Bug 579533 (CVE-2009-2936)

Summary: CVE-2009-2936 Varnish reverse proxy flaw
Product: [Other] Security Response
Reporter: Josh Bressers <bressers>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: ingvar, jrusnack
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-11-28 00:12:17 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 579536
Bug Blocks:

Description Josh Bressers 2010-04-05 18:50:09 UTC
** DISPUTED ** The Command Line Interface (aka Server CLI or
administration interface) in the master process in the reverse proxy
server in Varnish before 2.1.0 does not require authentication for
commands received through a TCP port, which allows remote attackers to
(1) execute arbitrary code via a vcl.inline directive that provides a
VCL configuration file containing inline C code; (2) change the
ownership of the master process via param.set, stop, and start
directives; (3) read the initial line of an arbitrary file via a
vcl.load directive; or (4) conduct cross-site request forgery (CSRF)
attacks that leverage a victim's location on a trusted network and
improper input validation of directives. NOTE: the vendor disputes
this report, saying that it is "fundamentally misguided and
pointless."

Reference: BUGTRAQ:20100329 Medium security hole in Varnish reverse proxy
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/510360/100/0/threaded
Reference: BUGTRAQ:20100329 Re: [Full-disclosure] Medium security hole in Varnish reverse proxy
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/510368/100/0/threaded
Reference: MISC:http://www.varnish-cache.org/changeset/3865
Reference: MISC:http://www.varnish-cache.org/wiki/CLI

Comment 3 Fedora Update System 2010-04-15 13:00:16 UTC
varnish-2.1.0-2.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/varnish-2.1.0-2.fc13

Comment 4 Ingvar Hagelund 2014-11-28 00:12:17 UTC
This was fixed for epel6+ and fedora a long time ago.

For varnish-2.0.6 on epel5, this "bug" is not available for remote attacks. The default configuration delivered for varnish on epel5 makes the admin port only available on 127.0.0.1 and ::1. To enable remote access, a varnish system admin will have to actively change the admin interface to a remotely available address and port.

Local users will still be able to access and change varnish as described without authorization.

As upstream disputes that this actually is a real world problem, I'm not going to do anything more on this bug, unless explicitly requested.

(If there are real world users with varnish on el5 systems, they are probably using a newer version of varnish already anyway.)

Ingvar
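Comment 4 turns on where the management interface is bound: the epel5 default keeps it on 127.0.0.1/::1, and exposure only arises if an admin rebinds it to a reachable address. The following is an added example (not part of the bug report or the Varnish project) of a configuration audit that classifies a varnishd command line by that criterion. It assumes the real varnishd options `-T` (management listen address) and `-S` (CLI secret file, added in 2.1.0); the sample command lines are constructed.

```python
import ipaddress
import shlex

# Constructed sample varnishd command lines (not taken from the bug report).
EPEL5_DEFAULT = ("varnishd -a :6081 -T 127.0.0.1:6082 -f /etc/varnish/default.vcl "
                 "-s file,/var/lib/varnish/varnish_storage.bin,1G")
REMOTE_ADMIN = "varnishd -a :6081 -T 0.0.0.0:6082 -f /etc/varnish/default.vcl"
REMOTE_WITH_SECRET = "varnishd -a :6081 -T 10.0.0.5:6082 -S /etc/varnish/secret -f /etc/varnish/default.vcl"


def parse_opts(cmdline):
    """Return a dict of the -T and -S option values found on a varnishd command line."""
    argv = shlex.split(cmdline)
    opts = {}
    i = 0
    while i < len(argv):
        tok = argv[i]
        if tok in ("-T", "-S") and i + 1 < len(argv):      # "-T addr:port"
            opts[tok] = argv[i + 1]
            i += 2
        elif tok.startswith(("-T", "-S")) and len(tok) > 2:  # "-Taddr:port"
            opts[tok[:2]] = tok[2:]
            i += 1
        else:
            i += 1
    return opts


def admin_is_loopback(listen):
    """True only if the management address binds a loopback interface."""
    host, _, _ = listen.rpartition(":")
    host = host.strip("[]")          # allow "[::1]:6082"
    if host in ("", "*"):
        return False                 # empty host means all interfaces
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host == "localhost"


def assess(cmdline):
    """Classify CLI exposure: no-T-option, local-only, remote-authenticated, remote-unauthenticated."""
    opts = parse_opts(cmdline)
    if "-T" not in opts:
        return "no-T-option"
    if admin_is_loopback(opts["-T"]):
        return "local-only"
    return "remote-authenticated" if "-S" in opts else "remote-unauthenticated"
```

The "remote-unauthenticated" result is the pre-2.1.0 exposure described in the CVE text; "local-only" matches the epel5 default that Comment 4 describes, where only local users can reach the CLI.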