
Phony security advisory from Tim Brown ( about Varnish

I just had to comment on this…

Read the advisory here.

My short comment: if you install any type of software, use any kind of mechanical device, or do anything in life, be sure to know what you are doing.

If you buy a car and the doors are not locked when you are handed the keys, you still lock the doors if you don’t want people to get into your car!

Snippets from the advisory:
"In order to completely protect against the vulnerability (in the short term), Nth Dimension recommend turning off the server and replacing it with another reverse proxy such as Squid."

That would be like stepping out of a Ferrari and crawling into twelve old tractors… I don’t think people will do that, Mr. Brown…

"Should this not be possible, Nth Dimension would strongly recommend that users confirm that the master process is not listening on an external network interface."

This is so much easier to do than migrating to Squid or the like, isn’t it? And it is the right thing to do if you are not in a trusted environment. Again, do lock your car door.

"In the latter case, users should confirm that only trusted users have SSH access to the system."

As a rule of thumb: You should NEVER have untrusted users on your systems if you value your data on it or the data accessible from it.

There is plenty of information on how to harden an operating system (OS). One of the first and most common steps is to make sure the system does not listen on network ports that you don’t want it to. I feel that the advisory is bogus because this is a feature of Varnish.
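The check the post recommends (and the one the advisory falls back on when switching proxies is not an option) is simply: look at what the machine is listening on and make sure the management port is bound to loopback, not to an external interface. The script below is an added example, not code from the post or from the Varnish project: it parses the output of `ss -H -ltn` (a constructed sample is embedded so it runs offline) and reports every listening socket that is reachable from other machines. The management port number 6082 in the sample is only an assumption for illustration.

```python
import ipaddress
import subprocess
import sys

# Constructed sample of `ss -H -ltn` output (no header line). The 6082 entries
# stand in for a management interface bound first to all interfaces (bad) and
# then to loopback only (what the post recommends).
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:6082 0.0.0.0:*
LISTEN 0 128 127.0.0.1:6082 0.0.0.0:*
LISTEN 0 4096 [::]:22 [::]:*
LISTEN 0 128 [::1]:6082 [::]:*
LISTEN 0 128 *:80 *:*
"""


def parse_local_endpoint(field):
    """Split an ss 'Local Address:Port' field into (host, port)."""
    host, _, port = field.rpartition(":")
    host = host.strip("[]")  # ss prints IPv6 endpoints as [::1]:6082
    return host, int(port)


def is_externally_reachable(host):
    """True if a socket bound to `host` accepts connections from other machines."""
    if host in ("*", ""):
        return True  # wildcard notation used by older ss/netstat builds
    addr = ipaddress.ip_address(host)
    if addr.is_unspecified:  # 0.0.0.0 or :: means every interface
        return True
    return not addr.is_loopback


def find_external_listeners(ss_output):
    """Return [(host, port)] for LISTEN sockets that are not loopback-only."""
    external = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        host, port = parse_local_endpoint(fields[3])
        if is_externally_reachable(host):
            external.append((host, port))
    return external


def live_ss_output():
    """Run ss on the local host (Linux, iproute2) and return its stdout."""
    result = subprocess.run(["ss", "-H", "-ltn"], capture_output=True,
                            text=True, check=True)
    return result.stdout


if __name__ == "__main__":
    # Pass --live to inspect the real host instead of the constructed sample.
    text = live_ss_output() if "--live" in sys.argv else SAMPLE_SS_OUTPUT
    for host, port in find_external_listeners(text):
        print(f"port {port} is reachable from the network (bound to {host})")
```

On the sample this reports 6082 on 0.0.0.0, 22 on :: and 80 on *, while the two loopback-bound 6082 sockets pass. Whatever port the management interface actually uses on a given host, the expectation after hardening is that it only shows up bound to 127.0.0.1 or ::1; in Varnish the management listen address is set with varnishd’s `-T` option.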

The advisory should have been aimed at the distributions that have packages that don’t implement “non-clue friendly defaults”.

That said, there is nothing stopping me from sending out my passwords via email once I have installed a browser and I manage to log into my gmail account…
Subject: “Medium security hole in Mozilla Firefox”
Body: “I’ve identified a couple of security flaws affecting Mozilla Firefox (All versions) which may allow privilege escalation….”

“Grumpy day”


2 thoughts on “Phony security advisory from Tim Brown ( about Varnish

  1. As I understood it the flaw exists since a “trusted” user, under a non root account can execute arbitrary code as root since Varnish allows you to reclaim the dropped privileges. Therefore making varnish the equivalent of a setuid shell on a network port for the trusted non root user.

    There is also the chance of a remote non root exploit existing for another part on the server such as the kernel. Granted, it’s not that likely, but allowing authentication on the admin interface by default shouldn’t be that big a deal IMO.


  2. Someone just pointed me at this blog post so apologies for my late arrival.

    Wireghoul, thanks for your comment, a concise summary of my concerns. The way the advisory came out was largely as a result of several months of me trying to work firstly with phk himself and then various distros to resolve the problem without much joy (despite the distros at least acknowledging the problem – the CVE was assigned by Debian). Bear in mind that even FreeBSD and the Varnish supplied Redhat packaging for the proxy used to install it in the insecure state I described. I think to really understand the problem you need to take a dispassionate view. Imagine if someone told you that Sendmail or BIND listened on a TCP port without authentication and that via this port you could reconfigure the daemon to run as root and then inject arbitrary C code into it. The fact that in the case of those programs you’d most likely need to find some kind of memory corruption vulnerability, whereas in Varnish you wouldn’t, makes it much easier.

    I also take issue with your comparison to sending out your passwords in an email, an explicitly user triggered action. I think this problem is more similar to embedded Javascript being executed in your local context when you viewed a malicious email. Of course that was never considered a security flaw, oh, wait…

    FWIW, I’m a security professional with 70+ published advisories to my name and I’m also the founder of OpenVAS. I don’t report such issues for the sake of it, only where it affects myself or clients I work with and where the issues I am reporting have already been peer reviewed by friends and colleagues.

