A base64 decoding vulnerability has been discovered in vmod-digest.
This problem was discovered by an external party and not reported responsibly to Varnish Software or the Varnish Cache project. Since we don’t know exactly how widespread the knowledge about this vulnerability is, we have acted as though it is public knowledge or at least easily available. This warranted a fast-tracked process between discovery and disclosure.
The vulnerability can lead to authentication bypass and to information disclosure; the exact exposure depends on the particular VCL configuration in use.
A common use of vmod-digest is decoding the credentials of HTTP Basic authentication, in which case an attacker may be able to circumvent the authentication check. If the decoded string is made visible to the attacker in some way (for example, if the result of the decoding is copied into a response header), there is additionally the potential for information disclosure, since the decoder can read workspace data outside the input it was given.
Note that the vulnerability is only exploitable if vmod-digest is loaded and one of the base64 decoding functions it provides is actually called from the VCL; importing the module, or using only its other functions, does not expose the issue.
The recommended solution is to upgrade vmod-digest to one of the versions where this issue has been resolved and then make sure that Varnish is restarted, so that the running process loads the fixed module. For Varnish Enterprise, this is done as follows.
On RPM-based systems (yum), the Varnish Enterprise repository should already be configured, so a normal upgrade is enough:
$ sudo yum update varnish-plus
$ sudo systemctl restart varnish
On Debian-based systems (apt), the Varnish Enterprise repository should likewise already be configured, so a normal upgrade is enough:
$ sudo apt-get update
$ sudo apt-get install --only-upgrade varnish-plus
$ sudo systemctl restart varnish
If upgrading Varnish is not possible, the vulnerability can be mitigated with a VCL-based workaround.
Vmod-blob also implements base64 decoding, and that implementation is not affected by the issue in vmod-digest. The workaround is to change every VCL construct that uses vmod-digest for base64 decoding into the equivalent vmod-blob construct. The rest of vmod-digest (for example its hashing functions) can stay in use, since only the decoding functions are affected.
There are 3 affected functions in vmod-digest, each decoding a different variant of base64: digest.base64_decode, digest.base64url_decode and digest.base64url_nopad_decode. Each invocation of these functions in the VCL needs to be changed into the corresponding vmod-blob construct.
The following examples show how to rewrite the VCL configuration; each commented-out usage of vmod-digest is followed by the equivalent construct using vmod-blob (the decoding enum of blob.transcode selects the base64 variant, and IDENTITY as the encoding returns the decoded bytes unchanged):
import blob;
sub vcl_recv {
    # set req.http.decoded = digest.base64_decode(req.http.encoded);
    set req.http.decoded = blob.transcode(BASE64, IDENTITY, encoded=req.http.encoded);
    # set req.http.decoded = digest.base64url_decode(req.http.encoded);
    set req.http.decoded = blob.transcode(BASE64URL, IDENTITY, encoded=req.http.encoded);
    # set req.http.decoded = digest.base64url_nopad_decode(req.http.encoded);
    set req.http.decoded = blob.transcode(BASE64URLNOPAD, IDENTITY, encoded=req.http.encoded);
}
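To find every affected call in a larger VCL code base and apply the same rewrite mechanically, the following Python script is added here as an illustration; it is not part of the advisory and not tooling from Varnish Software. It locates each call to the three affected vmod-digest functions (reporting the line number and the argument expression), rewrites each one to the blob.transcode form shown above, and adds `import blob;` if the VCL lacks it. The sample VCL it runs on is constructed for this example and shows the HTTP Basic authentication pattern the advisory mentions. Assumptions: VCL strings are plain double-quoted strings (the {"..."} long-string form is not handled), and comments are not distinguished, so a commented-out usage is flagged and rewritten as well, which is harmless.

```python
import re

# The three affected vmod-digest decoders and the vmod-blob decoding enum
# that replaces each of them (the mapping from the advisory's workaround).
DIGEST_TO_BLOB = {
    "base64_decode": "BASE64",
    "base64url_decode": "BASE64URL",
    "base64url_nopad_decode": "BASE64URLNOPAD",
}

# Matches "digest.<affected function>(" up to and including the opening paren.
CALL_RE = re.compile(
    r"\bdigest\.(base64_decode|base64url_decode|base64url_nopad_decode)\s*\("
)


def _matching_paren(text, open_idx):
    """Index of the ')' that closes the '(' at text[open_idx].

    Tracks nesting so arguments such as regsub(...) are handled, and skips
    over double-quoted string literals. Assumption: plain "..." VCL strings
    only; {"..."} long strings are not handled.
    """
    depth = 0
    in_string = False
    for i in range(open_idx, len(text)):
        c = text[i]
        if in_string:
            if c == '"':
                in_string = False
        elif c == '"':
            in_string = True
        elif c == "(":
            depth += 1
        elif c == ")":
            depth -= 1
            if depth == 0:
                return i
    raise ValueError("unbalanced parentheses at offset %d" % open_idx)


def find_affected_calls(vcl):
    """Return [(line_number, function_name, argument_text), ...] for every
    call to an affected vmod-digest decoder in the given VCL text."""
    found = []
    for m in CALL_RE.finditer(vcl):
        open_idx = m.end() - 1
        close_idx = _matching_paren(vcl, open_idx)
        arg = vcl[open_idx + 1:close_idx].strip()
        line_no = vcl.count("\n", 0, m.start()) + 1
        found.append((line_no, m.group(1), arg))
    return found


def rewrite_to_blob(vcl):
    """Replace each affected call with blob.transcode(<ENUM>, IDENTITY,
    encoded=<arg>) and add 'import blob;' if it is missing.
    Returns (rewritten_vcl, number_of_calls_rewritten)."""
    pieces, pos, count = [], 0, 0
    while True:
        m = CALL_RE.search(vcl, pos)
        if m is None:
            break
        open_idx = m.end() - 1
        close_idx = _matching_paren(vcl, open_idx)
        arg = vcl[open_idx + 1:close_idx].strip()
        pieces.append(vcl[pos:m.start()])
        pieces.append("blob.transcode(%s, IDENTITY, encoded=%s)"
                      % (DIGEST_TO_BLOB[m.group(1)], arg))
        pos = close_idx + 1
        count += 1
    pieces.append(vcl[pos:])
    new_vcl = "".join(pieces)
    if count and not re.search(r"^\s*import\s+blob\s*;", new_vcl, re.M):
        # Put the new import after the first existing import line, else first.
        first_import = re.search(r"^\s*import\s+[^;]+;[^\n]*$", new_vcl, re.M)
        if first_import:
            new_vcl = (new_vcl[:first_import.end()] + "\nimport blob;"
                       + new_vcl[first_import.end():])
        else:
            new_vcl = "import blob;\n" + new_vcl
    return new_vcl, count


# Constructed sample VCL showing the "basic auth" pattern from the advisory.
SAMPLE_VCL = """vcl 4.1;
import digest;

sub vcl_recv {
    if (req.http.Authorization ~ "^Basic ") {
        set req.http.X-Auth = digest.base64_decode(regsub(req.http.Authorization, "^Basic ", ""));
    }
    set req.http.X-Token = digest.base64url_nopad_decode(req.http.X-Token-B64);
}
"""

if __name__ == "__main__":
    for line_no, fn, arg in find_affected_calls(SAMPLE_VCL):
        print("line %d: digest.%s(%s)" % (line_no, fn, arg))
    fixed, n = rewrite_to_blob(SAMPLE_VCL)
    print("rewrote %d call(s):\n%s" % (n, fixed))
```

The script deliberately leaves `import digest;` in place: the advisory only implicates the three decoding functions, so a VCL that also uses vmod-digest for hashing keeps working after the rewrite. Review the output before loading it, and restart (not just reload) Varnish once the upgraded module is installed.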
Timeline:
2023-08-09
2023-08-10
2023-08-11
2023-08-14
2023-08-15
2023-08-16
2023-08-17