CVE-2024-49214 - Bypassing HAProxy’s IP Allow/Block List Using QUIC 0-RTT
A new security flaw, CVE-2024-49214, was discovered in HAProxy—a popular open-source proxy and load balancer. This vulnerability allows attackers to bypass IP allow/block list protections when using QUIC 0-RTT connections on affected versions:
HAProxy 2.9.x (before 2.9.11)
The bug lets attackers spoof their IP address when initiating 0-RTT (Zero Round Trip Time) QUIC sessions, giving them unauthorized access even if their real IP is blocked.
What is QUIC 0-RTT?
QUIC is a fast, modern transport protocol originally developed by Google and now used as the transport for HTTP/3. The 0-RTT feature allows a client that has previously talked to a server to send application data in its very first flight, without waiting for the handshake to complete. This makes connections faster—but it also opens the door to replay and spoofing attacks if the server acts on that early data before it has verified who sent it.
How Does the Vulnerability Work?
Normally, web servers like HAProxy use IP allow/block lists for basic access control, denying connections from suspicious or unwanted IPs.
The bug here is:
When clients use QUIC’s 0-RTT feature, the server can be fooled about the client’s real IP address during the first phase of communication. As a result, the IP-based access rules may not trigger as expected, and attackers can sneak through.
Let’s suppose your HAProxy instance blocks IPs from 203.0.113.0/24 by allowing only a trusted subnet:
# /etc/haproxy/haproxy.cfg
frontend mysite
    bind :443 ssl crt /etc/haproxy/certs/
    # QUIC listener; the scenario below assumes HTTP/3 over QUIC is enabled
    bind quic4@:443 ssl crt /etc/haproxy/certs/ alpn h3
    # Only allow trusted subnet
    acl trusted_net src 192.168.1.0/24
    http-request deny if !trusted_net
With CVE-2024-49214, an attacker with an IP in 203.0.113.0/24 (say 203.0.113.55) can start a QUIC 0-RTT session and bypass this rule because HAProxy mishandles the IP check during session resumption.
Simple Exploit Outline
1. Initial Handshake: Attacker connects to HAProxy from a valid IP (possibly a botnet node) and captures session resumption tokens.
2. Replay: Attacker uses these tokens to start a new 0-RTT session, but with a different (blocked) source IP.
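To make the failure mode behind the scenario and the two-step outline concrete, here is a small Python model added for this article; it is not HAProxy’s code and does not reproduce HAProxy’s internals. It places a vulnerable decision function, which on a 0-RTT resumption trusts address state tied to the session ticket, beside a hardened one that evaluates the ACL against the source address of the datagram actually received and refuses to act on early data whose address no longer matches the ticket. The `issued_to` field on the ticket, the `ClientHello` record and the `wait-for-handshake` outcome are modelling assumptions; the subnet and addresses are the ones used in the configuration above, and the sample attempts are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Mirrors the trusted subnet from the haproxy.cfg above.
TRUSTED_NET = ipaddress.ip_network("192.168.1.0/24")


@dataclass
class SessionTicket:
    """Constructed stand-in for a resumption ticket.

    'issued_to' models client address state captured at the original
    handshake. Real tickets do not necessarily carry such a field; it is
    here only to make the two access-check strategies comparable.
    """
    ticket_id: str
    issued_to: str


@dataclass
class ClientHello:
    """One incoming connection attempt as the proxy sees it (constructed)."""
    src_ip: str                              # address on the wire for THIS datagram
    early_data: bool                         # True when the client sends 0-RTT data
    ticket: Optional[SessionTicket] = None   # present on a resumption attempt


def src_allowed(ip: str) -> bool:
    """The 'acl trusted_net src 192.168.1.0/24' check."""
    return ipaddress.ip_address(ip) in TRUSTED_NET


def vulnerable_decide(hello: ClientHello) -> str:
    """Model of the flawed behaviour described in the article.

    On a 0-RTT resumption the decision is derived from state associated
    with the session ticket instead of the address the datagram actually
    arrived from, so a ticket obtained from a trusted host can be replayed
    from anywhere and still pass the ACL.
    """
    if hello.early_data and hello.ticket is not None:
        return "accept" if src_allowed(hello.ticket.issued_to) else "deny"
    return "accept" if src_allowed(hello.src_ip) else "deny"


def hardened_decide(hello: ClientHello) -> str:
    """Evaluate the ACL against the current source address on every attempt.

    If early data arrives from an address other than the one the ticket was
    issued to, the model refuses to act on it until the full handshake has
    proven possession of the session keys (a wait-for-handshake outcome).
    """
    if not src_allowed(hello.src_ip):
        return "deny"
    if (hello.early_data and hello.ticket is not None
            and hello.ticket.issued_to != hello.src_ip):
        return "wait-for-handshake"
    return "accept"


# Constructed scenario following the two-step outline above.
TICKET_FROM_TRUSTED_HOST = SessionTicket("t-0001", "192.168.1.10")

# Step 1: the initial full handshake from a trusted address.
INITIAL = ClientHello("192.168.1.10", early_data=False)

# Step 2: the ticket is replayed as 0-RTT from a blocked address.
REPLAYED_FROM_BLOCKED_IP = ClientHello(
    "203.0.113.55", early_data=True, ticket=TICKET_FROM_TRUSTED_HOST
)

# Benign resumption from the same trusted host, for contrast.
RESUMED_FROM_SAME_HOST = ClientHello(
    "192.168.1.10", early_data=True, ticket=TICKET_FROM_TRUSTED_HOST
)


def compare() -> dict:
    """Run every constructed attempt through both strategies."""
    cases = {
        "initial": INITIAL,
        "replayed_from_blocked_ip": REPLAYED_FROM_BLOCKED_IP,
        "resumed_from_same_host": RESUMED_FROM_SAME_HOST,
    }
    return {
        name: (vulnerable_decide(h), hardened_decide(h)) for name, h in cases.items()
    }


if __name__ == "__main__":
    for name, (vuln, hard) in compare().items():
        print(f"{name:26s} vulnerable={vuln:8s} hardened={hard}")
```

Only the replayed attempt separates the two strategies: the vulnerable model accepts it because the ticket was issued to a trusted host, while the hardened model denies it because the datagram came from 203.0.113.55. The lesson generalises beyond this CVE: any access decision must be bound to the transport address of the connection being evaluated, not to state carried over from an earlier session.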
Example: Python Pseudocode Using aioquic
from aioquic.asyncio import connect

# Pseudocode only: quic_config, save_ticket() and load_ticket() are stand-ins,
# and the keyword arguments below are illustrative rather than aioquic's real API.

# Step 1: Legitimately connect and obtain a session ticket
async with connect(
    "haproxy.example.com", 443, configuration=quic_config
) as client:
    # Complete the handshake, then save the session resumption ticket
    save_ticket(client.session_ticket)

# Step 2: From a blocked IP, use the saved ticket to start a 0-RTT session
quic_config.session_ticket = load_ticket()
async with connect(
    "haproxy.example.com", 443, configuration=quic_config, enable_0rtt=True
) as client:
    # Send the request as early data, before the full handshake completes
    client.send_data(b"My secret 0-RTT request")
You’d need to orchestrate network changes or proxies to appear as a different IP in step 2.
Patching and Mitigations
- Upgrade HAProxy to 3.1-dev7, 3.0.5, 2.9.11, or later (HAProxy Changelog)
- Always use strong mutual TLS to authenticate clients, not just IP allow/block lists.
References
- HAProxy Security Advisory
- Vendor Patch Notes
- QUIC 0-RTT RFC 9000
- CVE Details - CVE-2024-49214
Conclusion
CVE-2024-49214 highlights why new protocols like QUIC need careful integration with existing security features. If you’re running HAProxy with QUIC support, update right away to ensure attackers can't sneak past your IP filters using 0-RTT session tricks.
Timeline
Published on: 10/14/2024 04:15:05 UTC
Last modified on: 10/15/2024 12:57:46 UTC