CVE-2009-2936
Published 2010-04-05
Priority: P266 · high · 7.5 (CVSS 2.0)
AV:N/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 63.82% (99.1th percentile)
The Command Line Interface (aka Server CLI or administration interface) in the master process in the reverse proxy server in Varnish before 2.1.0 does not require authentication for commands received through a TCP port, which allows remote attackers to (1) execute arbitrary code via a vcl.inline directive that provides a VCL configuration file containing inline C code; (2) change the ownership of the master process via param.set, stop, and start directives; (3) read the initial line of an arbitrary file via a vcl.load directive; or (4) conduct cross-site request forgery (CSRF) attacks that leverage a victim's location on a trusted network and improper input validation of directives. NOTE: the vendor disputes this report, saying that it is "fundamentally misguided and pointless."
Affected
22 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | varnish | < varnish 2.1.0-2 (bookworm) | varnish 2.1.0-2 (bookworm) |
| varnish-cache | varnish | >= 0 < 2.1.0-2 | 2.1.0-2 |
| varnish-cache | varnish | >= 0 < 2.1.0-2 | 2.1.0-2 |
| varnish-cache | varnish | >= 0 < 2.1.0-2 | 2.1.0-2 |
| varnish-cache | varnish | >= 0 < 2.1.0-2 | 2.1.0-2 |
| varnish.projects.linpro | varnish | — | — |
| varnish.projects.linpro | varnish | — | — |
| varnish.projects.linpro | varnish | — | — |
| varnish.projects.linpro | varnish | — | — |
| varnish.projects.linpro | varnish | — | — |
| varnish.projects.linpro | varnish | — | — |
| varnish.projects.linpro | varnish | — | — |
| varnish.projects.linpro | varnish | — | — |
| varnish.projects.linpro | varnish | — | — |
| varnish.projects.linpro | varnish | — | — |
| varnish.projects.linpro | varnish | — | — |
| varnish.projects.linpro | varnish | — | — |
| varnish.projects.linpro | varnish | — | — |
| varnish.projects.linpro | varnish | — | — |
| varnish.projects.linpro | varnish | — | — |
| varnish.projects.linpro | varnish | — | — |
| varnish.projects.linpro | varnish | — | — |
Detection & IOCs (extracted from sources)
command: vcl.inline foo "vcl 4.0;\nbackend b { . host = \"127.0.0.1\"; } sub vcl_recv { if (req.url ~ \"^/backd00r\") { C{ asm(\"int3\"); }C } } \n"
- Detect unauthenticated or brute-forced connections to the Varnish CLI port (default TCP 6082); look for the banner pattern '107 \d+' followed by 'Authentication required.' or 'Varnish Cache CLI 1.0' indicating no auth is required.
- Alert on CLI commands 'vcl.inline', 'vcl.load', 'param.set', 'stop', and 'start' sent over TCP to port 6082 from untrusted sources, as these are the specific directives abused in this CVE.
- Monitor for 'param.set vcc_allow_inline_c on' on the Varnish CLI, which is a prerequisite step to enable inline C code execution for RCE.
- Look for the Varnish CLI response code '200 \d+' following an 'auth' command on TCP 6082, indicating successful authentication (possibly via brute force).
- Detect inline C code blocks in VCL payloads sent over the CLI, identifiable by the 'C{ ... }C' delimiter syntax, which is the mechanism for embedding shellcode or arbitrary C in VCL.
- The Varnish CLI listens on TCP port 6082 by default. In Varnish before 2.1.0, no authentication is required. Versions 2.1.0+ support the -S option to password-protect the CLI interface.
- On EPEL5/Fedora, the default configuration restricts the admin port to 127.0.0.1 and ::1 only; remote exploitation requires an administrator to have actively changed the admin interface binding to a remotely accessible address.
- The 'vcc_unsafe_path' parameter is on by default, enabling path traversal in VCL imports (e.g., 'import ../../../../file'), which can be combined with inline C for broader exploitation.
- The Varnish CLI uses a SHA256 challenge-response authentication scheme when auth is enabled; the response is computed as SHA256(challenge + "\n" + secret + challenge + "\n").
- The varnishd master process typically runs as root and forks an unprivileged child; privilege escalation to root is achievable via 'param.set user root' / 'param.set group root' followed by stop/start of the child process.
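The directive, inline-C and privilege-change checks listed above can be combined into one classifier over captured CLI lines. This is an added example, not code from any of the cited sources; the input format (source IP plus one reassembled client-to-server line from TCP 6082), the `TRUSTED` networks, the tag names and the sample events are assumptions made for illustration.

```python
import ipaddress
import re

# Assumption: sources allowed to administer Varnish; adjust per environment.
TRUSTED = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "::1/128")]
# Directives the CVE description lists as abused over the CLI.
RISKY = {"vcl.inline", "vcl.load", "param.set", "stop", "start"}
RULES = [
    # 'C{ ... }C' delimiters mark inline C inside a VCL payload.
    ("inline-c-block", re.compile(r"C\{.*?\}C", re.S)),
    # The page quotes 'on'; the other truthy spellings are an assumption.
    ("inline-c-enabled",
     re.compile(r"^param\.set\s+vcc_allow_inline_c\s+(on|enable|true|yes)\b", re.I)),
    # Child process reconfigured to run as root before a stop/start cycle.
    ("child-runs-as-root", re.compile(r"^param\.set\s+(user|group)\s+root\b", re.I)),
]


def classify(src_ip, line):
    """Return sorted finding tags for one client-to-server CLI line."""
    text = line.strip()
    if not text:
        return []
    findings = {tag for tag, rx in RULES if rx.search(text)}
    verb = text.split(None, 1)[0].lower()
    addr = ipaddress.ip_address(src_ip)
    if verb in RISKY and not any(addr in net for net in TRUSTED):
        findings.add("risky-directive-from-untrusted-source")
    return sorted(findings)


def scan(events):
    """Yield (src_ip, line, findings) for every event with a finding."""
    for src_ip, line in events:
        findings = classify(src_ip, line)
        if findings:
            yield src_ip, line, findings


# Constructed sample: (source IP, CLI line) pairs as a sensor on TCP 6082 might emit.
SAMPLE = [
    ("127.0.0.1", "param.set default_ttl 120"),
    ("203.0.113.7", "param.set vcc_allow_inline_c on"),
    ("203.0.113.7", 'vcl.inline foo "vcl 4.0; sub vcl_recv { C{ /* ... */ }C }"'),
    ("203.0.113.7", "param.set user root"),
    ("203.0.113.7", "stop"),
    ("198.51.100.9", "ping"),
]

if __name__ == "__main__":
    for src, line, tags in scan(SAMPLE):
        print(src, tags, line)
```

Content rules such as `inline-c-block` fire regardless of source, so inline C pushed from a trusted admin host is still surfaced for review.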
CVSS provenance
nvd · v2.0 · 7.5 · HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P
osv · 7.5 · HIGH
vendor_debian · 7.5 · LOW
VulDB
Varnish up to 2.0.6 Administration Interface improper authentication (ID 3865 / EDB-35581)
vuldb·2026-05-05·CVSS 7.5
A vulnerability described as problematic has been identified in Varnish up to 2.0.6. This affects an unknown part of the component Administration Interface. Executing a manipulation can lead to improper authentication.
This vulnerability is tracked as CVE-2009-2936. The attack can be launched remotely. Moreover, an exploit is present.
There is ongoing doubt regarding the real existence of this vulnerability.
Upgrading the affected component is recommended.
GHSA
GHSA-vq42-25hh-c536: ** DISPUTED ** The Command Line Interface (aka Server CLI or administration interface) in the master process in the reverse proxy server in Varnish be
ghsa_unreviewed·2022-05-02
CVE-2009-2936 [HIGH] CWE-287
** DISPUTED ** The Command Line Interface (aka Server CLI or administration interface) in the master process in the reverse proxy server in Varnish before 2.1.0 does not require authentication for commands received through a TCP port, which allows remote attackers to (1) execute arbitrary code via a vcl.inline directive that provides a VCL configuration file containing inline C code; (2) change the ownership of the master process via param.set, stop, and start directives; (3) read the initial line of an arbitrary file via a vcl.load directive; or (4) conduct cross-site request forgery (CSRF) attacks that leverage a victim's location on a trusted network and improper input validation of directives. NOTE: the vendor disputes this report, saying that it is "fundamentally misguided and pointle
OSV
CVE-2009-2936: The Command Line Interface (aka Server CLI or administration interface) in the master process in the reverse proxy server in Varnish before 2
osv·2010-04-05·CVSS 7.5
Debian
CVE-2009-2936: varnish - The Command Line Interface (aka Server CLI or administration interface) in the m...
vendor_debian·2009·CVSS 7.5
Scope: loca
No detection rules found.
Exploit-DB
Varnish Cache CLI Interface - Remote Code Execution (Metasploit)
exploitdb·2014-12-19
---
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 'Varnish Cache CLI Interface Bruteforce Utility',
'Description' => 'This module attempts to login to the Varnish Cache (varnishd) CLI instance using a bruteforce
list of passwords. This module will also attempt to read the /etc/shadow root password hash
if a valid password is found. It is possible to execute code as root with a valid password,
however this is not yet implemented in this module.',
'References' =>
[
[ 'OSVDB', '67670' ],
[ 'CVE', '2009-2936' ],
# General
[ 'URL', 'https://www.varnish-cache.org/trac/wiki/CLI' ],
[ 'CVE', '1999-0502']
Metasploit
Varnish Cache CLI File Read
metasploit
This module attempts to read the first line of a file by abusing the error message when
compiling a file with vcl.load.
Metasploit
Varnish Cache CLI Login Utility
metasploit
This module attempts to login to the Varnish Cache (varnishd) CLI instance using a bruteforce
list of passwords.
Bugzilla
CVE-2009-2936 Varnish reverse proxy flaw [fedora-all]
bugzilla·2010-04-05·CVSS 7.5
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected Fedora
versions.
For comments that are specific to the vulnerability please use bugs filed
against "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please include the bug IDs of the
respective parent bugs filed against the "Security Response" product.
Please mention CVE ids in the RPM changelog when available.
Bodhi update submission link:
https://admin.fedoraproject.org/updates/new/?type_=security&bugs=579533
Please note: this issue affects multiple supported versions
Bugzilla
CVE-2009-2936 Varnish reverse proxy flaw
bugzilla·2010-04-05·CVSS 7.5
** DISPUTED ** The Command Line Interface (aka Server CLI or
administration interface) in the master process in the reverse proxy
server in Varnish before 2.1.0 does not require authentication for
commands received through a TCP port, which allows remote attackers to
(1) execute arbitrary code via a vcl.inline directive that provides a
VCL configuration file containing inline C code; (2) change the
ownership of the master process via param.set, stop, and start
directives; (3) read the initial line of an arbitrary file via a
vcl.load directive; or (4) conduct cross-site request forgery (CSRF)
attacks that leverage a victim's location on a trusted network and
improper input validation of directives. NOTE: the vendor disputes
this report, saying that
http://lists.fedoraproject.org/pipermail/package-announce/2010-April/040359.html
http://www.securityfocus.com/archive/1/510360/100/0/threaded
http://www.securityfocus.com/archive/1/510368/100/0/threaded
http://www.varnish-cache.org/changeset/3865
http://www.varnish-cache.org/wiki/CLI
Published 2010-04-05