VSV00003 DoS attack vector


Date: 2019-09-03

An HTTP/1 parsing failure has been uncovered in Varnish Cache that will allow a remote attacker to trigger an assert in Varnish Cache by sending specially crafted HTTP/1 requests. The assert will cause Varnish to automatically restart with a clean cache, which makes it a Denial of Service attack.

The problem was uncovered by internal testing at Varnish Software. It has to the best of our knowledge not been exploited.

The following is required for a successful attack:

  • The attacker must be able to send multiple HTTP/1 requests processed on the same HTTP/1 keepalive connection.

Mitigation is possible from VCL or by updating to a fixed version of Varnish Cache.

Versions affected

  • 6.1.0 and forward

  • 6.0 LTS by Varnish Software up to and including 6.0.3

Versions not affected

  • Versions prior to 6.1.0 contains parsing bugs that are requisites for successfully exploiting the issue, but these versions will not assert. This includes the end-of-lifed 4.1 LTS series.

Fixed in

  • 6.2.1

  • 6.0.4 LTS by Varnish Software

  • GitHub Varnish Cache master branch at commit 406b583fe54634afd029e7a41e35b3cf9ccac28a

Mitigation from VCL

See VSV00003 DoS attack vector VCL mitigation for information about mitigation through VCL.

Thankyous and credits

Alf-André Walla at Varnish Software for uncovering the problem.

Nils Goroll at UPLEX for patch review and VCL mitigation.

Varnish Software for handling this security incident.