DISPUTED The Command Line Interface (aka Server CLI or administration interface) in the master process in the reverse proxy server in Varnish before 2.1.0 does not require authentication for commands received through a TCP port, which allows remote attackers to (1) execute arbitrary code via a vcl.inline directive that provides a VCL configuration file containing inline C code; (2) change the ownership of the master process via param.set, stop, and start directives; (3) read the initial line of an arbitrary file via a vcl.load directive; or (4) conduct cross-site request forgery (CSRF) attacks that leverage a victimโs location on a trusted network and improper input validation of directives. NOTE: the vendor disputes this report, saying that it is โfundamentally misguided and pointless.โ
Recent assessments:
h00die at March 25, 2020 12:04am UTC reported:
The (3) part of this does seem to be true, using vcl.load
and supplying it a file will attempt to load the file. Because the file is most likely NOT a vcl
file, the file will fail to load, however the error message echoed back to the user includes the first line of the file.
While you are able to read an arbitrary file, youโll only get the first line, YMMV. The process is most likely also not running as root, so /etc/shadow
where the first line would be great most likely wonโt happen.
Assessed Attacker Value: 1
Assessed Attacker Value: 1Assessed Attacker Value: 3