VSV00008 Varnish HTTP/1 Request Smuggling Vulnerability

CVE-2022-23959

Date: 2022-01-25

A request smuggling attack can be performed on HTTP/1 connections on Varnish Cache servers. The smuggled request would be treated as an additional request by the Varnish server, go through normal VCL processing, and injected as a spurious response on the client connection.

Identifying smuggled requests

Smuggled requests will show in the logs generated by Varnish as normal requests. It may be possible to identify the smuggled requests by comparing the Varnish logs with logs from any proxy software between the Varnish server and the client.

Versions affected

  • Varnish Cache releases 1.x, 2.x, 3.x, 4.x, 5.x, 6.0.x, 6.1.x, 6.2.x, 6.3.x, 6.4.x, 6.5.x, 6.6.0, 6.6.1, 7.0.0, 7.0.1.

  • Varnish Cache 6.0 LTS series up to and including 6.0.9.

  • All versions of Varnish Cache 4.1 LTS series.

Versions not affected

  • Varnish Cache 6.6.2 (released 2022-01-25)

  • Varnish Cache 7.0.2 (released 2022-01-25)

  • Varnish Cache 6.0 LTS version 6.0.10 (released 2022-01-25)

  • GitHub Varnish Cache master branch at commit 1020be7e886399a4e94407ae0dfbfd1475cc5756

Mitigation

If upgrading Varnish is not possible, it is possible to mitigate the problem by ensuring that the Varnish Server does not allow connection reuse on HTTP/1 client connections once a request body has been seen on the connection. To deploy the workaround, put the following VCL configuration towards the top of the VCL configuration:

sub vsv8 {
    if ((req.http.Content-Length || req.http.Transfer-Encoding) &&
      req.proto != "HTTP/2.0") {
        set resp.http.Connection = "close";
    }
}

sub vcl_synth { call vsv8; }
sub vcl_deliver { call vsv8; }

Credits

This problem was discovered and reported to us by James Kettle, Director of Research at PortSwigger. We wish to thank him for the responsible disclosure.