Ubuntu Security Notice USN-7133-1: HAProxy HTTP Request Smuggling Vulnerability

Canonical has released USN-7133-1, an urgent security notice addressing a critical vulnerability in HAProxy, the high-performance TCP/HTTP load balancer used extensively across modern cloud infrastructure. The flaw, tracked as CVE-2024-53008, affects HAProxy deployments on Ubuntu 24.04 LTS (Noble Numbat) and carries a CVSS score of 5.3, placing it in the medium-severity range — but its practical implications for organizations running HAProxy in production demand immediate attention.

The Vulnerability

Discovered by security researcher Yuki Mogi, CVE-2024-53008 falls into the category of HTTP Request/Response Smuggling — a class of attack where inconsistencies in how a proxy and its backend server parse HTTP request boundaries can be weaponized. The root cause is HAProxy's misinterpretation of specially crafted HTTP requests, specifically those that combine ambiguous or conflicting Content-Length and Transfer-Encoding headers. This ambiguity allows an attacker to "smuggle" a malicious HTTP request past HAProxy's access control layer into the backend server.

Attack Mechanics

HTTP request smuggling exploits the gap between how HAProxy and the backend server determine where one request ends and the next begins. When an attacker sends a request containing both a Content-Length header and a Transfer-Encoding: chunked header — a deliberately ambiguous combination — HAProxy and the backend may disagree on request boundaries. The attacker can then inject a secondary request (such as GET /admin) that gets interpreted as a new, separate request by the backend, bypassing HAProxy's ACL rules entirely.

Critically, this attack requires no authentication, has low complexity, and can be executed over the network without any user interaction. The attacker merely needs to craft a malicious HTTP request and send it to the target HAProxy instance.

Impact and Risk Assessment

While the CVSS score of 5.3 places this at medium severity, the real-world risk should not be underestimated. HAProxy is commonly deployed as the front-line gateway in front of critical application stacks, enforcing ACL rules that restrict access to administrative panels, API endpoints, configuration interfaces, and sensitive data paths. A successful smuggling attack defeats this ACL enforcement entirely.

The concrete impact is threefold:

  1. ACL Bypass: Attackers can reach backend paths explicitly blocked by HAProxy's ACL rules, such as /admin, /internal, or /api/v1/management.
  2. Information Disclosure: Bypassing access controls can expose sensitive data — credentials, internal business information, personal data, API keys, or configuration files — that should have been protected.
  3. Attack Surface Expansion: Once behind the ACL boundary, attackers can probe backend services for additional vulnerabilities that would otherwise be inaccessible from the public internet.

Affected Versions

The vulnerability affects a broad range of HAProxy versions, including 2.6.x (up to 2.6.18), 2.8.x (up to 2.8.10), 2.9.x (up to 2.9.9), and 3.0.x (up to 3.0.2). For Ubuntu 24.04 LTS users specifically, the fixed package version is haproxy 2.8.5-1ubuntu3.2.

Remediation

The fix has been backported into HAProxy's stable release branches. Ubuntu users should apply the standard system update immediately:

sudo apt update && sudo apt upgrade haproxy

After updating, a restart of the HAProxy service is required for the patch to take effect:

sudo systemctl restart haproxy

Mitigation for Delayed Patching

Organizations that cannot immediately patch should consider deploying additional protective layers. Removing ambiguous HTTP headers (Transfer-Encoding, duplicate Content-Length headers) at an upstream WAF or reverse proxy can help blunt the attack. Disabling HTTP/1.1 keep-alive or pipelining where feasible also reduces the attack surface, though both measures come with performance trade-offs.
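The header-ambiguity check that the Attack Mechanics section describes and that the upstream-filter mitigation above relies on, as an added example that is not part of the advisory or of HAProxy itself. The sample requests are constructed; the function and header names are the example's own.

```python
from typing import List, Tuple

# Constructed sample requests (not from the advisory). REQ_CL_TE carries the
# conflicting framing headers the advisory describes; REQ_DUP_CL carries two
# Content-Length values that disagree.
REQ_PLAIN = (b"POST /search HTTP/1.1\r\nHost: app.example\r\n"
             b"Content-Length: 7\r\n\r\nq=hello")
REQ_CL_TE = (b"POST /search HTTP/1.1\r\nHost: app.example\r\n"
             b"Content-Length: 7\r\nTransfer-Encoding: chunked\r\n\r\n"
             b"0\r\n\r\n")
REQ_DUP_CL = (b"POST /search HTTP/1.1\r\nHost: app.example\r\n"
              b"Content-Length: 7\r\nContent-Length: 3\r\n\r\nq=hello")

def parse_head(raw: bytes) -> Tuple[str, List[Tuple[str, str]]]:
    """Split the request head into (request-line, [(name, value), ...]).
    Names are lower-cased and stripped so a variant such as
    'Transfer-Encoding : chunked' (space before the colon) still matches."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers

def classify(raw: bytes) -> str:
    """Return 'ok', or the reason this request must not be forwarded:
    'cl-te'  - Content-Length and Transfer-Encoding both present
    'dup-cl' - several Content-Length values that disagree
    'bad-cl' - a Content-Length that is not a plain decimal number"""
    _, headers = parse_head(raw)
    cls = [v for n, v in headers if n == "content-length"]
    tes = [v for n, v in headers if n == "transfer-encoding"]
    if cls and tes:
        return "cl-te"
    if len(set(cls)) > 1:
        return "dup-cl"
    if any(not v.isdigit() for v in cls):
        return "bad-cl"
    return "ok"

def should_forward(raw: bytes) -> bool:
    """Filter policy: only requests with unambiguous framing reach HAProxy.
    RFC 7230 section 3.3.3 says a message carrying both headers ought to be
    treated as an error, so the filter rejects rather than choosing one."""
    return classify(raw) == "ok"

if __name__ == "__main__":
    for label, req in (("plain", REQ_PLAIN), ("cl+te", REQ_CL_TE), ("dup-cl", REQ_DUP_CL)):
        print(f"{label}: {classify(req)} -> forward={should_forward(req)}")
```

Rejecting outright is the conservative choice; a filter that instead strips one of the two headers must make sure the backend and HAProxy then agree on the framing that remains.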

Broader Context

CVE-2024-53008 is the latest reminder that protocol-level vulnerabilities remain a persistent threat in the web infrastructure stack. HTTP request smuggling has been a recurring theme in security advisories over the past several years, affecting proxies, CDNs, and application servers from multiple vendors. The underlying challenge — that different HTTP implementations parse the same specification differently — is unlikely to disappear. It underscores the importance of keeping infrastructure components up to date, maintaining layered security defenses, and treating even "medium" severity CVEs with the seriousness they deserve when they affect gateway components.


Originally published via Ubuntu Security Notice USN-7133-1 | CVE-2024-53008