CVE-2009-2936
published 2010-04-05


Priority: P2 · 66 · high
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
EXPLOIT: public exploit available
EPSS: 63.82% (99.1 percentile)
The Command Line Interface (aka Server CLI or administration interface) in the master process in the reverse proxy server in Varnish before 2.1.0 does not require authentication for commands received through a TCP port, which allows remote attackers to (1) execute arbitrary code via a vcl.inline directive that provides a VCL configuration file containing inline C code; (2) change the ownership of the master process via param.set, stop, and start directives; (3) read the initial line of an arbitrary file via a vcl.load directive; or (4) conduct cross-site request forgery (CSRF) attacks that leverage a victim's location on a trusted network and improper input validation of directives. NOTE: the vendor disputes this report, saying that it is "fundamentally misguided and pointless."

Affected

22 ranges (3 distinct entries; repeated rows collapsed below)

Vendor                    Product   Version range                   Fixed in
debian                    varnish   < varnish 2.1.0-2 (bookworm)    varnish 2.1.0-2 (bookworm)
varnish-cache             varnish   >= 0, < 2.1.0-2                 2.1.0-2                      (listed 4 times)
varnish.projects.linpro   varnish   (no range given)                (not given)                  (listed 17 times)

Detection & IOCs (extracted from sources)

port     6082
command  vcl.inline
command  vcl.load
command  param.set
command  vcl.load <rand> /etc/shadow
command  param.set vcc_allow_inline_c on
command  param.set user root
command  param.set group root
command  vcl.inline foo "vcl 4.0;\nbackend b { . host = \"127.0.0.1\"; } sub vcl_recv { if (req.url ~ \"^/backd00r\") { C{ asm(\"int3\"); }C } } \n"
path     /etc/shadow

Note on the command IOCs: the vcl.inline payload starts with the 'vcl 4.0;' version marker and is preceded by 'param.set vcc_allow_inline_c on'; both the VCL 4.0 syntax and the vcc_allow_inline_c parameter exist only in Varnish 4.0 and later, so these strings come from a proof of concept written against a later release. The pre-2.1.0 releases in this CVE's affected range accept inline C in VCL without any parameter change, so a vcl.inline containing 'C{ ... }C' on its own is the indicator to act on there.
  • Detect unauthenticated or brute-forced connections to the Varnish CLI port (default TCP 6082): a '107 \d+' status followed by 'Authentication required.' means the CLI is password-protected, while a '200 \d+' banner containing 'Varnish Cache CLI 1.0' with no preceding 107 means no authentication is required.
  • Alert on the CLI commands 'vcl.inline', 'vcl.load', 'param.set', 'stop' and 'start' sent over TCP to port 6082 from untrusted sources; these are the directives the CVE names.
  • Monitor for 'param.set vcc_allow_inline_c on' on the Varnish CLI. This parameter exists only in Varnish 4.0 and later, where it gates inline C; the pre-2.1.0 releases in this CVE's range compile inline C unconditionally, so its absence does not rule out RCE.
  • Look for a '200 \d+' response to an 'auth' command on TCP 6082, indicating successful authentication (possibly via brute force of the -S secret).
  • Detect inline C blocks in VCL sent over the CLI, identifiable by the 'C{ ... }C' delimiters, which is how arbitrary C (or shellcode) is embedded in VCL.
  • The Varnish CLI listens on TCP port 6082 by default. In Varnish before 2.1.0 no authentication is available at all; 2.1.0 added the -S option, which password-protects the CLI with a secret file.
  • On EPEL5/Fedora the default configuration binds the admin port to 127.0.0.1 and ::1 only; remote exploitation requires an administrator to have changed the admin interface binding to a remotely reachable address.
  • The 'vcc_unsafe_path' parameter (likewise a later-release parameter) is on by default and permits '..' in VCL include paths (e.g. 'import ../../../../file'), which can be combined with inline C for broader exploitation.
  • With -S enabled the CLI uses a SHA256 challenge-response: the server answers the connection with a 107 status carrying a 32-character challenge, and the client replies 'auth <hex>' where hex = SHA256(challenge + "\n" + secret + challenge + "\n") and secret is the raw contents of the secret file, trailing newline included.
  • The varnishd master process typically runs as root and forks an unprivileged child; after 'param.set user root' / 'param.set group root', a 'stop' followed by 'start' respawns the child as root, so any inline C that then runs does so with root privileges.
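The detection rules and the challenge-response formula above, as an added example that is not part of the page's sources or of Varnish itself: a Python audit of a captured CLI session that tracks whether the session was authenticated, verifies an observed 'auth' response against a secret you hold (useful when triaging whether a leaked secret file was used), and flags the directives this CVE names. The transcript format ("S> " server lines as "<status> <length> [first body line]", "C> " client lines, the challenge folded onto the 107 line), the secret and the challenge are all constructed for the example; real 107 responses carry the challenge on the line after the status line.

```python
"""Audit a captured Varnish CLI session (TCP 6082) for CVE-2009-2936 abuse patterns.
Transcript format is constructed for this example, not Varnish's own log format."""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass

CLIS_AUTH = 107   # Varnish CLI status: authentication challenge
CLIS_OK = 200     # Varnish CLI status: command accepted

DANGEROUS_COMMANDS = {"vcl.inline", "vcl.load", "param.set", "stop", "start"}
INLINE_C_RE = re.compile(r"C\{.*?\}C", re.S)
SERVER_RE = re.compile(r"S> (\d{3}) (\d+)(?: (.*))?$")


def cli_auth_response(challenge: str, secret: bytes) -> str:
    """Hex SHA256(challenge + "\\n" + secret + challenge + "\\n"); `secret` is the raw
    contents of the -S secret file, trailing newline included."""
    c = challenge.encode() + b"\n"
    return hashlib.sha256(c + secret + c).hexdigest()


@dataclass
class Finding:
    line: int
    kind: str
    detail: str


def audit_session(transcript: str, secret: bytes | None = None) -> list[Finding]:
    """Walk the transcript, track auth state, and flag the directives the CVE names."""
    findings: list[Finding] = []
    challenge: str | None = None
    authenticated = False
    last_cmd: list[str] = []            # last client command split into cmd, arg1, rest
    for n, raw in enumerate(transcript.splitlines(), 1):
        m = SERVER_RE.match(raw)
        if m:
            code, rest = int(m.group(1)), m.group(3) or ""
            if code == CLIS_AUTH:
                challenge = rest.strip()
                findings.append(Finding(n, "auth-required", "107 challenge: CLI is -S protected"))
            elif code == CLIS_OK and last_cmd[:1] == ["auth"]:
                authenticated = True
                if secret is not None and challenge is not None and len(last_cmd) > 1:
                    ok = last_cmd[1] == cli_auth_response(challenge, secret)
                    findings.append(Finding(n, "auth-success", "response matches supplied secret"
                                            if ok else "response does NOT match supplied secret"))
                else:
                    findings.append(Finding(n, "auth-success", "200 after auth (possible brute force)"))
            elif code == CLIS_OK and "Varnish Cache CLI" in rest and challenge is None:
                findings.append(Finding(n, "no-auth", "banner with no 107 challenge: unauthenticated CLI"))
            continue
        if not raw.startswith("C> "):
            continue                     # body continuation lines such as "Authentication required."
        last_cmd = raw[3:].split(" ", 2)
        cmd, args = last_cmd[0], last_cmd[1:]
        if cmd not in DANGEROUS_COMMANDS:
            continue
        who = "authenticated" if authenticated else "UNAUTHENTICATED"
        if cmd == "vcl.inline":
            body = args[1] if len(args) > 1 else ""
            kind = "inline-c" if INLINE_C_RE.search(body) else "vcl-change"
            findings.append(Finding(n, kind, f"{who} vcl.inline" + (" carrying a C{...}C block (RCE)" if kind == "inline-c" else "")))
        elif cmd == "vcl.load":
            path = args[1] if len(args) > 1 else "?"
            findings.append(Finding(n, "file-read", f"{who} vcl.load {path}: compiler error echoes the file's first line"))
        elif cmd == "param.set":
            param, value = (args + ["", ""])[:2]
            if param in ("user", "group") and value == "root":
                findings.append(Finding(n, "privesc", f"{who} param.set {param} root: child respawns as root on stop/start"))
            elif param == "vcc_allow_inline_c" and value == "on":
                findings.append(Finding(n, "enable-inline-c", f"{who} param.set vcc_allow_inline_c on (4.x+ only; pre-2.1.0 needs no switch)"))
            else:
                findings.append(Finding(n, "param-change", f"{who} param.set {param} {value}"))
        else:                            # stop / start
            findings.append(Finding(n, "restart", f"{who} {cmd}: applies current user/group params to the child"))
    return findings


# Constructed sample session: attacker authenticates with a leaked secret, then
# follows the CVE's enable-inline-C, privilege-change, RCE, file-read and restart steps.
SECRET = b"3c6e0b8a9c15224a8228b9a98ca1531d\n"   # stand-in for /etc/varnish/secret contents
CHALLENGE = "lksjdhfkasjdhfkjasdhfkjasdhfkasd"     # 32-char challenge, constructed
SAMPLE_TRANSCRIPT = "\n".join([
    "S> 107 59 " + CHALLENGE,
    "S> Authentication required.",
    "C> auth " + cli_auth_response(CHALLENGE, SECRET),
    "S> 200 279 Varnish Cache CLI 1.0",
    "C> param.set vcc_allow_inline_c on", "S> 200 0",
    "C> param.set user root", "S> 200 0",
    "C> param.set group root", "S> 200 0",
    'C> vcl.inline foo "vcl 4.0;\\nbackend b { .host = \\"127.0.0.1\\"; } '
    'sub vcl_recv { if (req.url ~ \\"^/backd00r\\") { C{ asm(\\"int3\\"); }C } }\\n"', "S> 200 0",
    "C> vcl.load x /etc/shadow", "S> 106 45 Message from VCC-compiler:",
    "C> stop", "S> 200 0",
    "C> start", "S> 200 0",
])


def finding_kinds(transcript: str, secret: bytes | None = None) -> list[str]:
    """Ordered list of finding kinds, handy for alert rules and tests."""
    return [f.kind for f in audit_session(transcript, secret)]
```

Run against a real capture, the thing to act on first is any finding whose detail starts with UNAUTHENTICATED: on a pre-2.1.0 server that is the whole CVE. An "auth-success" whose response does not match the secret you hold means either a secret rotation you did not know about or a forged transcript; one that does match means the secret file has leaked.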

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v2.0      7.5     HIGH       AV:N/AC:L/Au:N/C:P/I:P/A:P
osv                       7.5     HIGH
vendor_debian             7.5     LOW