===================================================================== CERT-Renater Note d'Information No. 2022/VULN413 _____________________________________________________________________ DATE : 09/11/2022 HARDWARE PLATFORM(S): / OPERATING SYSTEM(S): Systems running Varnish Cache versions 5.x, 6.x, 7.0.x, 7.1.0, 7.1.1, 7.2.0, 6.0 LTS series up to and including 6.0.10. 6.0.x up to and including 6.0.10r2. ===================================================================== https://varnish-cache.org/lists/pipermail/varnish-announce/2022-November/000755.html https://varnish-cache.org/lists/pipermail/varnish-announce/2022-November/000756.html _____________________________________________________________________ VSV00011 Varnish HTTP/2 Request Forgery Vulnerability ===================================================== Date: 2022-11-08 A request forgery attack can be performed on Varnish Cache servers that have the HTTP/2 protocol turned on. An attacker may introduce characters through the HTTP/2 pseudo-headers that are invalid in the context of an HTTP/1 request line, causing the Varnish server to produce invalid HTTP/1 requests to the backend. This may in turn be used to successfully exploit vulnerabilities in a server behind the Varnish server. Versions affected ----------------- * Varnish Cache releases 5.x, 6.x, 7.0.x, 7.1.0, 7.1.1, 7.2.0. * Varnish Cache 6.0 LTS series up to and including 6.0.10. * Varnish Cache Plus by Varnish Software 6.0.x up to and including 6.0.10r2. Versions not affected --------------------- * Varnish Cache 7.1.2 (released 2022-11-08) * Varnish Cache 7.2.1 (released 2022-11-08) * GitHub Varnish Cache master branch at commit 687ffb6452ba570778a83b6eb1df8ac1b31d9221 * Varnish Cache Plus by Varnish Software version 6.0.10r3. Mitigation ---------- If upgrading Varnish is not possible, it is possible to mitigate the problem by adding the following snippet at the beginning of the `vcl_recv` VCL function:: sub vcl_recv { if (req.url ~ "(^$)|[ \t]+" || req.method ~ "(^$)|[ \t]+") { return (synth(400)); } } This VCL statement would test if the VCL variables filled in from incoming HTTP/2 pseudo-headers contains any of the problematic characters, and answer with a 400 "Bad request" synthetic response if found. Credits ------- This problem was discovered and reported to us by Martin van Kervel Smedshammer, Graduate Student at the University of Oslo. We wish to thank him for the responsible disclosure. _____________________________________________________________________ VSV00010 Varnish Request Smuggling Vulnerability ================================================ Date: 2022-11-08 A request smuggling attack can be performed on Varnish Cache servers by requesting that certain headers are made hop-by-hop, preventing the Varnish Cache servers from forwarding critical headers to the backend. Among the headers that can be filtered this way are both `Content-Length` and `Host`, making it possible for an attacker to both break the HTTP/1 protocol framing, and bypass request to host routing in VCL. Versions affected ----------------- * Varnish Cache releases 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.1.0, 7.1.1, 7.2.0 Versions not affected --------------------- * Varnish Cache 7.1.2 (released 2022-11-08) * Varnish Cache 7.2.1 (released 2022-11-08) * All versions of Varnish Cache 6.0 LTS series and Varnish Cache Plus by Varnish Software. * GitHub Varnish Cache master branch at commit e40007dfc2243fb5b3be9923f1ed22dfebb90002 Mitigation ---------- If upgrading Varnish is not possible, it is possible to mitigate the problem by adding the following snippet at the beginning of the `vcl_recv` VCL function:: sub vcl_recv { # Start of mitigation for VSV00010 # Tip: Expand the regular expression token list to allow # additional tokens, e.g. # "(close|keep-alive|te|upgrade|http2-settings|my-header)" if (regsuball(req.http.connection, "(?i)((close|keep-alive|te|upgrade|http2-settings)[ ,]*)", "") !~ "^[ ,]*$") { return (synth(400)); } } This VCL statement would ensure that any attempt to add anything but the frequently used tokens like `close`, `keep-alive`, `TE`, `Upgrade` and `HTTP2-Settings` in an incoming `Connection`-header would be answered with a 400 "Bad request" synthetic response. Note that some sites may need to allow other header names as tokens in the `Connection`-header to function properly. If that is the case for your site, add any additional headers needed like the commented tip suggests. Credits ------- This problem was discovered and reported to us by Martin van Kervel Smedshammer, Graduate Student at the University of Oslo. We wish to thank him for the responsible disclosure. ========================================================= + CERT-RENATER | tel : 01-53-94-20-44 + + 23/25 Rue Daviel | fax : 01-53-94-20-41 + + 75013 Paris | email:cert@support.renater.fr + =========================================================