CVE-2022-45060: HTTP Request Forgery Discovered in Varnish Cache Versions 5.x, 6.x, and 7.x

An HTTP Request Forgery vulnerability (CVE-2022-45060) was recently discovered in several versions of Varnish Cache, namely 5.x, 6.x (before 6..11), 7.x (before 7.1.2), and 7.2.x (before 7.2.1). The issue involves attackers introducing invalid characters via HTTP/2 pseudo-headers into the HTTP/1 request line, potentially causing the Varnish server to send invalid HTTP/1 requests to the backend. This scenario could be exploited to take advantage of other vulnerabilities in a server positioned behind the Varnish server, posing a significant security risk.

Code Snippet Highlighting the Issue

Consider a scenario where the Varnish Cache is used to proxy requests between an HTTP/2 client and an HTTP/1 backend server. If the attacker sends an HTTP/2 request with an invalid "authority" pseudo-header, the Varnish server may pass an improperly formatted HTTP/1 request to the backend, as shown in the following example:

--- HTTP/2 Request (Attacker) ---
:method: GET
:scheme: https
:authority: vulnerable_server.com\r\ninjected_header: injected_value
:path: /example-path

--- HTTP/1.1 Request (Varnish->Backend) ---
GET /example-path HTTP/1.1
Host: vulnerable_server.com
injected_header: injected_value

Notice how the "authority" pseudo-header includes an invalid character (\r\n) which leads to the injection of an extra header in the resulting HTTP/1.1 request. This could potentially be used to exploit vulnerabilities in the backend server.

Original References

The vulnerability was first discovered and reported by [insert researcher's name] from [insert company name]. You can refer to the following resources for more details on this vulnerability:

1. Varnish Cache Security Advisory: VSV00008
2. National Vulnerability Database: CVE-2022-45060

Exploit Details and Mitigation Steps

As of now, there are no publicly available exploits for this vulnerability. However, considering the potential impact of this issue, all users of affected Varnish Cache versions are advised to upgrade to the following patched versions as soon as possible:

Varnish 7.2.x: Upgrade to 7.2.1 or later

To prevent potential exploitation of this vulnerability, it is crucial to keep the Varnish Cache software and all related dependencies up-to-date. Additionally, network administrators should keep an eye on traffic logs and patterns to identify any suspicious activity indicating potential exploitation attempts.

Conclusion

In conclusion, the HTTP Request Forgery vulnerability CVE-2022-45060 in Varnish Cache 5.x, 6.x, and 7.x poses a severe security risk, potentially allowing attackers to exploit other vulnerabilities in servers behind the Varnish server. Users should upgrade to the latest patched versions to mitigate this vulnerability, and maintain updated software versions to reduce the likelihood of similar issues in the future.

Timeline

Published on: 11/09/2022 06:15:00 UTC
Last modified on: 02/28/2023 18:32:00 UTC