From phk at phk.freebsd.dk Tue Jun 11 10:26:42 2013 From: phk at phk.freebsd.dk (Poul-Henning Kamp) Date: Tue, 11 Jun 2013 10:26:42 +0000 Subject: CVE-2013-4090: ACL bug in all versions of Varnish HTTP cache Message-ID: <90486.1370946402@critter.freebsd.dk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Slagelse, 2013-06-11 CVE-2013-4090: ACL bug in all versions of Varnish HTTP cache ============================================================= Two bugs have been found in the code which compiles VCL ACLs into C code. TL;DR - ----- In certain cases an ACL entry will match *less* than it should. If you use ACLs to *deny* access, some IP numbers which should have been denied, might slip through. Impact - ------ These bugs only affect non-class CIDR ACL entries (ie: /xx except /8, /16, /24 ...) when more specific ACL entries are also present. The impact can best be explained with two examples: acl foo { "127.0.0.2"; "127.0.0.0"/19; } When the CIDR split byte matches a more specific entry, the CIDR mask is rounded up to a byte boundary so the .../19 becomes .../24 instead, with the result that: 127.0.0.2 matches 127.0.0.1 matches 127.0.1.0 does not match If however, the CIDR split byte does not match the more specific entry: acl foo { "127.0.0.2"; "127.0.1.0"/19; } the CIDR entry will be ignored where the split byte matches the tested IP number, so that: 127.0.0.2 matches 127.0.0.1 does not match 127.0.1.0 matches The overall effect is always that the ACL matches less than it should. It does not matter which byte is split by a CIDR mask. IPv4 and IPv6 are equally impacted. If you use the ACL to *deny* access, either by having '!' prefixes in front of ACL entries or by the way the ACL is used, some IPs may not be denied which should be. Fixes - ----- These bugs will be fixed in the Varnish 3.0.4 and subsequent releases. Varnish 3.0.4 is due to be released this week. For older versions of Varnish, apply the patch below. Patch - ----- Be aware that this patch may have white-space mangled so it might not apply automatically, but it is simple enough to apply by hand. diff --git a/lib/libvcl/vcc_acl.c b/lib/libvcl/vcc_acl.c index 9c9e117..eb3bace 100644 - --- a/lib/libvcl/vcc_acl.c +++ b/lib/libvcl/vcc_acl.c @@ -381,7 +381,7 @@ vcc_acl_emit(const struct vcc *tl, const char *acln, int anon) VTAILQ_FOREACH(ae, &tl->acl, list) { /* Find how much common prefix we have */ - - for (l = 0; l <= depth && l * 8 < ae->mask; l++) { + for (l = 0; l <= depth && l * 8 < ae->mask - 7; l++) { assert(l >= 0); if (ae->data[l] != at[l]) break; @@ -392,11 +392,11 @@ vcc_acl_emit(const struct vcc *tl, const char *acln, int anon) while (l <= depth) { Fh(tl, 0, "\t%*s}\n", -depth, ""); depth--; - - oc = "else "; } m = ae->mask; m -= l * 8; + assert(m >= 0); /* Do whole byte compares */ for (i = l; m >= 8; m -= 8, i++) { Testcase - -------- varnishtest "acl miscompile" server s1 { rxreq txresp } -start varnish v1 -vcl+backend { acl foo { "127.0.0.2"; "127.0.1"/19; } acl bar { "127.0.1.2"; "127.0.1"/19; } sub vcl_deliver { set resp.http.ACLfoo = client.ip ~ foo; set resp.http.ACLbar = client.ip ~ bar; } } -start client c1 { txreq rxresp expect resp.http.aclfoo == true expect resp.http.aclbar == true } -run *END* -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.19 (FreeBSD) iEYEARECAAYFAlG2+V8ACgkQlftZhnGqOJNJFwCfThtKazDolUSdmD5vFvUcJk3o hVgAn2/ZclKFsVqHdEvxBcAIzqhd8Tuj =Pwei -----END PGP SIGNATURE----- -- Poul-Henning Kamp | UNIX since Zilog Zeus 3.20 phk at FreeBSD.ORG | TCP/IP since RFC 956 FreeBSD committer | BSD since 4.3-tahoe Never attribute to malice what can adequately be explained by incompetence. From tfheen at varnish-software.com Mon Jun 17 12:58:19 2013 From: tfheen at varnish-software.com (Tollef Fog Heen) Date: Mon, 17 Jun 2013 14:58:19 +0200 Subject: Varnish 3.0.4 released Message-ID: <20130617125819.GD24913@err.no> It is my pleasure to announce the fourth maintenance release in the 3.0 series of Varnish Cache. It includes a fix for a security related bug and everybody is recommended to upgrade as soon as possible. Some of the most important changes include: * The ACL code had a bug which could lead to false negatives. This has been assigned CVE-2013-4090. * Varnish will now return an error if the client sends multiple Host headers. * If the backend sent invalid gzip while using ESI, Varnish would in some cases assert. It now works correctly. * TCP_NODELAY is now enabled, which should lead to performance improvements in some cases. A fuller list of changes is available in the changes document, available at http://varnish-cache.org/trac/browser/doc/changes.rst Installation instructions and sources are available from https://www.varnish-cache.org/releases/varnish-cache-3.0.4 -- Tollef Fog Heen, on behalf of the Varnish team