Synopsis
The remote Debian host is missing one or more security-related updates.
Description
The remote Debian 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-3034 advisory.
- An out-of-bounds read in dns_validate_dns_response in dns.c was discovered in HAProxy through 1.8.14. Due to a missing check when validating DNS responses, remote attackers might be able to read the 16 bytes corresponding to an AAAA record from the non-initialized part of the buffer, possibly accessing anything that was left on the stack, or even past the end of the 8193-byte buffer, depending on the value of accepted_payload_size. (CVE-2018-20102)
- An issue was discovered in dns.c in HAProxy through 1.8.14. In the case of a compressed pointer, a crafted packet can trigger infinite recursion by making the pointer point to itself, or create a long chain of valid pointers resulting in stack exhaustion. (CVE-2018-20103)
- A flaw was found in HAProxy before 2.0.6. In legacy mode, messages featuring a transfer-encoding header missing the chunked value were not being correctly rejected. The impact was limited but if combined with the http-reuse always setting, it could be used to help construct an HTTP request smuggling attack against a vulnerable component employing a lenient parser that would ignore the content-length header as soon as it saw a transfer-encoding one (even if not entirely valid according to the specification).
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
Solution
Upgrade the haproxy packages.
For Debian 9 stretch, these problems have been fixed in version 1.7.5-2+deb9u1.
File Name: debian_DLA-3034.nasl
Supported Sensors: Frictionless Assessment Agent, Nessus Agent
Temporal Vector: E:U/RL:OF/RC:C
Temporal Vector: E:U/RL:O/RC:C
CPE: p-cpe:/a:debian:debian_linux:haproxy, p-cpe:/a:debian:debian_linux:haproxy-doc, p-cpe:/a:debian:debian_linux:vim-haproxy, cpe:/o:debian:debian_linux:9.0
Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l
Exploit Ease: No known exploits are available
Patch Publication Date: 5/30/2022
Vulnerability Publication Date: 12/12/2018