Search

Varnish HTTP/2 Request Forgery Security

Published November 8, 2022.

A request forgery attack can be performed on Varnish Cache and Varnish Cache Plus servers that have the HTTP/2 protocol turned on. An attacker may introduce characters through the HTTP/2 pseudo-headers that are invalid in the context of an HTTP/1 request line, causing the Varnish server to produce invalid HTTP/1 requests to the backend. This may in turn be used to successfully exploit vulnerabilities in a server behind the Varnish server.

This problem was discovered and reported to us by Martin van Kervel Smedshammer, Graduate Student at the University of Oslo. We wish to thank him for the responsible disclosure.

Versions affected

The potential impact is request forgery towards the backend.

Status

Affected software versions

  • Varnish Cache Plus 6.0 series up to and including 6.0.10r2.
  • Varnish Cache 6.0 LTS series up to and including 6.0.10.
  • Varnish Cache releases 5.x, 6.x, 7.0.x, 7.1.0, 7.1.1, 7.2.0.

Resolved in

  • Varnish Cache Plus 6.0.10r3 (released 2022-10-05)
  • Varnish Cache 6.0 LTS version 6.0.11 (released 2022-11-08)
  • Varnish Cache 7.2.1 (released 2022-11-08)
  • Varnish Cache 7.1.2 (released 2022-11-08)

Solution

The recommended solution is to upgrade Varnish to one of the versions where this issue has been resolved, and then ensure that Varnish is restarted.

Upgrading on RedHat and derivatives

You should already have configured the Varnish Cache Plus repository, so a normal upgrade will be enough:

$ sudo yum update varnish-plus
$ sudo systemctl restart varnish

Verify that the version that is installed is recent:

$ rpm -q varnish-plus
varnish-plus-6.0.10r3-1.el7.x86_64

Upgrading on Ubuntu and Debian

You should already have configured the Varnish Cache Plus repository, so a normal upgrade should be enough:

$ sudo apt-get update
$ sudo apt-get install --only-upgrade varnish-plus
$ sudo systemctl restart varnish

Verify that the version that is installed is recent:

$ dpkg -l varnish-plus
[...]
ii  varnish-plus                6.0.10r3-1~xenial   amd64              A supercharged version of the popular web cache, Varnish Cache

Workaround

If upgrading Varnish is not possible, it is possible to mitigate the problem by adding the following snippet at the beginning of the vcl_recv VCL function:

sub vcl_recv {
  if (req.url ~ "(^$)|[ \t]+" || req.method ~ "(^$)|[ \t]+") {
    return (synth(400));
  }
}

This VCL statement would test if the VCL variables filled in from incoming HTTP/2 pseudo-headers contains any of the problematic characters, and answer with a 400 “Bad request” synthetic response if found.

Timeline

2022-09-25

  • Original reporter contacts the security contacts of the Varnish Cache project about potential problems.

2022-09-26

  • Problem is confirmed.

2022-10-04

  • Varnish Software released patched Varnish Cache Plus version 6.0.10r3 to address the issue.

2022-11-08

  • Public disclosure and updated open source packages.

References