HAProxy and WebConfigurator HTTP/2 DDoS CVEs

dragoangel · Aug 16, 2019, 5:33 AM

https://www.kb.cert.org/vuls/id/605641/
PfSense Stable not have plans to update build-in Nginx and HAProxy 2.x? Or when PfSense 2.5 will be available at stable release?

jimp · Aug 16, 2019, 12:18 PM

I don't see the h2 keyword in the haproxy package, so I don't think HTTP/2 is enabled or possible (without manual changes).

dragoangel · Aug 16, 2019, 12:31 PM

Actually there is h2 support available.
Same as for WebConfigurator (it use nginx).
I'll send proof in 10 mins

dragoangel · Aug 16, 2019, 1:07 PM

HAProxy Package have HTTP/2 support, and it works.

This advanced field actually bugged and not add field to binding, but it have example and there is working field:

Site hosted at HAProxy:

Nginx used for host WebConfigurator have enabled http2, but for me this lower priority CVE then HAProxy - because limited amount of people have usually access to WebConfigurator.

PiBa · Aug 16, 2019, 1:07 PM

@dragoangel
Yes haproxy supports H2. But it seems haproxy itself is not vulnerable to these attacks. Or at least that is what i understand from one the mails from a main developer:

"So I checked between 1.8 and 2.1-dev today and the result is that we're not impacted by these issues"

Which i believe is a response regarding the same set of CVE's.
Link: https://www.mail-archive.com/haproxy@formilux.org/msg34717.html

Unless you have other information then i am sure the haproxy developers would be really interested in that.

dragoangel · Aug 16, 2019, 1:34 PM

Thanks for reply, I will look at it more

dragoangel · Aug 25, 2019, 8:37 AM

Additionally Squid is affected another DoS CVE:
CVE-2019-12525 and CVE-2019-12529 from 3.x to 3.5.28 and from 4.x to 4.7. Now in Package manager Squid version is 3.5.27.