VSV00002 Data leak - ‘-sfile’ Stevedore transient objects¶
Date: 2017-11-15
A wrong if statement in the varnishd source code means that synthetic objects in stevedores which over-allocate, may leak up to page size of data from a malloc(3) memory allocation.
In a unpredictable percentage of the cases where this condition arises, a segmentation fault will happen instead.
All the following conditions are required to trigger the problem:
- A -sfile or -spersistent stevedore must be configured
- A synthetic object must be created in vcl_backend_error{}
- The synthetic object ends up in the file or persistent stevedore.
For the third condition can arise in two different ways:
- The stevedore named Transient is configured as -sfile or -spersistent (The default is -smalloc)
- The default stevedore is -sfile or -spersistent and the synthetic object is given a TTL larger than the shortlived parameter (default: 10 seconds.)
It is not inconceiveable that an attack can provoke this situation on vulnerable varnishd instances, where the leaked memory contains confidential data and therefore we have classified this as a security vulnerability.
Mitigation is possible from VCL or by updating to a fixed version of Varnish Cache.
Versions affected¶
- 4.1.0 to 5.2.0
Versions not affected¶
- All releases up to but not including 4.1.0
- Varnish Cache Plus from Varnish Software.
Fixed in¶
- 4.1.9 and forward
- 5.2.1 and forward
Mitigation from VCL¶
Do not configure the Transient storage with -sfile or -spersistent stevedores.
Do not assign ttls longer than the parameter shortlived in vcl_backend_error{}
Source code fix¶
Thankyous and credits¶
Github user @shamger submitted a fix for the segmentation fault issue.
Carlo Cannas of Altervista.org pointed out that the data-leak was a security issue.
Martin and Espen from Varnish Software has done most of the work on this security incident.
And yes: I apologize for getting the code wrong in the first place.
phk
