When using the MSE4 cache storage engine (stevedore) in versions prior to 6.0.13r13, Varnish Enterprise contains a buffer overflow vulnerability. It is triggered when handling range requests on ephemeral (non-persisted) objects stored in the MSE4 stevedore, and may cause arbitrary data from the Varnish Enterprise server's memory address space to be sent as response bytes to incoming client requests.
The vulnerability is caused by an incorrect buffer boundary calculation when handling range requests for starting byte offsets that happen to be in the middle of a buffer. A set of bytes (with length limited to the buffer size) from addresses after the object buffer may then be sent as regular response bytes to the request.
Note that this vulnerability only applies to instances of Varnish Enterprise that are configured to use the MSE4 stevedore. MSE4 is the newest iteration of the Massive Storage Engine component in Varnish Enterprise. Only setups that have been specifically configured to use MSE4 (noted by a -s mse4 argument to varnishd) are vulnerable.
The primary risk of this vulnerability is information leakage, where unintended bytes from the address space of the Varnish Enterprise server are sent out as response bytes to a connecting client.
Due to the layout and allocation sizes used for memory buffers in MSE4, the unintended response bytes will most likely consist of cached content from other unrelated objects that happen to be allocated at consecutive addresses after the requested object in the virtual address space of the process. The unintended bytes may, however, also come from any internal data structure, including TLS certificates.
During our analysis we have not found any effective means for an attacker to control where in the address space of the server the unintended bytes are picked from, making it hard to create a tailored attack using the vulnerability to get access to specific content.
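The following is an added, illustrative model of the bug class described in the two passages above (the boundary calculation that ignores the start offset, and the leakage of a neighbouring object's bytes). It is not Varnish Enterprise or MSE4 code, and every name in it (arena, obj_a, obj_b, range_copy_buggy, range_copy_fixed) is a hypothetical stand-in. A single flat array plays the role of the process address space, with two cached objects laid out back to back; the buggy handler derives its byte count from the buffer length alone and so returns up to 'start' bytes of the neighbour, while the fixed handler stops at the end of the requested object.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Illustrative model only: NOT Varnish Enterprise / MSE4 code.
 * One flat "arena" stands in for the process address space. Two
 * constructed objects sit back to back in it, the way unrelated cached
 * objects can end up at consecutive addresses. */
#define OBJ_SIZE   16
#define ARENA_SIZE 64

/* Constructed sample content: the requested object followed by a
 * neighbour that stands in for any other cached object. */
static unsigned char arena[ARENA_SIZE] = "REQUESTED-OBJ-A!NEIGHBOUR-OBJ-B!";

struct obj {
    size_t off;   /* where the object's buffer starts inside the arena */
    size_t len;   /* number of valid bytes in that buffer */
};

static const struct obj obj_a = { 0, OBJ_SIZE };        /* requested */
static const struct obj obj_b = { OBJ_SIZE, OBJ_SIZE }; /* innocent neighbour */

typedef size_t (*range_fn)(const struct obj *, size_t, size_t,
                           unsigned char *, size_t);

/* Keep the model itself memory safe: never read outside the arena. */
static size_t clamp_to_arena(size_t pos, size_t n)
{
    if (pos >= ARENA_SIZE) return 0;
    return n > ARENA_SIZE - pos ? ARENA_SIZE - pos : n;
}

/* Buggy variant: the remaining length is taken from the buffer length
 * alone, so a range starting in the middle of the buffer copies up to
 * 'start' bytes past its end. The overrun is bounded by the buffer size. */
size_t range_copy_buggy(const struct obj *o, size_t start, size_t want,
                        unsigned char *out, size_t outsz)
{
    if (start > o->len) return 0;
    size_t remaining = o->len;                  /* BUG: ignores 'start' */
    size_t n = want < remaining ? want : remaining;
    if (n > outsz) n = outsz;
    n = clamp_to_arena(o->off + start, n);
    memcpy(out, arena + o->off + start, n);
    return n;
}

/* Fixed variant: count only what is really left after the start offset. */
size_t range_copy_fixed(const struct obj *o, size_t start, size_t want,
                        unsigned char *out, size_t outsz)
{
    if (start > o->len) return 0;
    size_t remaining = o->len - start;          /* correct boundary */
    size_t n = want < remaining ? want : remaining;
    if (n > outsz) n = outsz;
    n = clamp_to_arena(o->off + start, n);
    memcpy(out, arena + o->off + start, n);
    return n;
}

/* Number of response bytes for "Range: bytes=start-" on obj_a that come
 * from outside obj_a's buffer. Zero means no leak. */
size_t bytes_leaked(range_fn handler, size_t start, size_t want)
{
    unsigned char out[ARENA_SIZE];
    size_t n = handler(&obj_a, start, want, out, sizeof out);
    size_t in_bounds = start <= obj_a.len ? obj_a.len - start : 0;
    return n > in_bounds ? n - in_bounds : 0;
}

/* 1 if the handler's response for obj_a equals 'expected' exactly. */
int response_matches(range_fn handler, size_t start, size_t want,
                     const char *expected)
{
    unsigned char out[ARENA_SIZE];
    size_t n = handler(&obj_a, start, want, out, sizeof out);
    return n == strlen(expected) && memcmp(out, expected, n) == 0;
}

int main(void)
{
    unsigned char out[ARENA_SIZE];
    size_t n = range_copy_buggy(&obj_a, 8, OBJ_SIZE, out, sizeof out);
    printf("buggy : %zu bytes: %.*s\n", n, (int)n, out);
    n = range_copy_fixed(&obj_a, 8, OBJ_SIZE, out, sizeof out);
    printf("fixed : %zu bytes: %.*s\n", n, (int)n, out);
    printf("leaked: %zu bytes of obj_b at arena offset %zu\n",
           bytes_leaked(range_copy_buggy, 8, OBJ_SIZE), obj_b.off);
    return 0;
}
```

With a range starting at byte 8 of the 16-byte object, the buggy handler returns 16 bytes: the last 8 bytes of the requested object followed by the first 8 bytes of its neighbour, which is exactly the "unintended bytes from consecutive addresses" effect described above. A range starting at offset 0 leaks nothing in either variant, which is why only ranges starting inside the buffer are affected.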
The vulnerability has been given a severity rating of high.
The recommended solution is to upgrade Varnish to one of the versions where this issue has been resolved, and then ensure that Varnish is restarted.
If it is inconvenient to update the Varnish Enterprise server to version 6.0.13r13, it is possible to apply a workaround in VCL. This workaround will disable range handling for cache hits on ephemeral objects in the cache. Please note that this will cause the Varnish Enterprise server to answer with a 200 (OK) status and the complete response body, instead of a 206 (Partial Content) response. This will cause an increase in response size for range requests.
To apply this workaround, first add import mse4; and import utils; statements at the top of the VCL configuration (if needed) to import the MSE4 control VMOD and the utility VMOD. Then add or edit the vcl_hit function with the following:

sub vcl_hit {
    # Disable range requests for hits on MSE4 ephemeral (non-persisted)
    # objects. Such requests are answered with a 200 and the whole body
    # instead of a 206 partial response.
    if (mse4.is_mse4() && !mse4.get_location(BOOK)) {
        utils.http_range_support(false);
    }
}
2025-02-07
2025-02-11
2025-02-14
2025-03-18