VSV00010 Varnish Request Smuggling Vulnerability

Martin Blix Grydeland martin at varnish-software.com
Tue Nov 8 10:17:51 UTC 2022


VSV00010 Varnish Request Smuggling Vulnerability
================================================

Date: 2022-11-08

A request smuggling attack can be performed on Varnish Cache servers by
requesting that certain headers are made hop-by-hop, preventing the
Varnish Cache servers from forwarding critical headers to the
backend. Among the headers that can be filtered this way are both
`Content-Length` and `Host`, making it possible for an attacker to both
break the HTTP/1 protocol framing and bypass request-to-host routing
in VCL.

Versions affected
-----------------

* Varnish Cache releases 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.1.0, 7.1.1, 7.2.0

Versions not affected
---------------------

* Varnish Cache 7.1.2 (released 2022-11-08)

* Varnish Cache 7.2.1 (released 2022-11-08)

* All versions of Varnish Cache 6.0 LTS series and Varnish Cache Plus by
  Varnish Software.

* GitHub Varnish Cache master branch at commit
e40007dfc2243fb5b3be9923f1ed22dfebb90002

Mitigation
----------

If upgrading Varnish is not possible, it is possible to mitigate the
problem by adding the following snippet at the beginning of the `vcl_recv`
VCL function::

  sub vcl_recv {
      # Start of mitigation for VSV00010
      # Tip: Expand the regular expression token list to allow
      # additional tokens, e.g.
      # "(close|keep-alive|te|upgrade|http2-settings|my-header)"
      if (regsuball(req.http.connection,
          "(?i)((close|keep-alive|te|upgrade|http2-settings)[ ,]*)", "") !~
          "^[ ,]*$") {
          return (synth(400));
      }
  }

This VCL snippet ensures that any incoming `Connection` header carrying
tokens other than the frequently used `close`, `keep-alive`, `TE`,
`Upgrade` and `HTTP2-Settings` is answered with a 400 "Bad request"
synthetic response.

Note that some sites may need to allow other header names as tokens in the
`Connection` header to function properly. If that is the case for your
site, add any additional headers needed, as the comment in the snippet
suggests.
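As an added example, not part of the advisory and not Varnish's own code, the following Python models the two mechanisms described above: which request headers a given `Connection` header value would turn hop-by-hop (and so strip before the backend sees them), and the verdict the mitigation VCL's `regsuball` check gives for that value. The function names, the `allowed_tokens` parameter and the sample header values are constructed for illustration; the allow-list defaults to the same five tokens as the advisory's regular expression.

```python
import re

# Same allow-list as the advisory's VCL regular expression. Extend it for
# sites that legitimately put other tokens in the Connection header.
DEFAULT_ALLOWED_TOKENS = ("close", "keep-alive", "te", "upgrade", "http2-settings")


def connection_tokens(connection_value):
    """Split a Connection header value into its comma-separated tokens.

    Each token names a header that a proxy treats as hop-by-hop and removes
    before forwarding. Tokens are lower-cased; empty ones are dropped.
    """
    return [t.strip().lower() for t in connection_value.split(",") if t.strip()]


def headers_that_would_be_dropped(connection_value, request_headers):
    """Return the request headers the Connection header would make hop-by-hop.

    request_headers is an iterable of header names present on the request.
    This is the effect the advisory describes: naming Content-Length or Host
    here keeps them from reaching the backend.
    """
    present = {h.lower() for h in request_headers}
    return sorted(t for t in connection_tokens(connection_value) if t in present)


def vsv00010_rejects(connection_value, allowed_tokens=DEFAULT_ALLOWED_TOKENS):
    """Model of the advisory's VCL check: True when it would return synth(400).

    The VCL runs regsuball(req.http.connection,
    "(?i)((tok1|tok2|...)[ ,]*)", "") and rejects unless the remainder
    matches "^[ ,]*$", i.e. unless only separators are left once every
    allowed token has been deleted.
    """
    if connection_value is None:
        # An absent Connection header names no hop-by-hop headers, so there
        # is nothing to reject; treat it as an empty value (constructed choice
        # for this model, not a statement about Varnish internals).
        connection_value = ""
    alternation = "|".join(re.escape(t) for t in allowed_tokens)
    stripped = re.sub(rf"(?i)(({alternation})[ ,]*)", "", connection_value)
    return re.fullmatch(r"[ ,]*", stripped) is None


if __name__ == "__main__":
    # Constructed sample values, not captured traffic.
    request_headers = ["Host", "Content-Length", "User-Agent"]
    for value in ["close", "keep-alive, Upgrade", "close, Content-Length", "Host"]:
        dropped = headers_that_would_be_dropped(value, request_headers)
        verdict = "400" if vsv00010_rejects(value) else "pass"
        print(f"Connection: {value!r:28} drops={dropped} mitigation={verdict}")
```

Because the VCL deletes every allowed token wherever it occurs rather than parsing the header token by token, the model does the same: an unknown token that merely starts with an allowed one (for example `tea`) still leaves a residue and is rejected, so the check errs on the strict side.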

Credits
-------

This problem was discovered and reported to us by Martin van Kervel
Smedshammer, Graduate Student at the University of Oslo. We wish to thank
him for the responsible disclosure.