** DISPUTED ** The Command Line Interface (aka Server CLI or administration interface) in the master process in the reverse proxy server in Varnish before 2.1.0 does not require authentication for commands received through a TCP port, which allows remote attackers to (1) execute arbitrary code via a vcl.inline directive that provides a VCL configuration file containing inline C code; (2) change the ownership of the master process via param.set, stop, and start directives; (3) read the initial line of an arbitrary file via a vcl.load directive; or (4) conduct cross-site request forgery (CSRF) attacks that leverage a victim's location on a trusted network and improper input validation of directives. NOTE: the vendor disputes this report, saying that it is "fundamentally misguided and pointless."
Reference: BUGTRAQ:20100329 Medium security hole in Varnish reverse proxy
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/510360/100/0/threaded
Reference: BUGTRAQ:20100329 Re: [Full-disclosure] Medium security hole in Varnish reverse proxy
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/510368/100/0/threaded
Reference: MISC:http://www.varnish-cache.org/changeset/3865
Reference: MISC:http://www.varnish-cache.org/wiki/CLI
varnish-2.1.0-2.fc13 has been submitted as an update for Fedora 13. http://admin.fedoraproject.org/updates/varnish-2.1.0-2.fc13
This was fixed for epel6+ and Fedora a long time ago. For varnish-2.0.6 on epel5, this "bug" is not available for remote attacks. The default configuration delivered for varnish on epel5 makes the admin port available only on 127.0.0.1 and ::1. To enable remote access, a varnish system admin will have to actively change the admin interface to a remotely available address and port. Local users will still be able to access and change varnish as described, without authorization. As upstream disputes that this actually is a real-world problem, I'm not going to do anything more on this bug unless explicitly requested. (If there are real-world users with varnish on el5 systems, they are probably using a newer version of varnish already anyway.)
Ingvar
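The following is an added example written for this entry; it is not part of the CVE text, of the Bugzilla comments, or of Varnish itself. It probes a management (-T) port the way the report describes, by connecting over TCP and issuing a command, and reports whether the server demands authentication (the behaviour added in 2.1.0 via the -S secret file, which announces itself with a 107 response on connect) or simply answers (the pre-2.1.0 behaviour, where vcl.inline, param.set, stop and start would be accepted just as readily). It assumes the Varnish CLI wire format of a "<status> <length>" line, <length> bytes of body and a terminating newline, status 107 meaning "authentication required", and "ping" being answered with "PONG <time> 1.0" under status 200; the sample responses at the bottom are constructed, not captured. Running it from a host other than the Varnish server is also the quickest way to confirm the point made in the epel5 comment above, namely that the admin port really is bound only to 127.0.0.1 and ::1: the connection should be refused.

```python
"""
Probe a Varnish management (-T) port and report whether it answers CLI
commands without authentication.

Added example for this bug entry, not part of the CVE text or of Varnish.
Assumptions: CLI wire format "<status> <length>\n" + <length> body bytes
+ "\n"; status 107 = authentication required (varnishd started with -S);
"ping" answered with "PONG <time> 1.0" under status 200.
"""
import re
import socket

CLIS_OK = 200
CLIS_AUTH = 107


def parse_cli_response(raw):
    """Split one CLI response into (status, body).

    Raises ValueError when the status line is malformed or the body is
    shorter than the announced length, so a half-read socket is never
    mistaken for a valid answer.
    """
    header, sep, rest = raw.partition(b"\n")
    m = re.fullmatch(rb"(\d{3}) +(\d+) *", header)
    if not sep or m is None:
        raise ValueError("not a CLI status line: %r" % header)
    status, length = int(m.group(1)), int(m.group(2))
    if len(rest) < length:
        raise ValueError("truncated body: announced %d bytes, got %d"
                         % (length, len(rest)))
    return status, rest[:length].decode("ascii", "replace")


def assess(banner, ping_reply):
    """Classify a CLI endpoint from what it sent on connect and in reply
    to "ping".  Returns "auth-required", "open" or "unknown"."""
    if banner:
        status, _ = parse_cli_response(banner)
        if status == CLIS_AUTH:
            return "auth-required"  # -S in effect: the 2.1.0 behaviour
    if ping_reply:
        status, body = parse_cli_response(ping_reply)
        if status == CLIS_OK and body.startswith("PONG"):
            return "open"  # any command, vcl.inline included, is accepted
    return "unknown"


def _recv(sock):
    """Read until the peer stops sending (varnishd keeps the connection
    open, so the read ends on the socket timeout)."""
    chunks = []
    try:
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    except socket.timeout:
        pass
    return b"".join(chunks)


def probe(host, port=6082, timeout=3.0):
    """Connect to host:port, read any banner, send "ping" and classify.
    Run from a different machine to verify the admin port is really bound
    to 127.0.0.1/::1 only (the connection should then be refused)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        banner = _recv(sock)
        sock.sendall(b"ping\n")
        reply = _recv(sock)
    return assess(banner, reply)


# Constructed sample responses (not captured from a real server).
CHALLENGE = "0123456789abcdef0123456789abcdef"  # 32-char challenge
AUTH_BANNER = ("107 59\n" + CHALLENGE
               + "\n\nAuthentication required.\n\n").encode()
PONG_REPLY = b"200 19\nPONG 1269890000 1.0\n"

if __name__ == "__main__":
    print(assess(AUTH_BANNER, b""))  # auth-required
    print(assess(b"", PONG_REPLY))   # open
```

The parser insists on the announced body length so that a connection that drops mid-reply is reported as an error rather than as "unknown" or, worse, "open"; the "ping" command is used because it is harmless on every Varnish version, unlike the directives the report lists.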