CVE-2009-2936

DISPUTED The Command Line Interface (aka Server CLI or administration interface) in the master process in the reverse proxy server in Varnish before 2.1.0 does not require authentication for commands received through a TCP port, which allows remote attackers to (1) execute arbitrary code via a vcl.inline directive that provides a VCL configuration file containing inline C code; (2) change the ownership of the master process via param.set, stop, and start directives; (3) read the initial line of an arbitrary file via a vcl.load directive; or (4) conduct cross-site request forgery (CSRF) attacks that leverage a victim’s location on a trusted network and improper input validation of directives. NOTE: the vendor disputes this report, saying that it is “fundamentally misguided and pointless.”

Recent assessments:

h00die at March 25, 2020 12:04am UTC reported:

The (3) part of this does seem to be true, using vcl.load and supplying it a file will attempt to load the file. Because the file is most likely NOT a vcl file, the file will fail to load, however the error message echoed back to the user includes the first line of the file.
While you are able to read an arbitrary file, you’ll only get the first line, YMMV. The process is most likely also not running as root, so /etc/shadow where the first line would be great most likely won’t happen.

Assessed Attacker Value: 1
Assessed Attacker Value: 1Assessed Attacker Value: 3