Very Low
CVE-2009-2936
Very Low
(1 user assessed)
Moderate
(1 user assessed)Unknown
Unknown
Unknown
Description
The Command Line Interface (aka Server CLI or administration interface) in the master process in the reverse proxy server in Varnish before 2.1.0 does not require authentication for commands received through a TCP port, which allows remote attackers to (1) execute arbitrary code via a vcl.inline directive that provides a VCL configuration file containing inline C code; (2) change the ownership of the master process via param.set, stop, and start directives; (3) read the initial line of an arbitrary file via a vcl.load directive; or (4) conduct cross-site request forgery (CSRF) attacks that leverage a victim’s location on a trusted network and improper input validation of directives. NOTE: the vendor disputes this report, saying that it is “fundamentally misguided and pointless.
Add Assessment
Technical Analysis
The (3) part of this does seem to be true, using vcl.load and supplying it a file will attempt to load the file. Because the file is most likely NOT a vcl file, the file will fail to load, however the error message echoed back to the user includes the first line of the file.
While you are able to read an arbitrary file, you’ll only get the first line, YMMV. The process is most likely also not running as root, so /etc/shadow where the first line would be great most likely won’t happen.
CVSS V3 Severity and Metrics
General Information
Vendors
- varnish.projects.linpro
Products
- varnish 0.9,
- varnish 0.9.1,
- varnish 1.0,
- varnish 1.0.1,
- varnish 1.0.2,
- varnish 1.0.3,
- varnish 1.0.4,
- varnish 1.1,
- varnish 1.1.1,
- varnish 1.1.2,
- varnish 2.0,
- varnish 2.0.1,
- varnish 2.0.2,
- varnish 2.0.3,
- varnish 2.0.4,
- varnish 2.0.5,
- varnish 2.0.6
Metasploit Modules
References
Advisory
