Vulnerabilities > CVE-2017-12425 - Integer Overflow or Wraparound vulnerability in multiple products
Summary
An issue was discovered in Varnish HTTP Cache 4.0.1 through 4.0.4, 4.1.0 through 4.1.7, 5.0.0, and 5.1.0 through 5.1.2. A wrong if statement in the varnishd source code means that particular invalid requests from the client can trigger an assert, related to an Integer Overflow. This causes the varnishd worker process to abort and restart, losing the cached contents in the process. An attacker can therefore crash the varnishd worker process on demand and effectively keep it from serving content - a Denial-of-Service attack. The specific source-code filename containing the incorrect statement varies across releases.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Forced Integer Overflow This attack forces an integer variable to go out of range. The integer variable is often used as an offset such as size of memory allocation or similarly. The attacker would typically control the value of such variable and try to get it out of range. For instance the integer in question is incremented past the maximum possible value, it may wrap to become a very small, or negative number, therefore providing a very incorrect value which can lead to unexpected behavior. At worst the attacker can execute arbitrary code.
Nessus
NASL family Debian Local Security Checks NASL id DEBIAN_DSA-3924.NASL description A denial of service vulnerability was discovered in Varnish, a state of the art, high-performance web accelerator. Specially crafted HTTP requests can cause the Varnish daemon to assert and restart, clearing the cache in the process. See https://varnish-cache.org/security/VSV00001.html for details. last seen 2020-06-01 modified 2020-06-02 plugin id 102135 published 2017-08-03 reporter This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/102135 title Debian DSA-3924-1 : varnish - security update code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DSA-3924. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(102135); script_version("3.6"); script_cvs_date("Date: 2018/11/10 11:49:38"); script_cve_id("CVE-2017-12425"); script_xref(name:"DSA", value:"3924"); script_name(english:"Debian DSA-3924-1 : varnish - security update"); script_summary(english:"Checks dpkg output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security-related update." ); script_set_attribute( attribute:"description", value: "A denial of service vulnerability was discovered in Varnish, a state of the art, high-performance web accelerator. Specially crafted HTTP requests can cause the Varnish daemon to assert and restart, clearing the cache in the process. See https://varnish-cache.org/security/VSV00001.html for details." ); script_set_attribute( attribute:"see_also", value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870467" ); script_set_attribute( attribute:"see_also", value:"https://varnish-cache.org/security/VSV00001.html" ); script_set_attribute( attribute:"see_also", value:"https://packages.debian.org/source/jessie/varnish" ); script_set_attribute( attribute:"see_also", value:"https://packages.debian.org/source/stretch/varnish" ); script_set_attribute( attribute:"see_also", value:"https://www.debian.org/security/2017/dsa-3924" ); script_set_attribute( attribute:"solution", value: "Upgrade the varnish packages. For the oldstable distribution (jessie), this problem has been fixed in version 4.0.2-1+deb8u1. For the stable distribution (stretch), this problem has been fixed in version 5.0.0-7+deb9u1." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:varnish"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:8.0"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:9.0"); script_set_attribute(attribute:"patch_publication_date", value:"2017/08/02"); script_set_attribute(attribute:"plugin_publication_date", value:"2017/08/03"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"8.0", prefix:"libvarnishapi-dev", reference:"4.0.2-1+deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"libvarnishapi1", reference:"4.0.2-1+deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"varnish", reference:"4.0.2-1+deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"varnish-dbg", reference:"4.0.2-1+deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"varnish-doc", reference:"4.0.2-1+deb8u1")) flag++; if (deb_check(release:"9.0", prefix:"libvarnishapi-dev", reference:"5.0.0-7+deb9u1")) flag++; if (deb_check(release:"9.0", prefix:"libvarnishapi1", reference:"5.0.0-7+deb9u1")) flag++; if (deb_check(release:"9.0", prefix:"varnish", reference:"5.0.0-7+deb9u1")) flag++; if (deb_check(release:"9.0", prefix:"varnish-doc", reference:"5.0.0-7+deb9u1")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get()); else security_warning(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");
