August 13, 2018

Summary

On Thursday, August 9th, research was published at Black Hat USA 2018 on web cache poisoning attacks against websites deployed behind caching infrastructure [1]. These attacks could allow an attacker to inject arbitrary content into a victim's cache.
Fastly service configurations that do not take into account the interaction between the cache key and the request headers that backends use to select content may be vulnerable. This risk can be fully mitigated via a VCL patch or by modifying backend configurations.

Detail

If one or more of your backends uses the contents of the X-Forwarded-Host, X-Rewrite-Url or X-Original-Url HTTP request headers to decide which content (or which security domain) it sends an HTTP response for, you may be impacted by this class of vulnerability. If your site's Fastly configuration passes such a header through to your backend, and does not factor the contents of that header into the effective edge cache key (for example explicitly, or via the Vary HTTP response header), an attacker could potentially cause the edge to store a response containing attacker-chosen content, which is then served from the cache to victims.

Impact

An attacker might be able to poison a Fastly customer URL by sending an HTTP request to the site that causes the affected backend to respond with an attacker-controlled response. The malicious response object would be stored in the site's cache at the poisoned URL. An attacker could then potentially lure a victim site user into browsing to the poisoned URL, where they would be served the malicious content.

Mitigation

If your origin uses these header values to select content for users or to otherwise select between security domains, we suggest that you consider the following mitigations:

  • Reconfiguring your origin server [2]
  • Applying corresponding security updates [3] [4] [5]
  • Stripping or normalizing these special values in VCL

For VCL guidance, consider setting the vulnerable headers to a known-safe value or unsetting them in vcl_recv, before the cache lookup. For example, the X-Forwarded-Host header can be set to the value of the Host header via the following VCL snippet:
set req.http.x-forwarded-host = req.http.host;
The X-Original-URL header can be unset via the following VCL snippet:
unset req.http.x-original-url;
And X-Rewrite-URL can be unset via the following VCL snippet:
unset req.http.x-rewrite-url;
Alternatively, these values could be included in your cache key [6] or Vary header [7] to prevent caching of content across security domains. Note that keying or varying on an attacker-controlled header gives every distinct value its own cached copy, so normalizing or unsetting the header is usually the simpler choice when your origin does not need it. Please see our documentation [6] for guidance on manipulating your edge cache key.
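The following Python model, added here as an illustration and not part of the Fastly advisory or of any Fastly code, ties the Detail and Mitigation sections together. It simulates an edge cache keyed on Host and path in front of a constructed origin that builds absolute URLs from X-Forwarded-Host (the behaviour the framework advisories in [2]-[5] describe), shows the attacker's poisoned response being served to a victim on a cache hit, and then applies the two mitigations above: a vcl_recv-style normalization hook equivalent to the VCL snippets, and a cache key that includes the header. The `Edge` and `origin` classes, the hostnames `www.example.com` and `evil.example`, and the request shapes are all assumptions made for the example.

```python
"""Simulated edge cache + origin demonstrating X-Forwarded-Host cache poisoning.

Everything here is constructed for illustration: the origin, the edge, and the
hostnames are hypothetical and do not model Fastly's real cache implementation.
"""
from dataclasses import dataclass


@dataclass
class Response:
    status: int
    body: str


def origin(req):
    """Constructed origin that trusts X-Forwarded-Host when building absolute URLs.

    This mirrors the unsafe framework behaviour referenced in the advisory: the
    header value ends up verbatim inside a cacheable HTML response.
    """
    headers = req["headers"]
    host = headers.get("x-forwarded-host") or headers["host"]
    body = f'<script src="https://{host}/static/app.js"></script>'
    return Response(200, body)


class Edge:
    """Minimal caching edge. Cache key = (Host, path) plus any 'vary' headers."""

    def __init__(self, origin_fn, recv=None, vary=()):
        self.origin = origin_fn
        self.recv = recv              # optional hook, analogous to vcl_recv
        self.vary = tuple(h.lower() for h in vary)
        self.store = {}

    def cache_key(self, req):
        key = [req["headers"]["host"], req["path"]]
        key += [req["headers"].get(h, "") for h in self.vary]
        return tuple(key)

    def fetch(self, req):
        # Lower-case header names so lookups match regardless of client casing.
        req = {"path": req["path"],
               "headers": {k.lower(): v for k, v in req["headers"].items()}}
        if self.recv:
            self.recv(req)
        key = self.cache_key(req)
        if key in self.store:
            return self.store[key], "HIT"
        resp = self.origin(req)
        self.store[key] = resp
        return resp, "MISS"


def normalize_recv(req):
    """Python equivalent of the advisory's VCL: pin X-Forwarded-Host to Host and
    drop the URL-rewrite headers before the cache lookup and the origin fetch."""
    req["headers"]["x-forwarded-host"] = req["headers"]["host"]
    req["headers"].pop("x-original-url", None)
    req["headers"].pop("x-rewrite-url", None)


def run_scenario(edge):
    """Attacker primes the cache, then a victim requests the same URL.

    Returns (cache state for the victim's request, whether the victim's
    response body contains the attacker-controlled host).
    """
    attacker = {"path": "/", "headers": {"Host": "www.example.com",
                                          "X-Forwarded-Host": "evil.example"}}
    victim = {"path": "/", "headers": {"Host": "www.example.com"}}
    edge.fetch(attacker)
    resp, state = edge.fetch(victim)
    return state, "evil.example" in resp.body


if __name__ == "__main__":
    print("vulnerable   :", run_scenario(Edge(origin)))
    print("normalized   :", run_scenario(Edge(origin, recv=normalize_recv)))
    print("varied on XFH:", run_scenario(Edge(origin, vary=["X-Forwarded-Host"])))
```

In the vulnerable configuration the victim gets a cache HIT on the attacker's object and the injected host appears in the page. With the normalization hook the attacker's header is overwritten before the origin ever sees it, so the cached object is clean. Including the header in the cache key also prevents the cross-user leak, but at the cost of one cache entry per distinct header value, which is why the advisory's normalization approach is the one to reach for first.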

Our support teams are standing by to assist with any questions or with implementing workarounds if you believe you may be at risk from this class of attack.
Customer inquiries can be directed to:

  • Marc Eisenbarth, Director of Application Security – meisenbarth@fastly.com
  • Dana Wolf, Senior Vice President of Product – dwolf@fastly.com
  • Laine Campbell, Senior Vice President of Engineering – lcampbell@fastly.com

Related Advisories and Issue Reports

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14773
https://hackerone.com/reports/487

Reference Links

[1] https://portswigger.net/blog/practical-web-cache-poisoning
[2] https://github.com/rails/rails/issues/29893
[3] https://www.drupal.org/SA-CORE-2018-005
[4] https://symfony.com/cve-2018-14773
[5] https://framework.zend.com/security/advisory/ZF2018-01
[6] https://docs.fastly.com/en/guides/manipulating-the-cache-key
[7] https://themedipia.com/blog/best-practices-using-vary-header
