SearchA request smuggling attack can be performed on Varnish Cache and Varnish Cache Plus servers that have the HTTP/2 protocol enabled. The smuggled requests do not go through normal VCL processing, and any authorization steps implemented in VCL would be bypassed.
The responses to the smuggled requests can under some circumstances also be obtained by the attacker. Also, it may be possible for an attacker to use this for cache poisoning, where the response to a smuggled request is inserted as the cached content.
This problem was discovered by Martin Blix Grydeland of Varnish Software.
The potential impact is information disclosure and cache poisoning.
The recommended solution is to upgrade Varnish to one of the versions where this issue has been resolved, and then ensure that Varnish is restarted.
You should already have configured the Varnish Enterprise repository, so a normal upgrade will be enough:
sudo yum update varnish-plus
sudo systemctl restart varnish
Verify that the version that is installed is recent:
rpm -q varnish-plus
varnish-plus-6.0.8r3-1.el7.x86_64
You should already have configured the Varnish Enterprise repository, so a normal upgrade should be enough:
sudo apt-get update
sudo apt-get install --only-upgrade varnish-plus
sudo systemctl restart varnish
Verify that the version that is installed is recent:
dpkg -l varnish-plus
[...]
ii varnish-plus 6.0.8r3-1~xenial amd64 A supercharged version of the popular web cache, Varnish Cache
The problem only affects servers that have HTTP/2 support enabled. This support can be turned off at runtime. To disable HTTP/2 on a server do:
sudo varnishadm param.set feature -http2
To verify that HTTP/2 is disabled on a server, execute this command and
make sure the current value does not list http2:
sudo varnishadm param.show feature
When using in-core TLS termination, this will also remove h2 as a
supported protocol advertised through ALPN.
When using Hitch (or any other TLS termination proxy) in front of Varnish
to handle TLS termination, it is also necessary unlist the h2 token as a
possible protocol in the ALPN advertisement sent to connecting clients.
To unlist h2 as a support protocol in Hitch, remove or comment out the
line stating alpn-protos = "h2, http/1.1" in your Hitch configuration
file. Then restart the Hitch service (reload is not sufficient).
On compliant backends it is possible to prevent the execution of smuggled
requests by disabling connection reuse of backend requests. Note that for
this workaround to be effective, it relies on the backend to refuse any
additional requests after seeing a Connection: close header.
To disable backend connection reuse, add a Connection: close header on
the outgoing backend requests:
sub vcl_backend_fetch {
set bereq.http.Connection = "close";
}
Smuggled requests will not show in any logs generated by Varnish, but
would show in the backend logs. It may be possible to identify the
smuggled requests in the backend logs by missing Varnish inserted
artifacts, like the X-Varnish header. Though a determined attacker may
spoof these artifacts in the smuggled requests.
2021-05-31
2021-06-11
2021-06-15
2021-07-13