CVE-2022-23959: Varnish Cache Request Smuggling Vulnerability & Exploit Details

In this post, we will discuss a security vulnerability, identified as CVE-2022-23959, that exists in Varnish Cache and Varnish Enterprise (Cache Plus). This vulnerability allows request smuggling to occur on HTTP/1 connections. Affected versions include Varnish Cache before 6.6.2 and 7.x before 7.0.2, Varnish Cache 6.0 LTS before 6.0.10, and Varnish Enterprise (Cache Plus) 4.1.x before 4.1.11r6 and 6.0.x before 6.0.9r4.

Varnish Cache (https://www.varnish-cache.org/) is a popular open-source caching HTTP reverse proxy used to improve website performance significantly. It is crucial to raise awareness of this vulnerability so that those running Varnish Cache can update their installations and prevent potential attacks.

Severity: High

- CVSS Score: 7.7 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L)

Vulnerability Description

The vulnerability CVE-2022-23959 is a request smuggling issue that could allow an attacker to send specially crafted HTTP requests to bypass access control mechanisms or forge web application log entries, ultimately leading to privilege escalation or session hijacking.

Request smuggling involves sending ambiguous HTTP requests so that the front-end proxy and the back-end web server interpret the same bytes differently, disagreeing about where one request ends and the next begins. This discrepancy can enable an attacker to conceal nefarious activities and manipulate the application.

Here's an example of a crafted HTTP request that exploits a request smuggling vulnerability:

POST / HTTP/1.1
Host: vulnerable.example
Content-Type: application/x-www-form-urlencoded
Content-Length: 49
Transfer-Encoding: chunked

0

GET /sensitive_data HTTP/1.1
Host: vulnerable.example

In the example above, the request carries both a 'Content-Length' and a 'Transfer-Encoding' header, which leads to a conflict in the way the request body is delimited by the proxy and by the origin server. As a result, the attacker may gain access to sensitive information, execute arbitrary commands, or perform other malicious activities.
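To make that ambiguity concrete from the defender's side, the following is an added Python example (not code from this post or from the Varnish project). It audits an HTTP/1 request head for the Content-Length/Transfer-Encoding conflict described above, shows how a length-based parser and a chunked parser frame the same request differently, and applies the rule from RFC 7230 section 3.3.3 that an intermediary should follow: reject such a request, or at minimum drop Content-Length whenever Transfer-Encoding is present before forwarding. The hostnames, paths and sample requests are constructed for illustration and are assumptions, not values from the advisory.

```python
"""Detect and neutralize Content-Length / Transfer-Encoding framing ambiguity
in an HTTP/1 request head, following RFC 7230 section 3.3.3."""
import re

CRLF = b"\r\n"

# Constructed sample: the CL.TE shape discussed in the post.  Content-Length
# covers the whole body (50 bytes), while chunked framing ends at the
# zero-size chunk, so the two framings disagree about what follows.
AMBIGUOUS_REQUEST = (
    b"POST / HTTP/1.1\r\n"
    b"Host: proxy.example\r\n"
    b"Content-Length: 50\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"0\r\n"
    b"\r\n"
    b"GET /second HTTP/1.1\r\n"
    b"Host: proxy.example\r\n"
    b"\r\n"
)

# Constructed sample with a single, unambiguous framing.
CLEAN_REQUEST = (
    b"POST / HTTP/1.1\r\n"
    b"Host: proxy.example\r\n"
    b"Content-Length: 5\r\n"
    b"\r\n"
    b"hello"
)


def parse_head(raw):
    """Split raw request bytes into (request line, [(name, value)], body).
    Header names are lower-cased because HTTP treats them case-insensitively."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request head")
    lines = head.split(CRLF)
    headers = []
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon or not name.strip():
            raise ValueError("malformed header line: %r" % line)
        headers.append((name.strip().lower().decode("ascii", "replace"),
                        value.strip().decode("ascii", "replace")))
    return lines[0].decode("ascii", "replace"), headers, body


def audit(raw):
    """Return a list of findings that make the body length ambiguous."""
    _, headers, _ = parse_head(raw)
    cl = [v for n, v in headers if n == "content-length"]
    te = [v for n, v in headers if n == "transfer-encoding"]
    findings = []
    if cl and te:
        findings.append("both Content-Length and Transfer-Encoding present")
    if len(set(cl)) > 1:
        findings.append("conflicting Content-Length values")
    for v in cl:
        if not re.fullmatch(r"[0-9]+", v):
            findings.append("non-numeric Content-Length: %r" % v)
    if te:
        codings = [c.strip().lower() for v in te for c in v.split(",")]
        if codings[-1] != "chunked":
            findings.append("Transfer-Encoding present but final coding is not chunked")
        unknown = [c for c in codings if c not in ("chunked", "gzip", "deflate", "compress")]
        if unknown:
            findings.append("unknown transfer coding(s): %r" % unknown)
    return findings


def frame_by_content_length(raw):
    """Body as a Content-Length-only parser sees it, plus the leftover bytes."""
    _, headers, body = parse_head(raw)
    n = int(next((v for name, v in headers if name == "content-length"), "0"))
    return body[:n], body[n:]


def frame_by_chunked(raw):
    """Body as a chunked parser sees it, plus the bytes after the last chunk."""
    _, _, body = parse_head(raw)
    out, pos = b"", 0
    while True:
        line_end = body.index(CRLF, pos)
        size = int(body[pos:line_end].split(b";")[0], 16)  # ignore chunk extensions
        pos = line_end + 2
        if size == 0:
            # Skip the optional trailer section up to and including the empty line.
            while True:
                line_end = body.index(CRLF, pos)
                is_empty = line_end == pos
                pos = line_end + 2
                if is_empty:
                    return out, body[pos:]
        out += body[pos:pos + size]
        pos += size
        if body[pos:pos + 2] != CRLF:
            raise ValueError("chunk data not terminated by CRLF")
        pos += 2


def forwardable(raw, reject_ambiguous=True):
    """Decide what an intermediary should do with the request.
    Returns ("reject", findings) or ("forward", bytes).  In lenient mode the
    CL+TE conflict alone is tolerated and Content-Length is dropped, which is
    what RFC 7230 section 3.3.3 requires before forwarding such a message."""
    findings = audit(raw)
    both = "both Content-Length and Transfer-Encoding present"
    if findings and (reject_ambiguous or findings != [both]):
        return "reject", findings
    request_line, headers, body = parse_head(raw)
    if any(n == "transfer-encoding" for n, _ in headers):
        headers = [(n, v) for n, v in headers if n != "content-length"]
    head = request_line.encode("ascii") + CRLF
    head += b"".join(("%s: %s" % (n, v)).encode("ascii") + CRLF for n, v in headers)
    return "forward", head + CRLF + body


if __name__ == "__main__":
    print(audit(AMBIGUOUS_REQUEST))
    print("after CL framing:", frame_by_content_length(AMBIGUOUS_REQUEST)[1])
    print("after chunked framing:", frame_by_chunked(AMBIGUOUS_REQUEST)[1])
    print(forwardable(AMBIGUOUS_REQUEST))
```

Run as a script, the Content-Length framing reports nothing left over, while the chunked framing reports a complete second request sitting after the zero-size chunk; that disagreement is exactly what `audit` flags and what `forwardable` refuses to pass on. The strict mode (reject) is the safer default for an edge proxy; the lenient mode matches the minimum the RFC demands.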

Solution & Mitigation

To resolve the CVE-2022-23959 vulnerability, it is crucial to update your Varnish Cache or Varnish Enterprise (Cache Plus) installations to the latest available versions. Here are the fixed versions:

Varnish Cache 6.6.x: 6.6.2
Varnish Cache 7.x: 7.0.2
Varnish Cache 6.0 LTS: 6.0.10
Varnish Enterprise (Cache Plus) 4.1.x: 4.1.11r6
Varnish Enterprise (Cache Plus) 6.0.x: 6.0.9r4

You can download the latest releases from the official Varnish Cache website: https://www.varnish-cache.org/releases/

Additionally, it is wise to implement proper access control policies, conduct regular security reviews and audits, and employ appropriate server configurations to prevent such vulnerabilities in the future.

Conclusion

This article described the CVE-2022-23959 vulnerability in Varnish Cache and Varnish Enterprise (Cache Plus) that allows attackers to perform request smuggling on HTTP/1 connections. If you are using Varnish Cache or Varnish Enterprise (Cache Plus) in your environment, it's crucial to update to the latest versions and take the necessary precautions to avoid potential attacks.

Timeline

Published on: 01/26/2022 01:15:00 UTC
Last modified on: 08/02/2022 19:35:00 UTC