CVE-2018-20615 - Out-of-bounds Read

Severity

50%

Complexity

99%

Confidentiality

48%

An out-of-bounds read issue was discovered in the HTTP/2 protocol decoder in HAProxy 1.8.x and 1.9.x through 1.9.0 which can result in a crash. The processing of the PRIORITY flag in a HEADERS frame requires 5 extra bytes, and while these bytes are skipped, the total frame length was not re-checked to make sure they were present in the frame.

An out-of-bounds read issue was discovered in the HTTP/2 protocol decoder in HAProxy 1.8.x and 1.9.x through 1.9.0 which can result in a crash. The processing of the PRIORITY flag in a HEADERS frame requires 5 extra bytes, and while these bytes are skipped, the total frame length was not re-checked to make sure they were present in the frame.

CVSS 3.0 Base Score 7.5. CVSS Attack Vector: network. CVSS Attack Complexity: low. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

CVSS 2.0 Base Score 5. CVSS Attack Vector: network. CVSS Attack Complexity: low. CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P).

Demo Examples

Out-of-bounds Read

CWE-125

In the following code, the method retrieves a value from an array at a specific array index location that is given as an input parameter to the method


               
}

                     
return value;// check that the array index is less than the maximum// length of the array

                           
value = array[index];// get the value at the specified index of the array
// if array index is invalid then output error message// and return value indicating error
value = -1;

However, this method only verifies that the given array index is less than the maximum length of the array but does not check for the minimum value (CWE-839). This will allow a negative value to be accepted as the input array index, which will result in a out of bounds read (CWE-125) and may allow access to sensitive memory. The input array index should be checked to verify that is within the maximum and minimum range required for the array (CWE-129). In this example the if statement should be modified to include a minimum range check, as shown below.


               
...// check that the array index is within the correct// range of values for the array

Overview

First reported 5 years ago

2019-03-21 16:00:00

Last updated 5 years ago

2019-04-25 12:57:00

Affected Software

HAProxy

HAProxy 1.9.0

1.9.0

HAProxy 1.9.0 Dev 0

1.9.0

HAProxy 1.9.0 Dev 1

1.9.0

HAProxy 1.9.0 Dev 10

1.9.0

HAProxy 1.9.0 Dev 11

1.9.0

HAProxy 1.9.0 Dev 2

1.9.0

HAProxy 1.9.0 Dev 3

1.9.0

HAProxy 1.9.0 Dev 4

1.9.0

HAProxy 1.9.0 Dev 5

1.9.0

HAProxy 1.9.0 Dev 6

1.9.0

HAProxy 1.9.0 Dev 7

1.9.0

HAProxy 1.9.0 Dev 8

1.9.0

HAProxy 1.9.0 Dev 9

1.9.0

openSUSE Leap 15.0

15.0

Canonical Ubuntu Linux 16.04 LTS (Long-Term Support)

16.04

Canonical Ubuntu Linux 18.04 LTS Edition

18.04

Canonical Ubuntu Linux 18.10

18.10

Red Hat OpenShift Container Platform 3.11

3.11

Red Hat Enterprise Linux (RHEL) 7.0 (7)

7.0

Red Hat Enterprise Linux 7.4

7.4

Red Hat Enterprise Linux 7.5

7.5

Red Hat Enterprise Linux 7.6

7.6

References

[opensuse-security-announce] 20190213 [security-announce] openSUSE-SU-2019:0166-1: important: Security update for haproxy

Mailing List, Third Party Advisory

106645

Third Party Advisory, VDB Entry

RHBA-2019:0327

Third Party Advisory

RHSA-2019:0275

Third Party Advisory

3858-1

Third Party Advisory

[[email protected]] 20190108 [ANNOUNCE] haproxy-1.8.17

Mailing List, Third Party Advisory

Stay updated

ExploitPedia is constantly evolving. Sign up to receive a notification when we release additional functionality.

Get in touch

If you'd like to report a bug or have any suggestions for improvements then please do get in touch with us using this form. We will get back to you as soon as we can.