HAProxy and WebConfigurator HTTP/2 DDoS CVEs
-
https://www.kb.cert.org/vuls/id/605641/
Does pfSense stable have no plans to update the built-in Nginx and HAProxy 2.x? Or when will pfSense 2.5 be available as a stable release? -
I don't see the h2 keyword in the haproxy package, so I don't think HTTP/2 is enabled or possible (without manual changes). -
Actually there is h2 support available.
Same as for WebConfigurator (it uses nginx).
I'll send proof in 10 mins -
The HAProxy package has HTTP/2 support, and it works.
This advanced field is actually bugged and does not add the field to the binding, but it has an example, and there is a working field:
Site hosted at HAProxy:
The Nginx used to host WebConfigurator has http2 enabled, but for me this is a lower-priority CVE than HAProxy, because usually only a limited number of people have access to WebConfigurator.
-
@dragoangel
Yes, haproxy supports H2. But it seems haproxy itself is not vulnerable to these attacks. Or at least that is what I understand from one of the mails from a main developer: "So I checked between 1.8 and 2.1-dev today and the result is that we're not impacted by these issues"
Which I believe is a response regarding the same set of CVEs.
Link: https://www.mail-archive.com/haproxy@formilux.org/msg34717.html
Unless you have other information, then I am sure the haproxy developers would be really interested in that.
-
Thanks for the reply, I will look at it more
-
Additionally, Squid is affected by another DoS CVE:
CVE-2019-12525 and CVE-2019-12529, from 3.x to 3.5.28 and from 4.x to 4.7. The Squid version in the Package Manager is now 3.5.27.
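
On the question raised earlier in the thread of whether HTTP/2 is actually enabled on a HAProxy bind or on the nginx listener, here is an added example (not written by any poster, and not pfSense, HAProxy or nginx project code) that audits configuration text for the directives that turn HTTP/2 on: alpn containing h2 or proto h2 on a HAProxy bind line, and http2 on an nginx listen line or a separate "http2 on;" directive. The sample configs, addresses, paths and function names are constructed for illustration.

```python
# Constructed sample configs (not taken from any real pfSense install).
HAPROXY_CFG = """\
frontend www
    bind 192.0.2.10:443 ssl crt /etc/ssl/site.pem alpn h2,http/1.1
    bind 192.0.2.10:8443 ssl crt /etc/ssl/site.pem
    bind 192.0.2.10:8080 proto h2
    # bind 192.0.2.10:9443 ssl alpn h2
"""
NGINX_CFG = """\
server {
    listen 443 ssl http2;
    listen 80;
}
server {
    listen 8443 ssl;
    http2 on;
}
"""

def _words(line, strip_semicolon=False):
    """Drop a trailing comment, then split the directive into words."""
    text = line.split("#", 1)[0].strip()
    if strip_semicolon:
        text = text.rstrip(";")
    return text.split()

def haproxy_h2_binds(cfg):
    """Return (line_no, address) for bind lines that offer HTTP/2."""
    hits = []
    for no, raw in enumerate(cfg.splitlines(), 1):
        words = _words(raw)
        if len(words) < 2 or words[0] != "bind":
            continue
        # Map each bind option to the word that follows it (its argument).
        opts = dict(zip(words[2:], words[3:]))
        if "h2" in opts.get("alpn", "").split(",") or opts.get("proto") == "h2":
            hits.append((no, words[1]))
    return hits

def nginx_h2_listeners(cfg):
    """Return (line_no, what) for listen lines or directives enabling HTTP/2."""
    hits = []
    for no, raw in enumerate(cfg.splitlines(), 1):
        words = _words(raw, strip_semicolon=True)
        if words[:1] == ["listen"] and "http2" in words[2:]:
            hits.append((no, words[1]))
        elif words == ["http2", "on"]:
            hits.append((no, "http2 on"))
    return hits
```

A bind or listen line that this reports is one where clients can negotiate HTTP/2, which is the precondition for the HTTP/2 DoS CVEs in the linked advisory to be relevant to that listener at all.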