Bug 579533 (CVE-2009-2936) - CVE-2009-2936 Varnish reverse proxy flaw
Summary: CVE-2009-2936 Varnish reverse proxy flaw
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2009-2936
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 579536
Blocks:
Reported: 2010-04-05 18:50 UTC by Josh Bressers
Modified: 2019-09-29 12:36 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-11-28 00:12:17 UTC
Embargoed:



Description Josh Bressers 2010-04-05 18:50:09 UTC
** DISPUTED ** The Command Line Interface (aka Server CLI or
administration interface) in the master process in the reverse proxy
server in Varnish before 2.1.0 does not require authentication for
commands received through a TCP port, which allows remote attackers to
(1) execute arbitrary code via a vcl.inline directive that provides a
VCL configuration file containing inline C code; (2) change the
ownership of the master process via param.set, stop, and start
directives; (3) read the initial line of an arbitrary file via a
vcl.load directive; or (4) conduct cross-site request forgery (CSRF)
attacks that leverage a victim's location on a trusted network and
improper input validation of directives. NOTE: the vendor disputes
this report, saying that it is "fundamentally misguided and
pointless."

Reference: BUGTRAQ:20100329 Medium security hole in Varnish reverse proxy
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/510360/100/0/threaded
Reference: BUGTRAQ:20100329 Re: [Full-disclosure] Medium security hole in Varnish reverse proxy
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/510368/100/0/threaded
Reference: MISC:http://www.varnish-cache.org/changeset/3865
Reference: MISC:http://www.varnish-cache.org/wiki/CLI

Comment 3 Fedora Update System 2010-04-15 13:00:16 UTC
varnish-2.1.0-2.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/varnish-2.1.0-2.fc13

Comment 4 Ingvar Hagelund 2014-11-28 00:12:17 UTC
This was fixed for epel6+ and fedora a long time ago.

For varnish-2.0.6 on epel5, this "bug" is not available for remote attacks. The default configuration delivered for varnish on epel5 makes the admin port only available on 127.0.0.1 and ::1. To enable remote access, a varnish system admin will have to actively change the admin interface to a remotely available address and port.

Local users will still be able to access and change varnish as described without authorization.

As upstream disputes that this actually is a real world problem, I'm not going to do anything more on this bug, unless explicitly requested.

(If there are real world users with varnish on el5 systems, they are probably using a newer version of varnish already anyway.)

Ingvar
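
Added example (not part of this bug report and not Varnish project code): a Python audit that classifies a varnishd command line by where the management CLI listens (`-T`) and whether a secret file (`-S`) is configured for CLI authentication. It assumes both options appear explicitly on the command line; the sample command lines, port and file paths are constructed.

```python
import ipaddress
import shlex

def split_listen(spec):
    """Return the host part of a -T value ("host:port", "[v6]:port", ":port")."""
    if spec.startswith("["):                 # bracketed IPv6 literal
        return spec[1:].partition("]")[0]
    return spec.rpartition(":")[0] if ":" in spec else spec

def scope_of(host):
    """Classify a CLI listen host as 'loopback' or 'network'."""
    if host == "localhost":
        return "loopback"
    try:
        return "loopback" if ipaddress.ip_address(host).is_loopback else "network"
    except ValueError:
        # An empty host (":6082") binds every interface; other names are
        # treated as reachable because they cannot be resolved offline.
        return "network"

def audit(cmdline):
    """Return (scope, authenticated) for one varnishd command line.

    scope is 'not-set', 'loopback' or 'network'; authenticated is True
    when a -S secret file is configured.
    """
    opts = {}
    args = iter(shlex.split(cmdline))
    for arg in args:
        if arg[:2] in ("-T", "-S"):          # accepts "-T value" and "-Tvalue"
            opts[arg[:2]] = arg[2:] or next(args, "")
    scope = scope_of(split_listen(opts["-T"])) if "-T" in opts else "not-set"
    return scope, bool(opts.get("-S"))

# Constructed sample command lines (assumptions, not taken from the report).
SAMPLES = [
    "varnishd -a :80 -T 127.0.0.1:6082 -f /etc/varnish/default.vcl",
    "varnishd -a :80 -T :6082 -f /etc/varnish/default.vcl",
    "varnishd -a :80 -T [::1]:6082 -S /etc/varnish/secret",
    "varnishd -a :80 -T192.0.2.10:6082 -S /etc/varnish/secret",
]

if __name__ == "__main__":
    for line in SAMPLES:
        scope, authed = audit(line)
        flag = "ok" if authed else "REVIEW"
        print(f"{flag:6} scope={scope:8} secret={authed}  {line}")
```

A loopback listener without a secret is still flagged for review, matching the comment above that local users can reach the CLI without authorization.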

