CVE-2026-47075
Status: Analyzed (Analysis Complete)
Improper CRLF Injection in hackney HTTP Client

Publication date: 2026-05-25

Last updated on: 2026-05-28

Assigner: EEF

Description
Improper Neutralization of CRLF Sequences vulnerability in benoitc hackney allows HTTP Request Splitting. hackney does not percent-encode carriage return (\r) or line feed (\n) characters in the URL query component before constructing the HTTP/1.1 request target. Characters outside the grammar defined in RFC 3986 Section 3.4 must be percent-encoded, but hackney_url:make_url/3 passes the query binary directly without validation or escaping. An attacker who can control all or part of a URL passed to hackney can inject raw CRLF sequences into the query string, which are then sent as HTTP line breaks in the request target. This enables injection of arbitrary HTTP headers or splitting of the HTTP request. This issue affects hackney: from 0 before 4.0.1.
Meta Information
Generated: 2026-06-15
AI Q&A: 2026-05-26
EPSS Evaluated: 2026-06-14
Affected Vendors & Products
Vendor    Product    Version / Range
benoitc   hackney    up to 4.0.1 (exclusive)
CWE ID    Description
CWE-93    The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.
Executive Summary

This vulnerability is an Improper Neutralization of CRLF Sequences issue in the benoitc hackney library. It allows HTTP Request Splitting because hackney does not percent-encode carriage return (\r) or line feed (\n) characters in the URL query component before constructing the HTTP/1.1 request target.

Specifically, hackney_url:make_url/3 passes the query string directly without validating or escaping these characters, which should be percent-encoded according to RFC 3986 Section 3.4. An attacker who can control part or all of a URL passed to hackney can inject raw CRLF sequences into the query string, causing the HTTP request to be split or arbitrary HTTP headers to be injected.

Impact Analysis

This vulnerability can impact you by allowing an attacker to perform HTTP Request Splitting attacks. This means the attacker can inject arbitrary HTTP headers or split the HTTP request, potentially leading to security issues such as cache poisoning, cross-site scripting (XSS), session fixation, or other malicious behaviors depending on how the HTTP requests are processed downstream.

Compliance Impact

The vulnerability allows an attacker to inject arbitrary HTTP headers or split HTTP requests by exploiting improper neutralization of CRLF sequences in URLs processed by hackney. This can lead to unauthorized actions or data exposure.

Such unauthorized data exposure or manipulation of HTTP requests can potentially violate data protection and privacy regulations like GDPR or HIPAA, which require safeguarding personal and sensitive information against unauthorized access or disclosure.

Therefore, systems using vulnerable versions of hackney that process untrusted URLs may face compliance risks if this vulnerability is exploited, as it undermines the integrity and confidentiality of HTTP communications.

Detection Guidance

This vulnerability involves injection of raw carriage return (\r) and line feed (\n) characters in HTTP request query strings, leading to HTTP request splitting or header injection.

To detect exploitation attempts on your network or system, you can monitor HTTP requests for suspicious patterns such as unencoded CR or LF characters in URLs or unusual HTTP header injections.

  • Use network packet capture tools like tcpdump or Wireshark to filter HTTP requests containing raw CR/LF bytes in the query string (the condition that actually splits the request) or percent-encoded %0d/%0a sequences (the properly escaped form, which can still indicate that someone is probing for the flaw).
  • Example tcpdump command to capture HTTP requests with suspicious characters (plaintext port 80 traffic only; TLS sessions are opaque to this filter): tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep -aiP '%0d|%0a|\r'. The -P flag is needed for grep to interpret \r as a carriage return; a raw LF cannot be matched by a line-oriented grep and shows up instead as a request line that ends without its HTTP-version token.
  • Inspect web server logs or application logs for malformed or split HTTP requests, or unexpected additional headers injected into requests.
  • If you have access to the hackney client source or logs, check for error responses indicating invalid request targets, as the patched version rejects requests containing CR, LF, or NUL bytes.
Mitigation Strategies

The primary mitigation is to upgrade the hackney library to version 4.0.1 or later, where this vulnerability has been fixed.

The fix includes validation that rejects any request targets containing raw carriage return, line feed, or NUL bytes before sending data over the network.

  • Update your dependencies to hackney version 4.0.1 or newer.
  • If immediate upgrade is not possible, implement input validation or sanitization on URLs passed to hackney to ensure CR and LF characters are percent-encoded.
  • Monitor your systems for suspicious HTTP requests that may indicate exploitation attempts.
  • Review and apply any patches or security advisories related to this vulnerability from the hackney project.
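The following Python is an added worked example for this page, not hackney's own code (hackney is written in Erlang). It ties together the mechanism in the Description, the two controls listed above (the CR/LF/NUL rejection added in 4.0.1 and percent-encoding of the query on the caller's side), and the log-review heuristic from Detection Guidance. Function names, the sample request heads and the header name X-Constructed are assumptions made for this example.

```python
"""Added example for CVE-2026-47075 (not hackney's code): how a raw CR/LF
in a URL query reaches the HTTP/1.1 request target, the request-target
validation the advisory describes for hackney 4.0.1 (reject CR, LF, NUL),
the RFC 3986 Section 3.4 percent-encoding that prevents the problem, and
a log-review heuristic. Names and sample inputs are constructed here."""
import re
import string

# RFC 3986 Section 3.4: query = *( pchar / "/" / "?" ), where
# pchar = unreserved / pct-encoded / sub-delims / ":" / "@"
_UNRESERVED = set(string.ascii_letters + string.digits + "-._~")
_SUB_DELIMS = set("!$&'()*+,;=")
QUERY_ALLOWED = _UNRESERVED | _SUB_DELIMS | set(":@/?")


def encode_query(query: str) -> str:
    """Percent-encode every byte the query grammar does not allow.
    Valid pct-encoded triplets (e.g. %20) are kept; a stray '%' becomes
    %25. CR, LF, NUL and non-ASCII bytes all end up encoded."""
    data = query.encode("utf-8")
    out, i = [], 0
    while i < len(data):
        b = data[i]
        is_triplet = (b == 0x25 and i + 2 < len(data)
                      and all(chr(c) in string.hexdigits for c in data[i + 1:i + 3]))
        if is_triplet:
            out.append(data[i:i + 3].decode("ascii"))
            i += 3
            continue
        out.append(chr(b) if b < 0x80 and chr(b) in QUERY_ALLOWED else "%%%02X" % b)
        i += 1
    return "".join(out)


def validate_request_target(target: str) -> None:
    """The guard described for hackney 4.0.1: refuse to put a request
    target containing a raw CR, LF or NUL byte on the wire."""
    names = {"\r": "CR", "\n": "LF", "\x00": "NUL"}
    for ch in target:
        if ch in names:
            raise ValueError(f"invalid request target: raw {names[ch]} byte")


def build_target(path: str, query: str, encode: bool) -> str:
    """Origin-form request target. encode=False mirrors the vulnerable
    behaviour (query passed through untouched); encode=True is the
    hardened form the advisory recommends for callers."""
    q = encode_query(query) if encode else query
    return f"{path}?{q}" if q else path


def send_check(path: str, query: str, encode: bool) -> tuple[bool, str]:
    """(True, target) if safe to send, else (False, reason) as the
    patched client would report it."""
    target = build_target(path, query, encode)
    try:
        validate_request_target(target)
        return True, target
    except ValueError as exc:
        return False, str(exc)


# Detection side: review captured request heads (tcpdump -A output,
# proxy logs) for the shape a split request leaves behind.
REQUEST_LINE = re.compile(r"^[A-Z]+ \S+ HTTP/\d\.\d$")
HEADER_LINE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+:[ \t]*[^\r\n]*$")


def audit_request_head(raw: bytes) -> list[str]:
    """Flag a first line that lacks the HTTP-version token (what a raw
    CRLF in the query produces), any line that is neither a request-line
    nor a well-formed header, and percent-encoded CR/LF in the target."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    findings = []
    if not REQUEST_LINE.match(lines[0]):
        findings.append(f"malformed request-line: {lines[0]!r}")
    elif re.search(r"%0[dDaA]", lines[0].split(" ")[1]):
        findings.append(f"percent-encoded CR/LF in request target: {lines[0]!r}")
    for line in lines[1:]:
        if not HEADER_LINE.match(line):
            findings.append(f"malformed header line: {line!r}")
    return findings


# Constructed inputs: a caller-supplied query carrying a raw CRLF, and the
# request heads a clean request and a split request would produce.
TAINTED_QUERY = "q=ok\r\nX-Constructed: 1"
CLEAN_HEAD = b"GET /search?q=ok HTTP/1.1\r\nHost: example.test\r\n\r\n"
SPLIT_HEAD = (b"GET /search?q=ok\r\nX-Constructed: 1 HTTP/1.1\r\n"
              b"Host: example.test\r\n\r\n")

if __name__ == "__main__":
    print("vulnerable path:", send_check("/search", TAINTED_QUERY, encode=False))
    print("hardened path:  ", send_check("/search", TAINTED_QUERY, encode=True))
    print("clean capture:  ", audit_request_head(CLEAN_HEAD))
    print("split capture:  ", audit_request_head(SPLIT_HEAD))
```

The vulnerable path lets the raw CR reach the request target and is only stopped by the 4.0.1-style validator; the hardened path encodes the query first, so the same input yields `/search?q=ok%0D%0AX-Constructed:%201`, which passes validation and arrives at the server as an ordinary query value. On the detection side, note that a raw LF inside the request-line also fails the `REQUEST_LINE` pattern, so the audit catches both CR and LF injection without needing the line-oriented grep to see the LF itself.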