oss-sec mailing list archives

SQUID-2018:2 Denial of Service issue in HTTP Message processing

From: Amos Jeffries <squid3 () treenet co nz>
Date: Mon, 22 Jan 2018 22:42:53 +1300
Notes for OSS-Security people:

* CVE has been requested through DWF, waiting on assignment.

* The patch for Squid-3.5 should also be applicable for most other
Squid-3.x releases.

* The patch for Squid-4 is provided for anyone having to use older betas
if any unrelated issues prevent an upgrade. This being a beta release
series at present the preferred option is upgrade.

__________________________________________________________________

    Squid Proxy Cache Security Update Advisory SQUID-2018:2
__________________________________________________________________

Advisory ID:        SQUID-2018:2
Date:               Jan 19, 2018
Summary:            Denial of Service issue
                    in HTTP Message processing.
Affected versions:  Squid 3.x -> 3.5.27
                    Squid 4.x -> 4.0.22
Fixed in version:   Squid 4.0.23
__________________________________________________________________

    http://www.squid-cache.org/Advisories/SQUID-2018_2.txt
__________________________________________________________________

Problem Description:

 Due to incorrect pointer handling Squid is vulnerable to denial
 of service attack when processing ESI responses or downloading
 intermediate CA certificates.

__________________________________________________________________

Severity:

 This problem allows a remote client delivering certain HTTP
 requests in conjunction with certain trusted server responses to
 trigger a denial of service for all clients accessing the Squid
 service.

__________________________________________________________________

Updated Packages:

 This bug is fixed by Squid version 4.0.23.

 In addition, patches addressing this problem for the stable
 releases can be found in our patch archives:

Squid 3.5:
 <http://www.squid-cache.org/Versions/v3/3.5/changesets/SQUID-2018_2.patch>

Squid 4:
 <http://www.squid-cache.org/Versions/v4/changesets/SQUID-2018_2.patch>

 If you are using a prepackaged version of Squid then please refer
 to the package vendor for availability information on updated
 packages.

__________________________________________________________________

Determining if your version is vulnerable:

 All Squid configured with "log_uses_indirect_client off" are not
 vulnerable.

 All Squid-3.0 versions built with --enable-esi and being used for
 reverse-proxy with squid.conf containing
 "log_uses_indirect_client on" are vulnerable.

 All Squid-3.1 and later versions up to and including
 Squid-3.5.27 being used for reverse-proxy with squid.conf
 containing "log_uses_indirect_client on" are vulnerable.

 All Squid-4 up to and including Squid-4.0.22 being used for
 reverse-proxy with squid.conf containing
 "log_uses_indirect_client on" are vulnerable.

 All unpatched Squid-4 up to and including Squid-4.0.22 being
 used for TLS/HTTPS intercept proxy with squid.conf containing
 "log_uses_indirect_client on" are vulnerable.

__________________________________________________________________

Workarounds:

 Configure "log_uses_indirect_client off" in squid.conf

__________________________________________________________________

Contact details for the Squid project:

 For installation / upgrade support on binary packaged versions
 of Squid: Your first point of contact should be your binary
 package vendor.

 If your install and build Squid from the original Squid sources
 then the squid-users () lists squid-cache org mailing list is your
 primary support point. For subscription details see
 <http://www.squid-cache.org/Support/mailing-lists.html>.

 For reporting of non-security bugs in the latest STABLE release
 the squid bugzilla database should be used
 <http://bugs.squid-cache.org/>.

 For reporting of security sensitive bugs send an email to the
 squid-bugs () lists squid-cache org mailing list. It's a closed
 list (though anyone can post) and security related bug reports
 are treated in confidence until the impact has been established.

__________________________________________________________________

Credits:

 The initial issue was reported by Louis Dion-Marcil on behalf of
 GoSecure.

 Fixed by Amos Jeffries from Treehouse Networks Ltd.

__________________________________________________________________

Revision history:

 2017-12-13 20:09:30 UTC Initial Report
 2018-01-18 23:10:00 UTC Patches Released
 2018-01-21 07:45:00 UTC Advisory and fixed packages released
__________________________________________________________________
END
Attachment: signature.asc
Description: OpenPGP digital signature
Current thread:

SQUID-2018:2 Denial of Service issue in HTTP Message processing Amos Jeffries (Jan 22)
- Re: SQUID-2018:2 Denial of Service issue in HTTP Message processing Amos Jeffries (Jan 28)