Enno Sep 5, 2024
awlnx

If you use #haproxy >=2.9, you want to upgrade there is a DoS vector in it.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45506

It was hard to figure out but thanks to the great haproxy team it was mitigated fast! 🥳

#DoS #DDoS #Security

CVE - CVE-2024-45506

The mission of the CVE® Program is to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities.

Sep 5, 2024 at 5:30amWeb
Show threadTheuniSep 5, 2024
@awlnx Great work! That's a hard to understand thing that's happening there. I'm not quite able to follow the explanation easily and am wondering whether this is only exploitable if you're talking directly to haproxy or also if its hidden behind an nginx?
Show threadawlnxSep 5, 2024

@theuni I think it can happen even if it's behind a nginx if nginx isn't multiplexing connections.

It basically happens when you have many connections, which trigger many GOAWAY messages and the buffer is already empty. It might just be even more rare to trigger it.

Show threadTheuniSep 5, 2024
@awlnx Thanks!