Fastly Security Advisory: Cache Poisoning Vulnerability Leveraging X-Forwarded-Host Header

Applicability

The vulnerability is a variant of a previously reported issue and is ultimately the result of constructing cacheable origin responses from user-controlled data. The issue occurs when an attacker issues an HTTPS request whose Host header specifies a port number that is not actually in use by any service. It is then possible to cache a resource in such a way that future requests for it cannot be serviced properly.

This vulnerability applies to those customers whose service meets both of the following criteria:

  • The origin uses the complete X-Forwarded-Host header value (including the port number) to form a redirect response to the client; and
  • The Fastly service is configured to cache the origin’s redirect response.

Summary

Fastly was notified of the issue on May 21, 2020 13:30 UTC. Fastly immediately launched an investigation, identifying which origin servers responded with a test port number in the redirect response, in order to understand the vulnerability and possible solutions. After the investigation, Fastly first notified potentially affected customers on July 15, 2020 at 04:30 UTC.

Impact

If the vulnerability had been exploited, the affected service would not have been able to serve the targeted content to its clients. For example, an attacker sends a request to a service fronted by Fastly in which the Host header contains a closed port:

Attacker Request:

GET / HTTP/1.1
Host: www.example.com:10000

Fastly Request to Origin:

GET / HTTP/1.1
Host: www.example.com
X-Forwarded-Host: www.example.com:10000

Origin + Fastly Redirect Response:

HTTP/1.1 302 Found
Location: https://www.example.com:10000/en
X-Cache: MISS, MISS

If Fastly then caches the response, subsequent valid requests to the cached resource will be redirected to the closed port and time out:

Victim Request + Response:

GET / HTTP/1.1
Host: www.example.com

HTTP/1.1 302 Found
Location: https://www.example.com:10000/en
X-Cache: MISS, HIT

Remediation

As of August 4, Fastly has implemented a fix in Varnish to return a status code of 421 "Misdirected Request" if the request’s Host header specifies a port number on which the request was not received.

More Information

[1] Abstract: https://www.blackhat.com/us-20/briefings/schedule/index.html#web-cache-entanglement-novel-pathways-to-poisoning-19712
[2] Whitepaper: https://portswigger.net/research/web-cache-entanglement-novel-pathways-to-poisoning
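The edge check described under Remediation and the origin-side redirect construction behind the Impact section, written out as an added Python example (this is not Fastly's Varnish code or any customer's origin code). The host names and paths are the advisory's own; the port the edge compares against (443 for HTTPS) and the origin's allow-list of host names are assumptions.

```python
"""Checks modelled on the advisory's mechanism and remediation (added example,
not Fastly's Varnish code or any customer's origin code)."""
from typing import Optional, Set
from urllib.parse import urlsplit

# Assumed: the edge knows the port each request arrived on (443 for HTTPS).
DEFAULT_PORTS = {"http": 80, "https": 443}


def split_host_header(host_header: str):
    """Split 'www.example.com:10000' into ('www.example.com', 10000).
    A Host value with no explicit port yields port None. A malformed port
    raises ValueError, which a real edge would answer with a 400."""
    parts = urlsplit("//" + host_header.strip())
    return (parts.hostname or "").lower(), parts.port


def edge_status_for(host_header: str, scheme: str, received_port: int) -> Optional[int]:
    """Edge-side rule from the Remediation section: answer 421 Misdirected
    Request when the Host header names a port the request did not arrive on.
    Returns None when the request may be forwarded to the origin."""
    _, port = split_host_header(host_header)
    effective_port = port if port is not None else DEFAULT_PORTS[scheme]
    return 421 if effective_port != received_port else None


def vulnerable_redirect_location(x_forwarded_host: str, path: str) -> str:
    """The origin behaviour the advisory describes: the client-controlled
    X-Forwarded-Host value, port included, is copied into Location."""
    return f"https://{x_forwarded_host}{path}"


def hardened_redirect_location(x_forwarded_host: str, allowed_hosts: Set[str],
                               scheme: str, path: str) -> Optional[str]:
    """Origin-side fix: build Location from the allow-listed host name only,
    so a port injected through the Host header never reaches the cache.
    Returns None for a host name the origin does not serve (assumed policy)."""
    hostname, _ = split_host_header(x_forwarded_host)
    if hostname not in allowed_hosts:
        return None
    return f"{scheme}://{hostname}{path}"


if __name__ == "__main__":
    # Constructed replay of the advisory's attacker request, received over HTTPS.
    attacker_host = "www.example.com:10000"
    print("edge:", edge_status_for(attacker_host, "https", 443))
    print("before:", vulnerable_redirect_location(attacker_host, "/en"))
    print("after:", hardened_redirect_location(attacker_host, {"www.example.com"}, "https", "/en"))
```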

Event Timing

May 21, 2020 13:30 UTC - Notified by external security researcher. Fastly Security team initiates investigation at time of notification.

June 5, 2020 - Fastly began the scoping effort to determine a solution in order to protect customer origins from requests exhibiting this behavior.

June 18, 2020 - Completed internal investigation and began evaluations for mitigations and recommendations for those potentially affected customers identified.

July 15, 2020 04:30 UTC - Contacted customers who were identified as potentially affected by this issue.

July 16, 2020 to July 31, 2020 - Deployed additional testing and improved logging of requests exhibiting characteristics of this vulnerability.

August 3, 2020 08:00 UTC to August 4, 2020 23:00 UTC - Deployed the vulnerability fix to the Fastly network, protecting all customer origins going forward.

Contact Information

If you have any further questions, please contact Fastly Customer Engineering at support@fastly.com or the Fastly Security team at security@fastly.com.