Hello!

There is a new vendor announcement regarding a request smuggling attack - this time it affects HTTP/1 connections. It's apparently affecting all versions >= Stretch.

https://varnish-cache.org/security/VSV00008.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23959

Best Regards,
Andreas
CVE-2022-23959 has meanwhile been rated as critical:
https://nvd.nist.gov/vuln/detail/CVE-2022-23959

Apparently it is rather easy to exploit:
http://cwe.mitre.org/data/definitions/444.html

Any ETA when a security upgrade could become available? Fixes for the vulnerability seem to be rather trivial:
https://github.com/varnishcache/varnish-cache/commit/fceaefd4d59a3b5d5a4903a3f420e35eb430d0d4
https://github.com/varnishcache/varnish-cache/commit/1020be7e886399a4e94407ae0dfbfd1475cc5756

Cheers,
Andreas
I know we (or most of us) are volunteers working on Debian. But I have to admit I'm a bit worried that we haven't patched this critical cache-poisoning vulnerability in Varnish for one month (except in Debian Stretch LTS).

Attached are patches containing the fixes for CVE-2022-23959.

For Debian Buster I took them from the Varnish 6.0 LTS branch:
https://github.com/varnishcache/varnish-cache/commit/dcbe8b9ebf5b352e2534fc5645afa1d9747e9647
https://github.com/varnishcache/varnish-cache/commit/b8351f7f6231315f0fe00410b91893235eb29f57

For Debian Bullseye from the Varnish 6.6 branch:
https://github.com/varnishcache/varnish-cache/commit/9ed39d1f796369caafb647fe37b729c07f332327
https://github.com/varnishcache/varnish-cache/commit/ec531e16b9cd139bbf8971c5b306561c669681f4

Cheers,
Andreas
Hi,

Those updates were already prepared by Florian Weimer, but we need someone using it to actually test the updates, as they include other CVE fixes (namely CVE-2021-36740). If you are interested in testing the (yet unofficial) debs, let us know; this might speed up the DSA release a bit ;-)

Regards,
Salvatore
Hello Salvatore!

I'm not sure how to exploit these two flaws - so I probably can't verify whether the updates by Florian ultimately fix the security issues. But I can verify that the updated software packages basically work on some real-life systems. If that would already help you - feel free to share :)

Regards,
Andreas
Hi Andreas,

Sorry for the delay, busy yesterday. Thank you!

Unofficial and amd64-only builds (including the source in case you want to build it on your own) are at:
https://people.debian.org/~carnil/tmp/varnish/

It would be great if you can test the packages in production, even if not explicitly for the two CVEs, so we can get some more confidence.

Regards,
Salvatore
Hello Salvatore!

I've installed the v6.1.1 packages on several of our Buster servers. Apparently all the websites and portals hosted there are feeling well. I tested access with HTTP2 as well as HTTP 1.1 only. Also continuously firing 100 req/sec with locust against this patched Varnish works fine.

Shall I test the packages on Bullseye too (could do that on Monday), or is Buster already enough?

Cheers,
Andreas
* Andreas Unterkircher:

I'd appreciate it if you could test bullseye as well. Thanks!
I have updated a server with Buster (on which I've tested Varnish v6.1.1-1+deb10u3 before) to Bullseye and upgraded Varnish to 6.5.1-1+deb11u2. The results are pretty much the same as with Buster. The hosted pages work correctly with HTTP 1.1 through Varnish. The same for HTTP2. Locust against Varnish with 100 req/sec gives stable results for 10min of testing.

user@host:~$ sudo varnishd -V
varnishd (varnish-6.5.1 revision 1dae23376bb5ea7a6b8e9e4b9ed95cdc9469fb64)
Copyright (c) 2006 Verdens Gang AS
Copyright (c) 2006-2020 Varnish Software

user@host:~$ sudo varnishstat -n $(hostname) -1
MGT.uptime                      1054         1.00 Management process uptime
MGT.child_start                    1         0.00 Child process started
MGT.child_exit                     0         0.00 Child process normal exit
MGT.child_stop                     0         0.00 Child process unexpected exit
MGT.child_died                     0         0.00 Child process died (signal)
MGT.child_dump                     0         0.00 Child process core dumped
MGT.child_panic                    0         0.00 Child process panic
MAIN.summs                     74450        70.57 stat summ operations
MAIN.uptime                     1055         1.00 Child process uptime
MAIN.sess_conn                 25393        24.07 Sessions accepted
MAIN.sess_fail                     0         0.00 Session accept failures
MAIN.sess_fail_econnaborted        0         0.00 Session accept failures: connection aborted
MAIN.sess_fail_eintr               0         0.00 Session accept failures: interrupted system call
MAIN.sess_fail_emfile              0         0.00 Session accept failures: too many open files
MAIN.sess_fail_ebadf               0         0.00 Session accept failures: bad file descriptor
MAIN.sess_fail_enomem              0         0.00 Session accept failures: not enough memory
MAIN.sess_fail_other               0         0.00 Session accept failures: other
MAIN.client_req_400                0         0.00 Client requests received, subject to 400 errors
MAIN.client_req_417                0         0.00 Client requests received, subject to 417 errors
MAIN.client_req                35030        33.20 Good client requests received
MAIN.cache_hit                 33703        31.95 Cache hits

Cheers,
Andreas
Hi Andreas,

Thanks a lot for your testing, this is very much appreciated!

Florian, should we go ahead with the DSA release?

Regards,
Salvatore
* Salvatore Bonaccorso:

We should, I'll look into it this evening. Thanks for all the testing!
We believe that the bug you reported is fixed in the latest version of
varnish, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1004433@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Florian Weimer <fw@deneb.enyo.de> (supplier of updated varnish package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Sun, 13 Feb 2022 14:45:59 +0100
Source: varnish
Architecture: source
Version: 6.5.1-1+deb11u2
Distribution: bullseye-security
Urgency: medium
Maintainer: Varnish Package Maintainers <team+varnish-team@tracker.debian.org>
Changed-By: Florian Weimer <fw@deneb.enyo.de>
Closes: 1004433
Changes:
varnish (6.5.1-1+deb11u2) bullseye-security; urgency=medium
.
* Apply upstream patch to fix: VSV00008 Varnish HTTP/1 Request Smuggling
Vulnerability (CVE-2022-23959). (Closes: #1004433)
Format: 1.8
Date: Sun, 13 Feb 2022 15:48:11 +0100
Source: varnish
Architecture: source
Version: 6.1.1-1+deb10u3
Distribution: buster-security
Urgency: medium
Maintainer: Varnish Package Maintainers <team+varnish-team@tracker.debian.org>
Changed-By: Florian Weimer <fw@deneb.enyo.de>
Closes: 1004433
Changes:
varnish (6.1.1-1+deb10u3) buster-security; urgency=medium
.
* Apply upstream patch to fix: VSV00008 Varnish HTTP/1 Request Smuggling
Vulnerability (CVE-2022-23959). (Closes: #1004433)
close 1004433 7.1.0-4
thanks

Closed with upstream release 7.1.0
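As an added example (not code from this thread, nor from the Debian or Varnish projects): a Python check that compares an installed varnish package version against the fixed versions named in this thread (6.1.1-1+deb10u3 for buster, 6.5.1-1+deb11u2 for bullseye, and 7.1.0-4 as the upload that closed the bug, assumed here to be the unstable/sid version). It re-implements dpkg's version ordering so it runs on hosts without dpkg; the installed version string is an input, e.g. the output of `dpkg-query -W -f='${Version}' varnish`.

```python
"""Check whether an installed Debian varnish package is at or above the
CVE-2022-23959 (VSV00008) fixed version for its release. The ordering
below is a re-implementation of dpkg's version comparison (this
example's own code, not dpkg's)."""

# Fixed versions as stated in the thread; the sid entry is an assumption
# based on the bug being closed with 7.1.0-4.
FIXED_VERSIONS = {
    "buster": "6.1.1-1+deb10u3",
    "bullseye": "6.5.1-1+deb11u2",
    "sid": "7.1.0-4",
}

def _order(c):
    """dpkg character weight: '~' sorts before everything (even the end
    of the string), then end of string, then letters, then punctuation."""
    if c == "~":
        return -1
    if c == "" or c.isdigit():
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _verrevcmp(a, b):
    """Compare two upstream-version or revision strings like dpkg:
    alternate non-digit runs (by character weight) and numeric runs."""
    while a or b:
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            ac, bc = _order(a[:1]), _order(b[:1])
            if ac != bc:
                return ac - bc
            a, b = a[1:], b[1:]
        a, b = a.lstrip("0"), b.lstrip("0")      # numeric run: ignore leading zeros
        first_diff = 0
        while a[:1].isdigit() and b[:1].isdigit():
            if not first_diff:
                first_diff = int(a[0]) - int(b[0])
            a, b = a[1:], b[1:]
        if a[:1].isdigit():                      # longer number wins
            return 1
        if b[:1].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0

def compare_versions(v1, v2):
    """Return <0, 0 or >0 like `dpkg --compare-versions v1 lt/eq/gt v2`."""
    def split(v):
        epoch, sep, rest = v.partition(":")
        if not sep:
            epoch, rest = "0", v
        upstream, sep, revision = rest.rpartition("-")
        if not sep:
            upstream, revision = rest, "0"
        return int(epoch), upstream, revision
    e1, u1, r1 = split(v1)
    e2, u2, r2 = split(v2)
    return (e1 - e2) or _verrevcmp(u1, u2) or _verrevcmp(r1, r2)

def is_fixed(installed_version, codename):
    """True if the installed varnish is at or above the fixed version for
    the given release; releases without a known fix are not claimed fixed."""
    fixed = FIXED_VERSIONS.get(codename)
    return fixed is not None and compare_versions(installed_version, fixed) >= 0
```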