Message-ID: <CAOGQQ29AS8yQ+QxxWhuMhV0u9G6745Ra6FERTq-XyuWB6J0J-g@mail.gmail.com>
Date: Tue, 13 May 2025 14:01:22 -0300
From: Marco Benatto <mbenatto@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: VSV00016: Varnish Cache 6.0, 7.6, 7.7 - Request Smuggling Attack

Hello Asad,

Is any CVE already assigned after the announcement was sent? If not, I can provide a CVE identifier if needed.

Thanks,

Marco Benatto
Red Hat Product Security
secalert@...hat.com for urgent response

On Tue, May 13, 2025 at 12:23 PM Asad Ahmed <asadsa@...nish-software.com> wrote:
>
> Hello there,
>
> We released Varnish Cache 7.7.1, 7.6.3, and 6.0.14 yesterday (sorry for the
> delay).
>
> These releases fix a vulnerability reported to us, which got the name
> VSV00016.
>
> *CVE*: Not assigned yet, expect a follow-up here.
>
> A client-side desync vulnerability can be triggered in Varnish Cache. This
> vulnerability can be triggered under specific circumstances involving
> malformed HTTP/1 chunked requests.
>
> An attacker can abuse a flaw in Varnish’s handling of chunked transfer
> encoding which allows certain malformed HTTP/1 requests to exploit improper
> framing of the message body to smuggle additional requests. Specifically,
> Varnish incorrectly permits CRLF to be skipped to delimit chunk boundaries.
>
> Impact <https://varnish-cache.org/security/VSV00016.html#impact>
>
> The primary risk of this vulnerability is enabling HTTP request smuggling
> attacks, which could have consequences for downstream systems. Specifically:
>
> *Cache Poisoning*: A downstream cache positioned in front of Varnish could
> cache incorrect or malicious content if it allows the aforementioned
> malformed HTTP/1 requests to pass through unhandled. This can lead to
> unintended responses being served to users, potentially exposing sensitive
> information or delivering harmful payloads.
>
> *Security Risks*: Bypass of WAF type products downstream from Varnish could
> be achieved if these products are configured to not inspect request bodies
> and in addition allow the aforementioned malformed HTTP/1 requests to pass
> through.
>
> The vulnerability has been given a severity rating of *low/medium*.
>
> Versions affected
> <https://varnish-cache.org/security/VSV00016.html#versions-affected>
>
> - Varnish Cache releases up to and including 7.7.0.
> - Varnish Cache 6.0 LTS series up to and including 6.0.13.
>
> Versions not affected
> <https://varnish-cache.org/security/VSV00016.html#versions-not-affected>
>
> - Varnish Cache 7.7.1 (released 2025-05-12)
> - Varnish Cache 7.6.3 (released 2025-05-12)
> - Varnish Cache 6.0 LTS version 6.0.14 (released 2025-05-12)
>
> Solution <https://varnish-cache.org/security/VSV00016.html#solution>
>
> The recommended solution is to upgrade Varnish to one of the versions where
> this issue has been resolved, and then ensure that Varnish is restarted.
>
> Thankyous and credits
> <https://varnish-cache.org/security/VSV00016.html#thankyous-and-credits>
>
> Ben Kallus at Dartmouth College for finding and reporting the issue to the
> project in a responsible manner.
> Nils Goroll (UPLEX), Dridi Boukelmoune (Varnish Software) and Poul-Henning
> Kamp for the patches.
> Varnish Software for handling this security incident.
>
> References:
>
> - https://varnish-cache.org/security/VSV00016.html#vsv00016
> - https://varnish-cache.org/security/index.html
> - https://varnish-cache.org/lists/pipermail/varnish-announce/2025-May/000767.html
> - https://github.com/varnishcache/varnish-cache
> - https://varnish-cache.org/releases/rel7.7.1.html#rel7-7-1
> - https://varnish-cache.org/releases/rel7.6.3.html#rel7-6-3
> - https://varnish-cache.org/releases/rel6.0.14.html#rel6-0-14
>
> --
> Asad
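The quoted announcement says the flaw is that Varnish "permits CRLF to be skipped to delimit chunk boundaries", which makes two HTTP/1 parsers disagree about where a chunked body ends. The following Python is an added illustration written for this page, not code from the announcement or from the Varnish project, and it does not reproduce Varnish's parser. It puts an RFC 9112 style strict chunked decoder beside a modelled "lenient" decoder that tolerates a missing CRLF after chunk data, then feeds both the same constructed byte string (the `SAMPLE` request and the `/smuggled` request line inside it are made up for the demonstration). The point it makes visible is that the strict decoder rejects the message while the lenient one finishes the body early and leaves the trailing bytes to be read as a second request on the same connection, which is the framing disagreement smuggling relies on.

```python
"""Strict vs. lenient HTTP/1 chunked-body framing (constructed illustration).

Not Varnish code. The 'lenient' mode models the behaviour the VSV00016
announcement describes (CRLF after chunk data may be skipped); the 'strict'
mode enforces the RFC 9112 section 7.1 grammar.
"""
import re

# chunk-size [ chunk-ext ] CRLF  (RFC 9112 section 7.1); matched at an offset
_CHUNK_SIZE_LINE = re.compile(rb"([0-9A-Fa-f]+)(?:;[^\r\n]*)?\r\n")


class FramingError(ValueError):
    """Raised when the chunked body does not match the expected framing."""


def decode_chunked(buf: bytes, strict: bool = True) -> tuple[bytes, bytes]:
    """Decode one chunked body from the start of buf.

    Returns (body, remainder). remainder is whatever a connection parser
    would go on to read as the *next* request on the same connection.

    strict=True  requires chunk-data to be followed by CRLF.
    strict=False tolerates a missing CRLF and reads the next chunk-size line
                 immediately after the chunk data (the modelled lenient path).
    """
    pos = 0
    body = bytearray()
    while True:
        m = _CHUNK_SIZE_LINE.match(buf, pos)
        if not m:
            raise FramingError(f"malformed chunk-size line at offset {pos}")
        size = int(m.group(1), 16)
        pos = m.end()
        if size == 0:
            # last-chunk: consume optional trailer fields up to the empty line
            while True:
                eol = buf.find(b"\r\n", pos)
                if eol < 0:
                    raise FramingError("truncated trailer section")
                line, pos = buf[pos:eol], eol + 2
                if line == b"":
                    return bytes(body), buf[pos:]
        data = buf[pos:pos + size]
        if len(data) < size:
            raise FramingError("truncated chunk data")
        body += data
        pos += size
        if buf[pos:pos + 2] == b"\r\n":
            pos += 2
        elif strict:
            raise FramingError(f"chunk data not followed by CRLF at offset {pos}")
        # lenient: fall through and parse the next chunk-size line right here


def split_request(raw: bytes) -> tuple[bytes, bytes]:
    """Split a raw HTTP/1 request into (head, body_bytes) at the first blank line."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise FramingError("no end of header section")
    return head, rest


def framing_outcomes(raw: bytes) -> dict[str, str]:
    """Report what a strict and a lenient decoder each make of one request."""
    _, body_bytes = split_request(raw)
    out = {}
    for name, strict in (("strict", True), ("lenient", False)):
        try:
            body, remainder = decode_chunked(body_bytes, strict=strict)
        except FramingError as e:
            out[name] = f"rejected ({e})"
            continue
        nxt = remainder.split(b"\r\n", 1)[0].decode("ascii", "replace") if remainder else ""
        out[name] = f"body={body!r} next_request_line={nxt!r}"
    return out


# Constructed sample (not a captured exploit): one POST whose only chunk omits
# the CRLF after its data, followed by bytes shaped like a second request.
SAMPLE = (
    b"POST / HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"5\r\nhello"      # chunk-data with its CRLF deliberately missing
    b"0\r\n\r\n"       # last-chunk plus empty trailer section
    b"GET /smuggled HTTP/1.1\r\nHost: example.test\r\n\r\n"
)

if __name__ == "__main__":
    for name, result in framing_outcomes(SAMPLE).items():
        print(f"{name:8s} {result}")
```

Run stand-alone, the strict decoder reports a framing error at the byte where CRLF was expected, while the lenient decoder returns the body `hello` and a remainder whose first line is `GET /smuggled HTTP/1.1`. A front-end component that forwards the malformed request "unhandled", as the announcement puts it, never sees that disagreement; a component that decodes the body strictly would reject the request instead, which is the check to look for when assessing a deployment.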