oss-sec mailing list archives

CVE Request: Squid HTTP Caching Proxy multiple issues

From: Amos Jeffries <squid3 () treenet co nz>
Date: Thu, 21 Apr 2016 02:29:26 +1200

Hi,
 several vulnerabilities have been reported in Squid proxy.


A buffer overflow in the cachemgr.cgi tool reported by CESG (CESG REF:
56397140 / VULNERABILITY ID: 394201) allows remote clients to perform an
indirect denial of service attack on the proxy administrator. It could
be used trivially to hide other activities from inspection. Or be used
to perform remote code execution on systems without overflow protection.

This bug was also independently reported by Yuriy M. Kaminskiy.

The cachemgr.cgi tool is vulnerable when built from;
Squid-3.x up to and including 3.5.16,
Squid-4.x up to and including 4.0.8, and
Squid-2.x all versions.

Upstream report will be at:
 <http://www.squid-cache.org/Advisories/SQUID-2016_5.txt>

Patches at:
 <http://www.squid-cache.org/Versions/v4/changesets/squid-4-14643.patch>
 <http://www.squid-cache.org/Versions/v3/3.5/changesets/SQUID-2016_5.patch>
 <http://www.squid-cache.org/Versions/v3/3.4/changesets/SQUID-2016_5.patch>
 <http://www.squid-cache.org/Versions/v3/3.3/changesets/SQUID-2016_5.patch>
 <http://www.squid-cache.org/Versions/v3/3.2/changesets/SQUID-2016_5.patch>



Multiple on-stack buffer overflow from incorrect bounds calculation in
Squid ESI processing has been reported by CESG (CESG REF: 56284998 /
VULNERABILITY ID: 393536) which allows remote code execution or denial
of service if depending on the OS overflow protections which are active.

Further investigation has found that when compiler optimization is
applied incorrect use of assert() leads to information disclosure of
stack contents to remote clients and a second buffer overflow leads to
further remote code execution possibilities.

Squid-2.x are not vulnerable.
Squid-3.x up to and including 3.5.16,
Squid-4.x up to and including 4.0.8,
 when built with --enable-esi and used for either CDN reverse-proxy or
TLS MITM are vulnerable.

Upstream report will be at:
 <http://www.squid-cache.org/Advisories/SQUID-2016_6.txt>

Patches at:
 <http://www.squid-cache.org/Versions/v4/changesets/squid-4-14648.patch>
 <http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-14034.patch>
 <http://www.squid-cache.org/Versions/v3/3.4/changesets/squid-3.4-13235.patch>
 <http://www.squid-cache.org/Versions/v3/3.3/changesets/squid-3.3-12697.patch>
 <http://www.squid-cache.org/Versions/v3/3.2/changesets/squid-3.2-11841.patch>



PS. Some of our mirrors may not be updated for up to 24hrs. The "www."
in URLs can be replaced with "west." to fetch from a more up to date
mirror directly if one has trouble.


Amos Jeffries
Squid Software Foundation

Attachment: signature.asc
Description: OpenPGP digital signature

Current thread:

CVE Request: Squid HTTP Caching Proxy multiple issues Amos Jeffries (Apr 20)
- Re: CVE Request: Squid HTTP Caching Proxy multiple issues cve-assign (Apr 20)