
Base64 decoding vulnerability in vmod-digest

Published August 17, 2023.

A base64 decoding vulnerability has been discovered in vmod-digest.

This problem was discovered by an external party and not reported responsibly to Varnish Software or the Varnish Cache project. Since we don’t know exactly how widespread the knowledge about this vulnerability is, we have acted as though it is public knowledge or at least easily available. This warranted a fast-tracked process between discovery and disclosure.

Impact

The vulnerability can lead to both authentication bypass and information disclosure. The exact attack surface depends on the particular VCL configuration in use.

Common usage of vmod-digest is for basic HTTP authentication, in which case it may be possible for an attacker to circumvent the authentication check. If the decoded result string is somehow being made visible to the attacker (for example the result of the decoding is added to a response header), then there is the potential for information disclosure from reading out-of-band workspace data.

Versions affected

Affected software versions

  • vmod-digest shipped with Varnish Enterprise 6.0 series up to and including 6.0.11r4.
  • vmod-digest for Varnish Cache 6.0 LTS built on upstream source code prior to 2023-08-17.
  • vmod-digest for Varnish Cache trunk built on upstream source code prior to 2023-08-17.

Note that the vulnerability is only exploitable if vmod-digest is loaded and one of the base64 decoding functions it provides is used.

Resolved in

  • vmod-digest shipped with Varnish Enterprise 6.0.11r5 (released 2023-08-14).
  • vmod-digest for Varnish Cache 6.0 LTS built on upstream source code from 2023-08-17 and later.
  • vmod-digest for Varnish Cache trunk built on upstream source code from 2023-08-17 and later.

Solution

The recommended solution is to upgrade vmod-digest to one of the versions where this issue has been resolved and then ensure that Varnish is restarted. For Varnish Enterprise, this is done as follows:

Upgrading on RedHat and derivatives

You should already have configured the Varnish Enterprise repository, so a normal upgrade will be enough:

$ sudo yum update varnish-plus
$ sudo systemctl restart varnish

Upgrading on Ubuntu and Debian

You should already have configured the Varnish Enterprise repository, so a normal upgrade should be enough:

$ sudo apt-get update
$ sudo apt-get install --only-upgrade varnish-plus
$ sudo systemctl restart varnish

Workaround

If upgrading Varnish is not possible, the vulnerability can be mitigated using a VCL-based workaround.

Vmod-blob implements base64 decoding, and this functionality is not affected by the issue in vmod-digest. The proposed workaround is to change VCL configurations that use vmod-digest for base64 decoding so that they use vmod-blob instead.

There are 3 affected functions in vmod-digest, each for decoding a different variant of base64. The functions are digest.base64_decode, digest.base64url_decode and digest.base64url_nopad_decode. Each invocation of these functions in the VCL needs to be replaced with the corresponding vmod-blob construct.

Please see the following examples for how to rewrite the VCL configuration, where each commented-out usage of vmod-digest is followed by the corresponding construct using vmod-blob:

import blob;
sub vcl_recv {
	# set req.http.decoded = digest.base64_decode(req.http.encoded);
	set req.http.decoded = blob.transcode(BASE64, IDENTITY, encoded=req.http.encoded);

	# set req.http.decoded = digest.base64url_decode(req.http.encoded);
	set req.http.decoded = blob.transcode(BASE64URL, IDENTITY, encoded=req.http.encoded);

	# set req.http.decoded = digest.base64url_nopad_decode(req.http.encoded);
	set req.http.decoded = blob.transcode(BASE64URLNOPAD, IDENTITY, encoded=req.http.encoded);
}
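
To apply the workaround across a larger configuration, the sketch below finds live calls to the three affected functions in VCL text and rewrites them to the blob.transcode form shown above. It is an added example, not code from Varnish Software or the vmod-digest project; the function names and the sample VCL are hypothetical. It assumes # and // line comments only (/* */ blocks are not recognised) and reports, rather than rewrites, calls that span several lines.

```python
import re
AFFECTED = {"base64_decode": "BASE64", "base64url_decode": "BASE64URL",
            "base64url_nopad_decode": "BASE64URLNOPAD"}  # mapping from the advisory
CALL = re.compile(r"\bdigest\.(%s)\s*\(" % "|".join(AFFECTED))
SAMPLE = ('import digest;\nsub vcl_recv {\n\tset req.http.cred = '  # constructed input
          'digest.base64_decode(regsub(req.http.Authorization, "^Basic ", ""));\n}')

def split_comment(line):
    """Split a VCL line into (code, trailing # or // comment), string-aware."""
    in_str = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_str = not in_str
        elif not in_str and (ch == "#" or line.startswith("//", i)):
            return line[:i], line[i:]
    return line, ""

def closing_paren(code, open_idx):
    """Index of the ')' matching the '(' at open_idx, or -1 if not on this line."""
    depth, in_str = 0, False
    for i, ch in enumerate(code[open_idx:], open_idx):
        if ch == '"':
            in_str = not in_str
        elif not in_str and ch in "()":
            depth += 1 if ch == "(" else -1
            if depth == 0:
                return i
    return -1

def rewrite_vcl(vcl):
    """Return (rewritten VCL, [(line_no, function, rewritten)]) for live calls."""
    out, findings = [], []
    for no, line in enumerate(vcl.splitlines(), 1):
        code, comment = split_comment(line)
        pos = 0
        while (m := CALL.search(code, pos)):
            end = closing_paren(code, m.end() - 1)
            findings.append((no, m.group(1), end != -1))
            if end == -1:  # call continues on the next line: flag for manual edit
                break
            new = "blob.transcode(%s, IDENTITY, encoded=%s)" % (
                AFFECTED[m.group(1)], code[m.end():end].strip())
            code = code[:m.start()] + new + code[end + 1:]
            pos = m.start() + 1  # rescan the argument for nested calls
        out.append(code + comment)
    text = "\n".join(out)
    if findings and not re.search(r"^[ \t]*import\s+blob\s*;", text, re.M):
        text = re.sub(r"^([ \t]*)(import\s+digest\s*;)", r"\1import blob;\n\1\2",
                      text, count=1, flags=re.M)  # keep digest for its hash functions
    return text, findings
```

An empty findings list means the text contains no live use of the affected functions; any entry whose third field is False needs a manual edit.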

Timeline

2023-08-09

  • A customer let us know that they received detailed information about a “Varnish base64 vulnerability” from an external party. This information was attached to an NDA, which unfortunately made it impossible for our customer to share any details with Varnish Software or the Varnish Cache project. Based on this limited information, we started a search for a potential vulnerability.

2023-08-10

  • A vulnerability is identified in vmod-digest.

2023-08-11

  • Preliminary patch set to address the issue is developed.

2023-08-14

  • Varnish Software released Varnish Enterprise version 6.0.11r5 to address the issue.

2023-08-15

  • Varnish Software prepared patches for the various open source upstream git branches for vmod-digest.

2023-08-16

  • We managed to establish contact with the external party that shared the information initially. We will use this opportunity to ensure that the handling of similar issues in the future is conducted according to best practices.

2023-08-17

  • Public disclosure released and patches pushed to the vmod-digest FOSS repository.
