VSV00003 DoS attack vector
Date: 2019-09-03
An HTTP/1 parsing failure has been uncovered in Varnish Cache that allows a remote attacker to trigger an assert in Varnish Cache by sending specially crafted HTTP/1 requests. The assert causes Varnish to restart automatically with a clean cache, which makes it a Denial of Service attack.
The problem was uncovered by internal testing at Varnish Software. To the best of our knowledge, it has not been exploited.
The following is required for a successful attack:
The attacker must be able to send multiple HTTP/1 requests processed on the same HTTP/1 keepalive connection.
Mitigation is possible from VCL or by updating to a fixed version of Varnish Cache.
Versions affected
6.1.0 and forward
6.0 LTS by Varnish Software up to and including 6.0.3
Versions not affected
Versions prior to 6.1.0 contain parsing bugs that are prerequisites for successfully exploiting the issue, but these versions will not assert. This includes the end-of-lifed 4.1 LTS series.
Fixed in
6.2.1
6.0.4 LTS by Varnish Software
GitHub Varnish Cache master branch at commit 406b583fe54634afd029e7a41e35b3cf9ccac28a
Mitigation from VCL
See VSV00003 DoS attack vector VCL mitigation for information about mitigation through VCL.
Thankyous and credits
Alf-André Walla at Varnish Software for uncovering the problem.
Nils Goroll at UPLEX for patch review and VCL mitigation.
Varnish Software for handling this security incident.