CVE-2020-11653

7.5 HIGH

📋 TL;DR

This vulnerability in Varnish Cache causes assertion failures and daemon restarts when the PROXY version 2 protocol is used with TLS termination proxies. The result is denial of service through performance degradation and repeated worker restarts. Affected users are those running vulnerable Varnish Cache versions behind a TLS termination proxy that speaks PROXY version 2.

💻 Affected Systems

Products:
  • Varnish Cache
Versions: Before 6.0.6 LTS, 6.1.x and 6.2.x before 6.2.3, and 6.3.x before 6.3.2
Operating Systems: All operating systems running Varnish Cache
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when Varnish accepts the PROXY protocol (a listen socket started with 'varnishd -a address,PROXY') and receives PROXY version 2 headers, typically from a TLS termination proxy. Plain HTTP listen sockets and standard HTTP proxy configurations are not affected.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Repeated assertion failures causing continuous daemon restarts, leading to complete service unavailability and denial of service.

🟠 Likely Case: Intermittent daemon restarts causing performance degradation, increased latency, and potential service disruption during high traffic periods.

🟢 If Mitigated: Minimal impact if not using PROXY version 2 with TLS termination proxies, or if traffic patterns don't trigger the assertion failure.

🌐 Internet-Facing: HIGH - Varnish Cache is typically deployed as a front-end caching layer for web applications, making internet-facing instances vulnerable to DoS attacks.
🏢 Internal Only: MEDIUM - Internal instances could still be affected by legitimate traffic patterns, but less exposed to malicious exploitation.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending specially crafted PROXY version 2 traffic to a Varnish listen socket configured for the PROXY protocol. No authentication is needed because the PROXY header is parsed as soon as the connection is accepted, before any request is processed; in practice the sender must be able to reach that socket, which is normally only the TLS terminator.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.0.6 LTS, 6.2.3, or 6.3.2

Vendor Advisory: https://varnish-cache.org/security/VSV00005.html#vsv00005

Restart Required: Yes

Instructions:

1. Check the current Varnish version.
2. Upgrade to a patched version (6.0.6 LTS, 6.2.3, or 6.3.2).
3. Restart the Varnish service.
4. Verify the fix by checking the version and monitoring for assertion failures.

🔧 Temporary Workarounds

Disable PROXY version 2 (platform: all)

Configure Varnish to not use the PROXY version 2 protocol with TLS termination proxies.

# Edit Varnish configuration to use PROXY version 1 or disable PROXY protocol
# Specific configuration depends on your TLS termination proxy setup

Use alternative TLS termination (platform: all)

Route TLS traffic differently to avoid triggering the vulnerability.

# Reconfigure TLS termination to not use PROXY version 2
# Consider using different proxy configuration or direct TLS termination

🧯 If You Can't Patch

  • Implement network-level protections to filter or rate-limit PROXY version 2 traffic
  • Monitor Varnish logs closely for assertion failures and have restart automation ready

🔍 How to Verify

Check if Vulnerable:

Check the Varnish version with 'varnishd -V' and verify whether a listen socket uses the PROXY protocol and is fed PROXY version 2 headers by a TLS termination proxy.

Check Version:

varnishd -V 2>&1 | grep -i varnish

Verify Fix Applied:

After patching, run 'varnishd -V' to confirm the version is 6.0.6 LTS, 6.2.3 or 6.3.2 or later on its branch (6.1.x has no fixed release; move to 6.2.3 or later), and monitor logs for assertion failures.
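As an added example (not part of this advisory page), the following POSIX shell script automates the version check above: it extracts the version from the 'varnishd -V' banner and compares it with the fixed releases the advisory lists (6.0.6 LTS, 6.2.3, 6.3.2). The banner format 'varnishd (varnish-X.Y.Z revision <hash>)' is assumed from Varnish's usual output, and the 6.1.x branch is treated as unfixed because the page lists all of 6.1.x as affected with no fixed 6.1 release.

```shell
#!/bin/sh
# Added example for CVE-2020-11653 (not from the advisory): decide whether a
# varnishd version is at or above the fixed release for its branch.
# Assumed banner format (typical `varnishd -V` output):
#   varnishd (varnish-6.2.1 revision 9f8588e4ab785244e06c3446fe09bf9db5dd8753)
# Fixed releases from the advisory: 6.0.6 (LTS), 6.2.3, 6.3.2.
# 6.1.x is treated as unfixed (the advisory lists 6.1.x as affected, no 6.1 fix).

# Print the X.Y.Z version embedded in a varnishd -V banner line (empty if none).
varnish_version_from_banner() {
    printf '%s\n' "$1" |
        sed -n 's/.*varnish-\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Exit status: 0 = fixed, 1 = vulnerable, 2 = version string not understood.
varnish_is_fixed() {
    ver="$1"
    case "$ver" in
        [0-9]*.[0-9]*.[0-9]*) ;;
        *) return 2 ;;
    esac
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    patch=${patch%%[!0-9]*}   # drop a packaging suffix such as "-1"
    if [ "$major" -gt 6 ]; then return 0; fi
    if [ "$major" -lt 6 ]; then return 1; fi
    case "$minor" in
        0) [ "$patch" -ge 6 ] ;;     # 6.0.x fixed in 6.0.6 LTS
        1) return 1 ;;               # 6.1.x: no fixed release, upgrade branch
        2) [ "$patch" -ge 3 ] ;;     # 6.2.x fixed in 6.2.3
        3) [ "$patch" -ge 2 ] ;;     # 6.3.x fixed in 6.3.2
        *) return 0 ;;               # 6.4 and later were released after the fix
    esac
}

# Stand-alone use: inspect the locally installed varnishd, if there is one.
if command -v varnishd >/dev/null 2>&1; then
    banner=$(varnishd -V 2>&1 | grep -i varnish || true)
    ver=$(varnish_version_from_banner "$banner")
    varnish_is_fixed "$ver" && rc=0 || rc=$?
    case $rc in
        0) echo "varnish $ver: fixed for CVE-2020-11653" ;;
        1) echo "varnish $ver: VULNERABLE to CVE-2020-11653, upgrade" ;;
        *) echo "could not parse varnishd -V output: $banner" ;;
    esac
fi
```

The branch-aware comparison matters because a plain "newer than 6.0.6" test would wrongly pass 6.1.1 and 6.2.2, both of which the advisory lists as affected.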

📡 Detection & Monitoring

Log Indicators:

  • Assertion failures in Varnish logs
  • Daemon restart messages
  • PANIC messages related to PROXY protocol

Network Indicators:

  • Unusual patterns of PROXY version 2 traffic
  • Increased TCP connections during restart cycles

SIEM Query:

source="varnish.log" AND ("assertion failure" OR "PANIC" OR "restarting")
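As an added example (not from this advisory page), the shell functions below apply the log indicators and the SIEM query above to syslog-style varnishd lines and count worker restart cycles. The sample log lines are constructed for the example; the pattern matches the page's terms ("assertion failure", "PANIC", "restarting") and also the "Assert error in" and "Child (pid) died" wording that Varnish's management process writes when the worker child crashes. The 'journalctl -u varnish' unit name in the usage comment is an assumption about the local packaging.

```shell
#!/bin/sh
# Added example for CVE-2020-11653 (not from the advisory): run the advisory's
# log indicators over varnishd syslog lines and count worker restart cycles.
# The lines below are constructed samples; real messages differ in detail.
SAMPLE_VARNISH_LOG='Apr  1 10:00:01 cache01 varnishd[1001]: Child (1002) started
Apr  1 10:00:02 cache01 varnishd[1001]: Child (1002) said Child starts
Apr  1 10:05:40 cache01 varnishd[1001]: Child (1002) Panic at: Wed, 01 Apr 2020 10:05:40 GMT
Apr  1 10:05:40 cache01 varnishd[1001]: Assert error in PROXY v2 handling (constructed line)
Apr  1 10:05:40 cache01 varnishd[1001]: Child (1002) died signal=6 (core dumped)
Apr  1 10:05:41 cache01 varnishd[1001]: Child (1003) started'

# Print stdin lines matching the advisory indicators (assertion failure, PANIC,
# restart) plus the "Assert error" / "Child (pid) died" wording Varnish uses.
varnish_indicator_lines() {
    grep -Ei 'assert(ion)? (error|failure)|panic|child \([0-9]+\) died|restart' || true
}

# Count restart cycles on stdin: every "Child (<pid>) died" line is one crash of
# the worker child, which the management process then restarts. Prints the count.
varnish_restart_count() {
    grep -Eic 'child \([0-9]+\) died' || true
}

# Exit 0 (alert) when the number of worker deaths on stdin reaches threshold $1,
# e.g. to page on repeated restarts within one log window.
varnish_restart_alert() {
    n=$(varnish_restart_count)
    [ "$n" -ge "$1" ]
}

# Stand-alone run over the constructed sample. Real use (unit name assumed):
#   journalctl -u varnish | varnish_indicator_lines
printf '%s\n' "$SAMPLE_VARNISH_LOG" | varnish_indicator_lines
echo "worker restarts in sample: $(printf '%s\n' "$SAMPLE_VARNISH_LOG" | varnish_restart_count)"
```

Counting "Child (pid) died" lines rather than every matching line avoids triple-counting a single crash, which typically produces a panic line, an assertion line and a death line within the same second.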

🔗 References
