VSV00003 - DoS attack vector

Tue Sep 3 10:12:56 UTC 2019

VSV00003 DoS attack vector
==========================

Date: 2019-09-03

An HTTP/1 parsing failure has been uncovered in Varnish Cache that will
allow a remote attacker to trigger an assert in Varnish Cache by sending
specially crafted HTTP/1 requests. The assert will cause Varnish to
automatically restart with a clean cache, which makes it a Denial of
Service attack.

The problem was uncovered by internal testing at Varnish Software. It has
to the best of our knowledge not been exploited.

The following is required for a successful attack:

* The attacker must be able to send multiple HTTP/1 requests processed on
  the same HTTP/1 keepalive connection.

Mitigation is possible from VCL or by updating to a fixed version
of Varnish Cache.

Versions affected
-----------------

* 6.1.0 and forward
* 6.0 LTS by Varnish Software up to and including 6.0.3

Versions not affected
---------------------

* Versions prior to 6.1.0 contains parsing bugs that are requisites for
  successfully exploiting the issue, but these versions will not
  assert. This includes the end-of-lifed 4.1 LTS series.

Fixed in
--------

* 6.2.1
* 6.0.4 LTS by Varnish Software
* GitHub Varnish Cache master branch at commit
406b583fe54634afd029e7a41e35b3cf9ccac28a

Mitigation from VCL
-------------------

See :ref:`VSV00003-mitigation` for information about mitigation
through VCL.

Thankyous and credits
---------------------

Alf-André Walla at Varnish Software for uncovering the problem.

Nils Goroll at UPLEX for patch review and VCL mitigation.

Varnish Software for handling this security incident.

Regards,
Martin Blix Grydeland

-- 
<http://varnish-software.com> *Martin Blix Grydeland*
Senior Developer | Varnish Software
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://www.varnish-cache.org/lists/pipermail/varnish-announce/attachments/20190903/af681842/attachment-0001.html>