CVE-2022-23959: Varnish Cache Request Smuggling Vulnerability & Exploit Details
In this post, we will discuss a security vulnerability, identified as CVE-2022-23959, that exists in Varnish Cache and Varnish Enterprise (Cache Plus). This vulnerability allows request smuggling to occur for HTTP/1 connections. Affected versions include Varnish Cache before 6.6.2 and 7.x before 7.0.2, Varnish Cache 6.0 LTS before 6.0.10, and Varnish Enterprise (Cache Plus) 4.1.x before 4.1.11r6 and 6.0.x before 6.0.9r4.
Varnish Cache (https://www.varnish-cache.org/) is a popular open-source caching HTTP reverse proxy that serves to improve website performance significantly. It is crucial to raise awareness of this vulnerability so that those utilizing Varnish Cache can update their installations and prevent potential attacks.
Severity: High
- CVSS Score: 7.7 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L)
Vulnerability Description
The vulnerability CVE-2022-23959 is a request smuggling issue that could allow an attacker to send specially crafted HTTP requests to bypass access control mechanisms or forge web application log entries, ultimately leading to privilege escalation or session hijacking.
Request smuggling involves sending ambiguous HTTP requests to web applications and persuading the web server and proxy server to interpret the requests differently. This discrepancy can enable an attacker to conceal nefarious activities and manipulate the application.
Here's an example of a crafted HTTP request exploiting a request smuggling vulnerability:
POST / HTTP/1.1
Host: vulnerable.example
Content-Type: application/x-www-form-urlencoded
Content-Length: 49
Transfer-Encoding: chunked

GET /sensitive_data HTTP/1.1
Host: vulnerable.example
In the example above, the request carries both a 'Content-Length' and a 'Transfer-Encoding' header, so the proxy and the origin server may disagree about where the request body ends and therefore about where the next request begins. As a result, the attacker may gain access to sensitive information, execute arbitrary commands, or perform other malicious activities.
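The defensive counterpart to the request above is to refuse to guess. RFC 7230 section 3.3.3 treats a request that carries both Transfer-Encoding and Content-Length, or conflicting Content-Length values, as a framing ambiguity that an intermediary should reject rather than resolve silently. The checker below is an added example written for this article, not code from Varnish Cache or the Varnish project; it parses the header block of a raw HTTP/1 request and reports every framing problem it finds, including the Content-Length plus Transfer-Encoding combination shown above and the obfuscated Transfer-Encoding values (such as 'xchunked') used to create the same disagreement. The sample requests are constructed for the demonstration.

```python
"""Flag ambiguous HTTP/1 body framing of the kind request smuggling relies on.

Added example for this article, not code from Varnish Cache. It applies the
RFC 7230 section 3.3.3 rule: a request with both Transfer-Encoding and
Content-Length, or with conflicting Content-Length values, is ambiguous and
should be rejected instead of guessed at. All sample requests are constructed.
"""
import re

# Header field layout per RFC 7230: field-name ":" OWS field-value OWS
_HEADER_RE = re.compile(r"^([!#$%&'*+.^_`|~0-9A-Za-z-]+):[ \t]*(.*?)[ \t]*$")


def parse_headers(raw: bytes) -> tuple[str, list[tuple[str, str]]]:
    """Split a raw request into (request-line, [(lowercased name, value), ...]).

    Only the header block is read; the body is not needed to judge framing.
    Obsolete line folding and malformed field lines are rejected outright,
    since both are themselves classic sources of parser disagreement.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    request_line, headers = lines[0], []
    for line in lines[1:]:
        if not line:
            break
        if line[:1] in (" ", "\t"):
            raise ValueError("obs-fold header continuation")
        m = _HEADER_RE.match(line)
        if not m:
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((m.group(1).lower(), m.group(2)))
    return request_line, headers


def framing_problems(raw: bytes) -> list[str]:
    """Return the reasons a request's body framing is ambiguous.

    An empty list means exactly one framing authority applies: a single
    Content-Length, a single well-formed chunked Transfer-Encoding, or neither.
    """
    problems = []
    try:
        _, headers = parse_headers(raw)
    except ValueError as exc:
        return [str(exc)]

    cls = [v for n, v in headers if n == "content-length"]
    tes = [v for n, v in headers if n == "transfer-encoding"]

    # Repeated Content-Length is tolerable only when every copy agrees
    if len(set(cls)) > 1:
        problems.append(f"conflicting Content-Length values: {cls}")
    for v in cls:
        if not re.fullmatch(r"[0-9]+", v):
            problems.append(f"non-numeric Content-Length: {v!r}")

    # Both framing headers at once is the CL.TE / TE.CL desync condition
    if cls and tes:
        problems.append("Content-Length and Transfer-Encoding both present")

    # The final transfer coding must be exactly "chunked"; spellings such as
    # "xchunked" are accepted by some parsers and ignored by others
    for v in tes:
        codings = [c.strip(" \t").lower() for c in v.split(",")]
        if codings[-1] != "chunked" or "chunked" in codings[:-1]:
            problems.append(f"unusual Transfer-Encoding: {v!r}")
    return problems


if __name__ == "__main__":
    # Constructed request mirroring the article's example
    sample = (b"POST / HTTP/1.1\r\nHost: vulnerable.example\r\n"
              b"Content-Length: 49\r\nTransfer-Encoding: chunked\r\n\r\n")
    for p in framing_problems(sample):
        print("reject:", p)
```

A front-end that applies this check returns 400 for the article's request instead of forwarding it, which removes the disagreement the attack depends on regardless of how the origin server would have framed the body.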
Solution & Mitigation
To resolve the CVE-2022-23959 vulnerability, it is crucial to update your Varnish Cache or Varnish Enterprise (Cache Plus) installations to the latest available versions. Here are the fixed versions:
- Varnish Cache 6.6.x: 6.6.2
- Varnish Cache 7.x: 7.0.2
- Varnish Cache 6.0 LTS: 6.0.10
- Varnish Enterprise (Cache Plus) 4.1.x: 4.1.11r6
- Varnish Enterprise (Cache Plus) 6.0.x: 6.0.9r4
You can download the latest releases from the official Varnish Cache website: https://www.varnish-cache.org/releases/
Additionally, it is wise to implement proper access control policies, conduct regular security reviews and audits, and employ appropriate server configurations to prevent such vulnerabilities in the future.
Conclusion
This article provided an in-depth look at the CVE-2022-23959 vulnerability in Varnish Cache and Varnish Enterprise (Cache Plus) that allows attackers to perform request smuggling on HTTP/1 connections. If you are using Varnish Cache or Varnish Enterprise (Cache Plus) in your environment, it's crucial to update to the latest versions and take the necessary precautions to avoid potential attacks.
Timeline
Published on: 01/26/2022 01:15:00 UTC
Last modified on: 08/02/2022 19:35:00 UTC