2020:1936. The text # itself is copyright (C) Red Hat, Inc. # include('compat.inc'); if (description) { script_id(136319); script_version("1.2"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/06"); script_cve_id("CVE-2019-18277", "CVE-2019-19330", "CVE-2020-11100"); script_xref(name:"RHSA", value:"2020:1936"); script_name(english:"RHEL 7 / 8 : OpenShift Container Platform 4.4.3 haproxy (RHSA-2020:1936)"); script_summary(english:"Checks the rpm output for the updated packages"); script_set_attribute(attribute:"synopsis", value: "The remote Red Hat host is missing one or more security updates."); script_set_attribute(attribute:"description", value: "The remote Redhat Enterprise Linux 7 / 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:1936 advisory. - haproxy: HTTP request smuggling issue with transfer- encoding header containing an obfuscated chunked value (CVE-2019-18277) - haproxy: HTTP/2 implementation vulnerable to intermediary encapsulation attacks (CVE-2019-19330) - haproxy: malformed HTTP/2 requests can lead to out-of- bounds writes (CVE-2020-11100) Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number."); script_set_attribute(attribute:"see_also", value:"https://cwe.mitre.org/data/definitions/444.html"); script_set_attribute(attribute:"see_also", value:"https://cwe.mitre.org/data/definitions/20.html"); script_set_attribute(attribute:"see_also", value:"https://cwe.mitre.org/data/definitions/20.html"); script_set_attribute(attribute:"see_also", value:"https://cwe.mitre.org/data/definitions/787.html"); script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2020:1936"); script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2019-18277"); script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2019-19330"); script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2020-11100"); script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/1759697"); script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/1777584"); script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/1819111"); script_set_attribute(attribute:"solution", value: "Update the affected haproxy-debugsource and / or haproxy20 packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-19330"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_cwe_id(20, 444, 787); script_set_attribute(attribute:"vuln_publication_date", value:"2019/10/23"); script_set_attribute(attribute:"patch_publication_date", value:"2020/05/04"); script_set_attribute(attribute:"plugin_publication_date", value:"2020/05/05"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:redhat:openshift:4.4"); script_set_attribute(attribute:"cpe", value:"cpe:/a:redhat:openshift:4.4::el7"); script_set_attribute(attribute:"cpe", value:"cpe:/a:redhat:openshift:4.4::el8"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:8"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:haproxy-debugsource"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:haproxy20"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Red Hat Local Security Checks"); script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu"); exit(0); } include('audit.inc'); include('global_settings.inc'); include('misc_func.inc'); include('rpm.inc'); if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item('Host/RedHat/release'); if (isnull(release) \|\| 'Red Hat' >!< release) audit(AUDIT_OS_NOT, 'Red Hat'); os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat'); os_ver = os_ver[1]; if (! preg(pattern:"^(7\|8)([^0-9]\|$)", string:os_ver)) audit(AUDIT_OS_NOT, 'Red Hat 7.x / 8.x', 'Red Hat ' + os_ver); if (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item('Host/cpu'); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu); pkgs = [ {'reference':'haproxy20-2.0.13-3.el7', 'cpu':'x86_64', 'release':'7'}, {'reference':'haproxy-debugsource-2.0.13-3.el8', 'cpu':'x86_64', 'release':'8'}, {'reference':'haproxy20-2.0.13-3.el8', 'cpu':'x86_64', 'release':'8'} ]; flag = 0; foreach package_array ( pkgs ) { reference = NULL; release = NULL; sp = NULL; cpu = NULL; el_string = NULL; rpm_spec_vers_cmp = NULL; epoch = NULL; if (!empty_or_null(package_array['reference'])) reference = package_array['reference']; if (!empty_or_null(package_array['release'])) release = 'RHEL' + package_array['release']; if (!empty_or_null(package_array['sp'])) sp = package_array['sp']; if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu']; if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string']; if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp']; if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch']; if (reference && release) { if (rpm_spec_vers_cmp) { if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:TRUE)) flag++; } else { if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch)) flag++; } } } if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() + redhat_report_package_caveat() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'haproxy-debugsource / haproxy20'); }

