VSV00011 Varnish HTTP/2 Request Forgery Vulnerability

Martin Blix Grydeland martin at varnish-software.com
Tue Nov 8 10:18:05 UTC 2022


VSV00011 Varnish HTTP/2 Request Forgery Vulnerability
=====================================================

Date: 2022-11-08

A request forgery attack can be performed on Varnish Cache servers that
have the HTTP/2 protocol turned on. When Varnish forwards a request to a
backend it speaks HTTP/1, so the `:method` and `:path` pseudo-headers of
an HTTP/2 request are written into an HTTP/1 request line of the form
`METHOD SP request-target SP HTTP-version`. An attacker may introduce
characters through the HTTP/2 pseudo-headers that are invalid in the
context of an HTTP/1 request line (an empty value, or a space or tab
inside the value), causing the Varnish server to produce invalid HTTP/1
requests to the backend. A backend that parses such a request line
leniently may act on a different method or target than the one Varnish
saw and applied its VCL to, and this may in turn be used to successfully
exploit vulnerabilities in a server behind the Varnish server.

Versions affected
-----------------

* Varnish Cache releases 5.x, 6.x, 7.0.x, 7.1.0, 7.1.1, 7.2.0.

* Varnish Cache 6.0 LTS series up to and including 6.0.10.

* Varnish Cache Plus by Varnish Software 6.0.x up to and including 6.0.10r2.

Versions not affected
---------------------

* Varnish Cache 7.1.2 (released 2022-11-08)

* Varnish Cache 7.2.1 (released 2022-11-08)

* GitHub Varnish Cache master branch at commit
687ffb6452ba570778a83b6eb1df8ac1b31d9221

* Varnish Cache Plus by Varnish Software version 6.0.10r3.

Mitigation
----------

If upgrading Varnish is not possible, it is possible to mitigate the
problem by adding the following snippet at the beginning of the `vcl_recv`
VCL function::

  sub vcl_recv {
      if (req.url ~ "(^$)|[ \t]+" || req.method ~ "(^$)|[ \t]+") {
          return (synth(400));
      }
  }

This VCL statement tests whether the VCL variables filled in from the
incoming HTTP/2 `:path` and `:method` pseudo-headers (`req.url` and
`req.method`) contain any of the problematic characters (an empty value,
or a space or tab), and answers with a 400 "Bad request" synthetic
response if they do. Place the test before any `return` statement in an
existing `vcl_recv` so that no request path bypasses it; if the snippet
is kept as its own `sub vcl_recv` block it must appear earlier in the
file than the existing one, since Varnish concatenates multiple
definitions of a built-in subroutine in the order they appear.
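The following is an added illustration of the mechanism described in this advisory and of the check the mitigation performs; it is not Varnish code and does not reproduce Varnish internals. It builds an HTTP/1 request line from HTTP/2 pseudo-headers the naive way, shows what a constructed, whitespace-splitting backend parser then takes as the method and target, and applies the same `(^$)|[ \t]+` test as the VCL snippet before forwarding. The pseudo-header values, the `app.example` host and the lenient parser are all assumptions made for the example.

```python
from __future__ import annotations

import re

# Added example (not Varnish code): a naive HTTP/2 -> HTTP/1 downgrade, a
# constructed lenient backend request-line parser, and a check equivalent
# to the advisory's vcl_recv mitigation.

HTTP1_VERSION = "HTTP/1.1"


def build_http1_request(pseudo: dict, headers: dict) -> bytes:
    """Naive downgrade: copy :method and :path straight into the request line.

    An HTTP/1 request line is 'METHOD SP request-target SP HTTP-version' and
    carries no escaping, so any SP or HTAB inside the copied values shifts
    the token boundaries the backend will see.
    """
    line = f"{pseudo[':method']} {pseudo[':path']} {HTTP1_VERSION}\r\n"
    fields = "".join(f"{name}: {value}\r\n" for name, value in headers.items())
    return (line + fields + "\r\n").encode("ascii")


def lenient_request_line(raw: bytes) -> tuple[str, str]:
    """What a whitespace-splitting backend parser (assumed) takes as
    (method, target): the first two tokens of the first line."""
    first_line = raw.split(b"\r\n", 1)[0]
    tokens = first_line.split()  # bytes.split() splits on SP and HTAB alike
    return tokens[0].decode("ascii"), tokens[1].decode("ascii")


# Same pattern as the advisory's VCL: empty value, or any SP / HTAB.
BAD_PSEUDO_VALUE = re.compile(r"(^$)|[ \t]+")


def should_reject(pseudo: dict) -> bool:
    """Equivalent of the vcl_recv mitigation: refuse to forward the request.

    A missing pseudo-header is treated as an empty value and rejected too.
    """
    return any(
        BAD_PSEUDO_VALUE.search(pseudo.get(name, "")) is not None
        for name in (":method", ":path")
    )


# Constructed attacker request: the path the proxy would check (/public) is
# harmless, but :method carries a second token that lands in front of it.
FORGED = {":method": "GET /admin", ":path": "/public", ":authority": "app.example"}


def demo() -> dict:
    raw = build_http1_request(FORGED, {"host": FORGED[":authority"]})
    method, target = lenient_request_line(raw)
    return {
        "wire": raw,
        "backend_method": method,
        "backend_target": target,  # the backend acts on /admin, not /public
        "rejected_by_check": should_reject(FORGED),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

How a real backend splits the forged line depends on its parser; the point the example makes is that the proxy and the backend no longer agree on what the request is, which is why the mitigation refuses the request at `vcl_recv` rather than trying to repair it.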

Credits
-------

This problem was discovered and reported to us by Martin van Kervel
Smedshammer, Graduate Student at the University of Oslo. We wish to thank
him for the responsible disclosure.