VSV00002 Data leak - ‘-sfile’ Stevedore transient objects
Date: 2017-11-15
A wrong if statement in the varnishd source code means that synthetic objects in stevedores which over-allocate may leak up to a page size of data from a malloc(3) memory allocation.
In an unpredictable percentage of the cases where this condition arises, a segmentation fault will happen instead.
All the following conditions are required to trigger the problem:
A -sfile or -spersistent stevedore must be configured
A synthetic object must be created in vcl_backend_error{}
The synthetic object ends up in the file or persistent stevedore.
The third condition can arise in two different ways:
The stevedore named Transient is configured as -sfile or -spersistent (The default is -smalloc)
The default stevedore is -sfile or -spersistent and the synthetic object is given a TTL larger than the shortlived parameter (default: 10 seconds).
It is not inconceivable that an attack can provoke this situation on vulnerable varnishd instances where the leaked memory contains confidential data, and therefore we have classified this as a security vulnerability.
Mitigation is possible from VCL or by updating to a fixed version of Varnish Cache.
Versions affected
4.1.0 to 5.2.0
Versions not affected
All releases up to but not including 4.1.0
Varnish Cache Plus from Varnish Software.
Fixed in
4.1.9 and forward
5.2.1 and forward
Mitigation from VCL
Do not configure the Transient storage with -sfile or -spersistent stevedores.
Do not assign TTLs longer than the shortlived parameter in vcl_backend_error{}.
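The second VCL mitigation, shown as an added example that is not part of this advisory or of the Varnish source: the weak setting (a long TTL on the synthetic object) beside the corrected one that keeps the object under shortlived so it stays in Transient. The backend definition is assumed only so the VCL loads; the first mitigation is applied on the command line by keeping Transient on malloc (for example -s Transient=malloc,256m alongside the -sfile stevedore).

```vcl
vcl 4.0;

# Assumed backend; present only so that this VCL compiles.
backend default {
    .host = "127.0.0.1";
    .port = "8080";
}

sub vcl_backend_error {
    set beresp.http.Content-Type = "text/html; charset=utf-8";
    synthetic({"<!DOCTYPE html>
<html><body><h1>Backend error</h1></body></html>
"});

    # Weak setting: with a -sfile or -spersistent default stevedore, a TTL
    # above shortlived (default 10 seconds) moves this synthetic object out
    # of Transient and into the affected stevedore.
    # set beresp.ttl = 1h;

    # Mitigated: keep the synthetic object below shortlived so it is stored
    # in Transient. shortlived is compared against ttl+grace+keep, so cap
    # all three rather than the TTL alone.
    set beresp.ttl = 5s;
    set beresp.grace = 0s;
    set beresp.keep = 0s;
    return (deliver);
}
```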
Source code fix
Thankyous and credits
Github user @shamger submitted a fix for the segmentation fault issue.
Carlo Cannas of Altervista.org pointed out that the data-leak was a security issue.
Martin and Espen from Varnish Software have done most of the work on this security incident.
And yes: I apologize for getting the code wrong in the first place.
phk