VSV00010 Varnish Request Smuggling Vulnerability

Martin Blix Grydeland martin at varnish-software.com
Tue Nov 8 10:17:51 UTC 2022

VSV00010 Varnish Request Smuggling Vulnerability

Date: 2022-11-08

A request smuggling attack can be performed on Varnish Cache servers by
requesting that certain headers are made hop-by-hop (by naming them in the
`Connection` header), preventing the Varnish Cache servers from forwarding
critical headers to the backend. Among the headers that can be filtered
this way are both `Content-Length` and `Host`, making it possible for an
attacker to both break the HTTP/1 protocol framing and bypass
request-to-host routing in VCL.

Versions affected

* Varnish Cache releases 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.1.0, 7.1.1, 7.2.0

Versions not affected

* Varnish Cache 7.1.2 (released 2022-11-08)

* Varnish Cache 7.2.1 (released 2022-11-08)

* All versions of Varnish Cache 6.0 LTS series and Varnish Cache Plus by
  Varnish Software.

* GitHub Varnish Cache master branch at commit


If upgrading Varnish is not possible, it is possible to mitigate the
problem by adding the following snippet at the beginning of the `vcl_recv`
VCL function:

  sub vcl_recv {
      # Start of mitigation for VSV00010
      # Tip: Expand the regular expression token list to allow
      # additional tokens, e.g.
      # "(close|keep-alive|te|upgrade|http2-settings|my-header)"
      # Strip every allowed token (case-insensitively) together with the
      # separators that follow it; anything left over is an unexpected
      # token and the request is rejected.
      if (regsuball(req.http.connection,
          "(?i)((close|keep-alive|te|upgrade|http2-settings)[ ,]*)", "") !~
          "^[ ,]*$") {
          return (synth(400));
      }
      # End of mitigation for VSV00010
  }

This VCL statement would ensure that any attempt to add anything but the
frequently used tokens like `close`, `keep-alive`, `TE`, `Upgrade` and
`HTTP2-Settings` in an incoming `Connection`-header would be answered with
a 400 "Bad request" synthetic response.

Note that some sites may need to allow other header names as tokens in the
`Connection`-header to function properly. If that is the case for your
site, add any additional headers needed like the commented tip suggests.
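The following Python is an added illustration of the same allowlist check the
VCL snippet performs; it is not part of the advisory or of Varnish itself.
It re-implements the regsuball()/match logic with the standard `re` module
so the behaviour can be exercised offline against constructed `Connection`
header values (the sample values, the function names and the optional
`allowed` parameter used to demonstrate the "my-header" tip are all
assumptions made here).

```python
import re

# The tokens the advisory's VCL mitigation treats as legitimate in a
# Connection header (matched case-insensitively, as in the VCL regex).
DEFAULT_ALLOWED_TOKENS = ("close", "keep-alive", "te", "upgrade", "http2-settings")


def connection_header_residue(value, allowed=DEFAULT_ALLOWED_TOKENS):
    """Mirror the VCL regsuball() call: delete every allowed token together
    with the commas/spaces following it and return whatever is left over."""
    alternation = "|".join(re.escape(token) for token in allowed)
    pattern = r"(?i)((%s)[ ,]*)" % alternation
    return re.sub(pattern, "", value)


def connection_header_ok(value, allowed=DEFAULT_ALLOWED_TOKENS):
    """True when the request would pass the mitigation, i.e. when only
    separators remain once the allowed tokens are removed (VCL: the residue
    matches "^[ ,]*$"). A missing header is fine: there is nothing to filter."""
    if value is None:
        return True
    residue = connection_header_residue(value, allowed)
    return re.fullmatch(r"[ ,]*", residue) is not None


def unexpected_tokens(value, allowed=DEFAULT_ALLOWED_TOKENS):
    """List the header names a Connection value would mark hop-by-hop that are
    outside the allowlist. Handy for logging what a rejected request tried to
    keep Varnish from forwarding (e.g. Content-Length or Host)."""
    tokens = [t for t in re.split(r"[ ,]+", value) if t]
    return [t for t in tokens if t.lower() not in allowed]


def classify(headers, allowed=DEFAULT_ALLOWED_TOKENS):
    """Map each constructed Connection value to the status the mitigation
    would produce: 400 (synth) for rejected requests, 200 otherwise."""
    return {h: (200 if connection_header_ok(h, allowed) else 400) for h in headers}


# Constructed sample values, not taken from real traffic.
SAMPLE_CONNECTION_HEADERS = [
    "close",
    "Keep-Alive, Upgrade, HTTP2-Settings",
    "keep-alive, Content-Length",   # would drop the framing header
    "close,Host",                   # would drop the routing header
    "x-request-id",                 # harmless but not on the allowlist
]

if __name__ == "__main__":
    for header, status in classify(SAMPLE_CONNECTION_HEADERS).items():
        extra = unexpected_tokens(header)
        print("%-40r -> %d  unexpected=%r" % (header, status, extra))
    # Demonstrates the advisory's tip: extend the allowlist for a site that
    # legitimately uses an additional hop-by-hop header (hypothetical name).
    print(connection_header_ok("close, my-header",
                               DEFAULT_ALLOWED_TOKENS + ("my-header",)))
```

Because the VCL regex deletes substrings rather than whole tokens, a value such
as `keep-alive, Content-Length` leaves `Connt-Length` behind (the `te` inside
it is stripped), which is still non-empty and therefore still rejected; the
check is conservative in that direction, which is what a mitigation wants.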


This problem was discovered and reported to us by Martin van Kervel
Smedshammer, Graduate Student at the University of Oslo. We wish to thank
him for the responsible disclosure.