NASL family Fedora Local Security Checks NASL id FEDORA_2017-8F4FBA5AFA.NASL description New upstream release. This is a security release with a fix for CVE-2017-12425, a crash bug that might be used in a denial of service attack. Details from the upstream project are found here : http://varnish-cache.org/security/VSV00001.html Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2017-08-15 plugin id 102485 published 2017-08-15 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/102485 title Fedora 26 : varnish (2017-8f4fba5afa) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Fedora Security Advisory FEDORA-2017-8f4fba5afa. # include("compat.inc"); if (description) { script_id(102485); script_version("3.5"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04"); script_cve_id("CVE-2017-12425"); script_xref(name:"FEDORA", value:"2017-8f4fba5afa"); script_name(english:"Fedora 26 : varnish (2017-8f4fba5afa)"); script_summary(english:"Checks rpm output for the updated package."); script_set_attribute( attribute:"synopsis", value:"The remote Fedora host is missing a security update." ); script_set_attribute( attribute:"description", value: "New upstream release. This is a security release with a fix for CVE-2017-12425, a crash bug that might be used in a denial of service attack. Details from the upstream project are found here : http://varnish-cache.org/security/VSV00001.html Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"http://varnish-cache.org/security/VSV00001.html" ); script_set_attribute( attribute:"see_also", value:"https://bodhi.fedoraproject.org/updates/FEDORA-2017-8f4fba5afa" ); script_set_attribute( attribute:"solution", value:"Update the affected varnish package." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:varnish"); script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:26"); script_set_attribute(attribute:"vuln_publication_date", value:"2017/08/04"); script_set_attribute(attribute:"patch_publication_date", value:"2017/08/14"); script_set_attribute(attribute:"plugin_publication_date", value:"2017/08/15"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Fedora Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora"); os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora"); os_ver = os_ver[1]; if (! preg(pattern:"^26([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 26", "Fedora " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu); flag = 0; if (rpm_check(release:"FC26", reference:"varnish-5.1.3-2.fc26")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_WARNING, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "varnish"); }
NASL family Fedora Local Security Checks NASL id FEDORA_2017-BFBC5DE1B1.NASL description New upstream release. This is a security release with a fix for CVE-2017-12425, a crash bug that might be used in a denial of service attack. Details from the upstream project are found here : http://varnish-cache.org/security/VSV00001.html Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2017-08-15 plugin id 102489 published 2017-08-15 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/102489 title Fedora 25 : varnish (2017-bfbc5de1b1) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Fedora Security Advisory FEDORA-2017-bfbc5de1b1. # include("compat.inc"); if (description) { script_id(102489); script_version("3.5"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04"); script_cve_id("CVE-2017-12425"); script_xref(name:"FEDORA", value:"2017-bfbc5de1b1"); script_name(english:"Fedora 25 : varnish (2017-bfbc5de1b1)"); script_summary(english:"Checks rpm output for the updated package."); script_set_attribute( attribute:"synopsis", value:"The remote Fedora host is missing a security update." ); script_set_attribute( attribute:"description", value: "New upstream release. This is a security release with a fix for CVE-2017-12425, a crash bug that might be used in a denial of service attack. Details from the upstream project are found here : http://varnish-cache.org/security/VSV00001.html Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"http://varnish-cache.org/security/VSV00001.html" ); script_set_attribute( attribute:"see_also", value:"https://bodhi.fedoraproject.org/updates/FEDORA-2017-bfbc5de1b1" ); script_set_attribute( attribute:"solution", value:"Update the affected varnish package." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:varnish"); script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:25"); script_set_attribute(attribute:"vuln_publication_date", value:"2017/08/04"); script_set_attribute(attribute:"patch_publication_date", value:"2017/08/14"); script_set_attribute(attribute:"plugin_publication_date", value:"2017/08/15"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Fedora Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora"); os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora"); os_ver = os_ver[1]; if (! preg(pattern:"^25([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 25", "Fedora " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu); flag = 0; if (rpm_check(release:"FC25", reference:"varnish-5.0.0-4.fc25")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_WARNING, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "varnish"); }
References
- https://www.varnish-cache.org/security/VSV00001.html#vsv00001
- https://lists.debian.org/debian-security-announce/2017/msg00186.html
- https://github.com/varnishcache/varnish-cache/issues/2379
- https://bugzilla.suse.com/show_bug.cgi?id=1051917
- https://bugzilla.redhat.com/show_bug.cgi?id=1477222
- http://www.debian.org/security/2017/dsa-3924