Netgate Discussion Forum

HAProxy and WebConfigurator HTTP/2 DDoS CVEs

Cache/Proxy
    • dragoangel

      https://www.kb.cert.org/vuls/id/605641/
      Does pfSense stable have no plans to update the built-in Nginx and HAProxy 2.x? Or when will pfSense 2.5 be available as a stable release?

      Latest stable pfSense on 2x XG-7100 and 1x Intel Xeon Server, running mutiWAN, he.net IPv6, pfBlockerNG-devel, HAProxy-devel, Syslog-ng, Zabbix-agent, OpenVPN, IPsec site-to-site, DNS-over-TLS...
      Unifi AP-AC-LR with EAP RADIUS, US-24

      • jimp (Rebel Alliance Developer, Netgate)

        I don't see the h2 keyword in the haproxy package, so I don't think HTTP/2 is enabled or possible (without manual changes).

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        • dragoangel

          Actually there is h2 support available.
          Same as for the WebConfigurator (it uses nginx).
          I'll send proof in 10 mins ☺

          • dragoangel

            The HAProxy package has HTTP/2 support, and it works.
            [screenshot]
            This advanced field is actually bugged and does not add the field to the binding, but it has an example and there is a working field:
            [screenshot]
            Site hosted at HAProxy:
            [screenshot]
            The nginx used to host the WebConfigurator has http2 enabled, but for me this is a lower priority CVE than HAProxy, because usually only a limited number of people have access to the WebConfigurator.
            [screenshot]

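A quick way to audit whether HTTP/2 is actually negotiated on a box, added here as an example and not code from this thread, pfSense or HAProxy: it scans HAProxy `bind` lines for an ALPN list containing `h2` and nginx `listen` directives for the `http2` flag, which is what decides whether the advisories above are even reachable. The config file contents and paths are constructed samples (an assumption), not the files pfSense generates.

```shell
#!/bin/sh
# Added example, not code from this thread, pfSense or HAProxy.
# Lists which HAProxy "bind" lines and nginx "listen" directives
# advertise HTTP/2, so an admin can tell whether the HTTP/2 DoS
# advisories discussed above are reachable on a given box at all.
# The config paths and contents below are constructed samples
# (an assumption), not pfSense's real generated files.

# Print "<section><TAB><bind line>" for every bind whose ALPN list
# contains h2, e.g. "alpn h2" or "alpn h2,http/1.1".
haproxy_h2_binds() {
    awk '
        /^[[:space:]]*(frontend|listen)[[:space:]]/ { section = $2 }
        /^[[:space:]]*bind[[:space:]]/ {
            for (i = 1; i < NF; i++)
                if ($i == "alpn" && $(i + 1) ~ /(^|,)h2($|,)/)
                    print section "\t" $0
        }
    ' "$1"
}

# Print every nginx listen directive carrying the http2 flag.
nginx_h2_listens() {
    grep -E '^[[:space:]]*listen[[:space:]].*[[:space:]]http2([[:space:];]|$)' "$1"
}

# Constructed sample configs so the script runs offline.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/haproxy.cfg" <<'EOF'
frontend https_in
    bind 0.0.0.0:443 name https ssl crt /var/etc/haproxy/site.pem alpn h2,http/1.1
    bind 0.0.0.0:80 name http
frontend legacy
    bind 0.0.0.0:8443 ssl crt /var/etc/haproxy/site.pem alpn http/1.1
EOF
cat > "$SAMPLE_DIR/nginx.conf" <<'EOF'
server {
    listen 443 ssl http2;
    listen 8080;
}
EOF

echo "HAProxy binds negotiating h2:"
haproxy_h2_binds "$SAMPLE_DIR/haproxy.cfg"
echo "nginx listeners with http2:"
nginx_h2_listens "$SAMPLE_DIR/nginx.conf"
```

Point the two functions at the real generated configs on your firewall to see which listeners would be affected; a bind with only `alpn http/1.1` or no `alpn` at all never speaks HTTP/2.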
            • PiBa (@dragoangel)

              @dragoangel
              Yes, haproxy supports H2. But it seems haproxy itself is not vulnerable to these attacks. Or at least that is what I understand from one of the mails from a main developer:

              "So I checked between 1.8 and 2.1-dev today and the result is that we're not impacted by these issues"

              Which I believe is a response regarding the same set of CVEs.
              Link: https://www.mail-archive.com/haproxy@formilux.org/msg34717.html

              Unless you have other information, in which case I am sure the haproxy developers would be really interested in that.

              • dragoangel

                Thanks for the reply, I will look at it more.

                • dragoangel

                  Additionally, Squid is affected by another DoS CVE:
                  CVE-2019-12525 and CVE-2019-12529, from 3.x to 3.5.28 and from 4.x to 4.7. Now in Package manager the Squid version is 3.5.27.