NASL family	Red Hat Local Security Checks
NASL id	REDHAT-RHSA-2020-1725.NASL
description	The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:1725 advisory. - haproxy: HTTP request smuggling issue with transfer- encoding header containing an obfuscated chunked value (CVE-2019-18277) - haproxy: HTTP/2 implementation vulnerable to intermediary encapsulation attacks (CVE-2019-19330) Note that Nessus has not tested for this issue but has instead relied only on the application
last seen	2020-04-30
modified	2020-04-28
plugin id	136052
published	2020-04-28
reporter	This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/136052
title	RHEL 8 : haproxy (RHSA-2020:1725)
code	# # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2020:1725. The text # itself is copyright (C) Red Hat, Inc. # include('compat.inc'); if (description) { script_id(136052); script_version("1.2"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/04/29"); script_cve_id("CVE-2019-18277", "CVE-2019-19330"); script_xref(name:"RHSA", value:"2020:1725"); script_name(english:"RHEL 8 : haproxy (RHSA-2020:1725)"); script_summary(english:"Checks the rpm output for the updated packages"); script_set_attribute(attribute:"synopsis", value: "The remote Red Hat host is missing one or more security updates."); script_set_attribute(attribute:"description", value: "The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:1725 advisory. - haproxy: HTTP request smuggling issue with transfer- encoding header containing an obfuscated chunked value (CVE-2019-18277) - haproxy: HTTP/2 implementation vulnerable to intermediary encapsulation attacks (CVE-2019-19330) Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number."); script_set_attribute(attribute:"see_also", value:"https://cwe.mitre.org/data/definitions/444.html"); script_set_attribute(attribute:"see_also", value:"https://cwe.mitre.org/data/definitions/20.html"); script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2020:1725"); script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2019-18277"); script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2019-19330"); script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/1759697"); script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/1777584"); script_set_attribute(attribute:"solution", value: "Update the affected haproxy and / or haproxy-debugsource packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-19330"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_cwe_id(20, 444); script_set_attribute(attribute:"vuln_publication_date", value:"2019/10/23"); script_set_attribute(attribute:"patch_publication_date", value:"2020/04/28"); script_set_attribute(attribute:"plugin_publication_date", value:"2020/04/28"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:redhat:enterprise_linux:8"); script_set_attribute(attribute:"cpe", value:"cpe:/a:redhat:enterprise_linux:8::appstream"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:8"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:haproxy"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:haproxy-debugsource"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Red Hat Local Security Checks"); script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu"); exit(0); } include('audit.inc'); include('global_settings.inc'); include('misc_func.inc'); include('rpm.inc'); if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item('Host/RedHat/release'); if (isnull(release) \|\| 'Red Hat' >!< release) audit(AUDIT_OS_NOT, 'Red Hat'); os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat'); os_ver = os_ver[1]; if (! preg(pattern:"^8([^0-9]\|$)", string:os_ver)) audit(AUDIT_OS_NOT, 'Red Hat 8.x', 'Red Hat ' + os_ver); if (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item('Host/cpu'); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu); pkgs = [ {'reference':'haproxy-1.8.23-3.el8', 'cpu':'aarch64', 'release':'8'}, {'reference':'haproxy-1.8.23-3.el8', 'cpu':'s390x', 'release':'8'}, {'reference':'haproxy-1.8.23-3.el8', 'cpu':'x86_64', 'release':'8'}, {'reference':'haproxy-debugsource-1.8.23-3.el8', 'cpu':'aarch64', 'release':'8'}, {'reference':'haproxy-debugsource-1.8.23-3.el8', 'cpu':'s390x', 'release':'8'}, {'reference':'haproxy-debugsource-1.8.23-3.el8', 'cpu':'x86_64', 'release':'8'} ]; flag = 0; foreach package_array ( pkgs ) { reference = NULL; release = NULL; sp = NULL; cpu = NULL; el_string = NULL; rpm_spec_vers_cmp = NULL; epoch = NULL; if (!empty_or_null(package_array['reference'])) reference = package_array['reference']; if (!empty_or_null(package_array['release'])) release = 'RHEL' + package_array['release']; if (!empty_or_null(package_array['sp'])) sp = package_array['sp']; if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu']; if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string']; if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp']; if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch']; if (reference && release) { if (rpm_spec_vers_cmp) { if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:TRUE)) flag++; } else { if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch)) flag++; } } } if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() + redhat_report_package_caveat() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'haproxy / haproxy-debugsource'); }

Redhat

rpms

haproxy-debuginfo-0:1.8.23-3.el7
haproxy18-0:1.8.23-3.el7
haproxy-0:1.8.23-3.el8
haproxy-debuginfo-0:1.8.23-3.el8
haproxy-debugsource-0:1.8.23-3.el8
haproxy-debuginfo-0:2.0.13-3.el7
haproxy-debugsource-0:2.0.13-3.el8
haproxy20-0:2.0.13-3.el7
haproxy20-0:2.0.13-3.el8
haproxy20-debuginfo-0:2.0.13-3.el8
rh-haproxy18-haproxy-0:1.8.24-2.el7
rh-haproxy18-haproxy-debuginfo-0:1.8.24-2.el7
rh-haproxy18-haproxy-syspaths-0:1.8.24-2.el7

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

Nessus

Redhat

References