From martin at varnish-software.com Tue Nov 8 10:17:51 2022
From: martin at varnish-software.com (Martin Blix Grydeland)
Date: Tue, 8 Nov 2022 11:17:51 +0100
Subject: VSV00010 Varnish Request Smuggling Vulnerability

VSV00010 Varnish Request Smuggling Vulnerability
================================================

Date: 2022-11-08

A request smuggling attack can be performed on Varnish Cache servers by
requesting that certain headers are made hop-by-hop, preventing the Varnish
Cache servers from forwarding critical headers to the backend. Among the
headers that can be filtered this way are both `Content-Length` and `Host`,
making it possible for an attacker to both break the HTTP/1 protocol framing
and bypass request-to-host routing in VCL.

Versions affected
-----------------

* Varnish Cache releases 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.1.0, 7.1.1, 7.2.0

Versions not affected
---------------------

* Varnish Cache 7.1.2 (released 2022-11-08)
* Varnish Cache 7.2.1 (released 2022-11-08)
* All versions of Varnish Cache 6.0 LTS series and Varnish Cache Plus by
  Varnish Software.
* GitHub Varnish Cache master branch at commit
  e40007dfc2243fb5b3be9923f1ed22dfebb90002

Mitigation
----------

If upgrading Varnish is not possible, it is possible to mitigate the problem
by adding the following snippet at the beginning of the `vcl_recv` VCL
function::

    sub vcl_recv {
        # Start of mitigation for VSV00010
        # Tip: Expand the regular expression token list to allow
        # additional tokens, e.g.
        # "(close|keep-alive|te|upgrade|http2-settings|my-header)"
        if (regsuball(req.http.connection,
            "(?i)((close|keep-alive|te|upgrade|http2-settings)[ ,]*)",
            "") !~ "^[ ,]*$") {
            return (synth(400));
        }
    }

This VCL statement would ensure that any attempt to add anything but the
frequently used tokens like `close`, `keep-alive`, `TE`, `Upgrade` and
`HTTP2-Settings` in an incoming `Connection`-header would be answered with a
400 "Bad request" synthetic response.
Note that some sites may need to allow other header names as tokens in the
`Connection`-header to function properly. If that is the case for your site,
add any additional headers needed like the commented tip suggests.

Credits
-------

This problem was discovered and reported to us by Martin van Kervel
Smedshammer, Graduate Student at the University of Oslo. We wish to thank him
for the responsible disclosure.


From martin at varnish-software.com Tue Nov 8 10:18:05 2022
From: martin at varnish-software.com (Martin Blix Grydeland)
Date: Tue, 8 Nov 2022 11:18:05 +0100
Subject: VSV00011 Varnish HTTP/2 Request Forgery Vulnerability

VSV00011 Varnish HTTP/2 Request Forgery Vulnerability
=====================================================

Date: 2022-11-08

A request forgery attack can be performed on Varnish Cache servers that have
the HTTP/2 protocol turned on. An attacker may introduce characters through
the HTTP/2 pseudo-headers that are invalid in the context of an HTTP/1
request line, causing the Varnish server to produce invalid HTTP/1 requests
to the backend. This may in turn be used to successfully exploit
vulnerabilities in a server behind the Varnish server.

Versions affected
-----------------

* Varnish Cache releases 5.x, 6.x, 7.0.x, 7.1.0, 7.1.1, 7.2.0.
* Varnish Cache 6.0 LTS series up to and including 6.0.10.
* Varnish Cache Plus by Varnish Software 6.0.x up to and including 6.0.10r2.

Versions not affected
---------------------

* Varnish Cache 7.1.2 (released 2022-11-08)
* Varnish Cache 7.2.1 (released 2022-11-08)
* GitHub Varnish Cache master branch at commit
  687ffb6452ba570778a83b6eb1df8ac1b31d9221
* Varnish Cache Plus by Varnish Software version 6.0.10r3.
Mitigation
----------

If upgrading Varnish is not possible, it is possible to mitigate the problem
by adding the following snippet at the beginning of the `vcl_recv` VCL
function::

    sub vcl_recv {
        if (req.url ~ "(^$)|[ \t]+" || req.method ~ "(^$)|[ \t]+") {
            return (synth(400));
        }
    }

This VCL statement would test if the VCL variables filled in from incoming
HTTP/2 pseudo-headers contain any of the problematic characters, and answer
with a 400 "Bad request" synthetic response if found.

Credits
-------

This problem was discovered and reported to us by Martin van Kervel
Smedshammer, Graduate Student at the University of Oslo. We wish to thank him
for the responsible disclosure.
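For operators who want to confirm what the two VCL mitigations above (VSV00010's `Connection`-token allowlist and VSV00011's pseudo-header check) accept and reject before deploying them, here is an added Python port of both checks; it is not part of either advisory or of Varnish, and it uses Python's `re` in place of Varnish's PCRE, which agree for these particular patterns. The `allowed` parameter and the helper that lists offending tokens are additions for testing and logging, not something the VCL does.

```python
import re

# Token allowlist from the VSV00010 snippet; extend it the way the advisory's
# commented tip suggests, e.g. DEFAULT_CONNECTION_TOKENS + ("my-header",).
DEFAULT_CONNECTION_TOKENS = ("close", "keep-alive", "te", "upgrade",
                             "http2-settings")


def connection_header_rejected(value, allowed=DEFAULT_CONNECTION_TOKENS):
    """Mirror the VSV00010 VCL test: strip every allowed token (case-
    insensitive) plus trailing spaces/commas via regsuball, then reject
    the request if anything other than separators is left over."""
    if value is None:  # no Connection header: nothing can be made hop-by-hop
        return False
    token_re = "|".join(re.escape(t) for t in allowed)
    pattern = r"(?i)((" + token_re + r")[ ,]*)"
    remainder = re.sub(pattern, "", value)
    # VCL: ... !~ "^[ ,]*$"  -> reject when the remainder is not separators
    return re.search(r"^[ ,]*$", remainder) is None


def unexpected_connection_tokens(value, allowed=DEFAULT_CONNECTION_TOKENS):
    """Helper (not in the VCL): name the Connection tokens outside the
    allowlist, i.e. the headers Varnish would have dropped as hop-by-hop.
    Useful when logging a rejected request."""
    allowed_lc = {t.lower() for t in allowed}
    return [tok.strip() for tok in (value or "").split(",")
            if tok.strip() and tok.strip().lower() not in allowed_lc]


def h2_pseudo_header_rejected(method, url):
    """Mirror the VSV00011 VCL test: an empty value or any space/tab in
    the method or URL derived from HTTP/2 pseudo-headers cannot be
    carried in an HTTP/1 request line, so the request is rejected."""
    bad = re.compile(r"(^$)|[ \t]+")
    return bool(bad.search(method) or bad.search(url))


if __name__ == "__main__":
    # Constructed sample values, not captured traffic.
    for hdr in ("close", "keep-alive, Upgrade, HTTP2-Settings",
                "close, Content-Length", "Host"):
        print(f"{hdr!r:45} rejected={connection_header_rejected(hdr)} "
              f"offending={unexpected_connection_tokens(hdr)}")
    for method, url in (("GET", "/index.html"), ("GET", "/a b"), ("", "/")):
        print(f"{method!r:6} {url!r:14} rejected="
              f"{h2_pseudo_header_rejected(method, url)}")
```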