PT-2010-1279 · Varnish · Varnish

Published: 2010-04-05 · Updated: 2024-08-07 · CVE-2009-2936
CVSS v2.0: 7.5 (High)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions: Varnish versions prior to 2.1.0
Description: The command line interface (the management port enabled with the -T option) of the varnishd master process accepts commands over TCP without any authentication. Anyone who can reach the port can execute arbitrary code by sending a vcl.inline directive whose VCL program contains inline C code, which varnishd compiles and loads on the spot; change the user and group the worker process runs under by setting the corresponding parameters with param.set and then issuing stop and start; read the first line of an arbitrary file, because vcl.load echoes it back in the compiler error message; or, when the port is reachable from a trusted network, have a victim's browser deliver the commands (cross-site request forgery), since the CLI reads one command per line, rejects lines it does not recognise and carries on, so an HTTP request whose body contains CLI commands is partly executed. The vendor disputes the report and regards the management port as a privileged administrative interface that must not be exposed; versions from 2.1.0 add an optional authentication mechanism to it.
Recommendations: Update to Varnish 2.1.0 or later and start varnishd with the -S option pointing at a secret file readable only by the accounts that administer it. From that release the CLI refuses to run management commands (status 107) until the client answers a challenge derived from the secret, and varnishadm authenticates with the same file. Whether or not you upgrade, never expose the management port beyond the hosts that need it: bind the -T listener to the loopback address or a dedicated management network, filter the port at the firewall, and reach it over SSH from anywhere else. Treat the CLI as root-equivalent. Avoiding individual directives (vcl.inline, vcl.load, param.set, stop, start) is not a substitute, because an unauthenticated client can issue any of them regardless of what the operator uses. The CSRF vector is closed by the same two controls, authentication on the port and network restriction, not by input validation on the victim's side.
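A way to check a deployed instance for the condition described above, as an added example written for this page (it is not Varnish project code and not part of the original advisory). It speaks the documented CLI wire format, a status line of a three-digit code and a body length followed by the body and a newline, and the challenge-response scheme that came with -S, where the client answers `auth` with the hex SHA-256 of challenge, newline, secret file contents, challenge, newline. A pre-2.1 CLI sends nothing on connect and runs `ping` unauthenticated; a 2.1+ CLI started with -S greets with a 107 carrying the challenge. The sample responses in the test are constructed; host, port and secret path passed to main() are assumptions.

```python
"""Probe a Varnish management CLI (-T port) for unauthenticated access.

Added example, not code from Varnish. Relies on the documented CLI framing
("<status> <body-length>\\n" + body + "\\n") and the -S authentication:
    auth SHA256(challenge + "\\n" + secret_file_contents + challenge + "\\n")
Host, port and secret path are assumptions supplied on the command line.
"""
import hashlib
import socket
import sys


def encode_response(status: int, body: bytes) -> bytes:
    """Frame a response the way varnishd does (used to build test samples)."""
    return b"%d %d\n" % (status, len(body)) + body + b"\n"


def parse_response(data: bytes):
    """Return (status, body_text) for one complete response, or None if more
    bytes are needed. Raises ValueError if the status line is not CLI-shaped."""
    head, sep, rest = data.partition(b"\n")
    if not sep:
        return None
    fields = head.split(b" ")
    if len(fields) != 2 or not fields[0].isdigit() or not fields[1].isdigit():
        raise ValueError("malformed CLI status line: %r" % head)
    status, length = int(fields[0]), int(fields[1])
    if len(rest) < length + 1:  # body plus its terminating newline
        return None
    return status, rest[:length].decode("ascii", "replace")


def classify(status: int) -> str:
    """107: varnishd demands authentication (2.1+ started with -S).
    200: the command ran as-is, the CVE-2009-2936 condition."""
    if status == 107:
        return "auth-required"
    if status == 200:
        return "open"
    return "other:%d" % status


def challenge_from(body: str) -> str:
    """The challenge is the first line of a 107 body."""
    return body.split("\n", 1)[0]


def auth_response(challenge: str, secret: bytes) -> str:
    """Hex SHA-256 over challenge, newline, secret, challenge, newline."""
    line = challenge.encode("ascii") + b"\n"
    return hashlib.sha256(line + secret + line).hexdigest()


def read_response(sock, allow_silence=False, limit=1 << 16):
    """Accumulate bytes until one complete response parses. With allow_silence,
    a timeout before any byte arrives returns None (pre-2.1 sends no banner)."""
    buf = b""
    while True:
        parsed = parse_response(buf)
        if parsed is not None:
            return parsed
        try:
            chunk = sock.recv(4096)
        except socket.timeout:
            if allow_silence and not buf:
                return None
            raise
        if not chunk:
            raise ConnectionError("CLI closed before a complete response")
        buf += chunk
        if len(buf) > limit:
            raise ValueError("CLI response exceeds %d bytes" % limit)


def probe(host: str, port: int, secret: bytes = None, timeout: float = 3.0) -> str:
    """Connect and classify. With a secret, also complete the handshake so the
    result distinguishes a valid secret from a wrong one."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        first = read_response(sock, allow_silence=True)
        if first is None:
            # No banner: pre-2.1 behaviour. A harmless command that returns 200
            # proves the CLI executes commands without any authentication.
            sock.sendall(b"ping\n")
            first = read_response(sock)
        status, body = first
        verdict = classify(status)
        if verdict != "auth-required" or secret is None:
            return verdict
        reply = auth_response(challenge_from(body), secret)
        sock.sendall(b"auth " + reply.encode("ascii") + b"\n")
        status, _ = read_response(sock)
        return "auth-ok" if status == 200 else "auth-failed:%d" % status


def main(argv):
    if len(argv) < 3:
        print("usage: varnish_cli_probe.py HOST PORT [SECRET_FILE]", file=sys.stderr)
        return 2
    secret = open(argv[3], "rb").read() if len(argv) > 3 else None
    print(probe(argv[1], int(argv[2]), secret))  # open / auth-required / auth-ok / ...
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against the management port from the network segment you are worried about: "open" means any reachable client can issue vcl.inline and the rest of the directives listed above; "auth-required" means the 2.1.0 mechanism is active, and passing the secret file confirms the deployment's file actually matches what varnishd loaded.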

Weakness Enumeration

Improper Authentication

Related Identifiers

CVE-2009-2936

Affected Products

Varnish