oss-sec mailing list archives
Squid Proxy multiple vulnerabilities
From: Amos Jeffries <squid3 () treenet co nz>
Date: Mon, 29 Oct 2018 05:13:40 +1300
Several vulnerabilities have recently been found in Squid HTTP proxy. CVEs have been requested and are awaiting assignment by the DWF project.

* A Cross-Site Scripting vulnerability (CWE-74, CWE-79) has been found in the TLS error handling by Squid.

Several fields of X.509 certificates can contain HTML syntax and were not being correctly quoted/encoded before inserting into HTML error pages generated by the proxy.

This issue allows an attacker to craft an X.509 certificate that both triggers an error and alters how that error is displayed by a client such as a Browser.

Affected Versions:
Squid 3.1.12.1 -> 3.1.23
Squid 4.0 -> 4.3

Squid 3.1.12 and older including Squid-2.x are not vulnerable.

The patch for Squid-3.5 should apply relatively cleanly to all v3.x affected versions.

<http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-f1657a9decc820f748fa3aff68168d3145258031.patch>
<http://www.squid-cache.org/Versions/v4/changesets/squid-4-828245b90206602014ce057c3db39fb80fcc4b08.patch>
<http://www.squid-cache.org/Versions/v5/changesets/squid-5-6feeb15ff312f3e145763adf8d234ed6a0b3f11d.patch>

<http://www.squid-cache.org/Advisories/SQUID-2018_4.txt>

* A small memory leak (CWE-400, CWE-401, CWE-772) in processing of SNMP packets can be abused by remote attackers to consume large amounts of memory over a short time.

Under testing this led to Squid crashing and direct denial of service to clients using the proxy.

Also, in Linux environments with default virtual memory allocation policies it led to complete consumption of the machine's available memory and denial of service to other applications using the same server. In these latter situations a hard restart of the server may be necessary to recover.

Affected versions:
Squid 3.2.0.10 -> 3.5.28
Squid 4.x -> 4.3

Squid 3.2.0.9 and older (including Squid-2.x) are not vulnerable.

This issue is limited to Squid receiving SNMP traffic. So builds using --disable-snmp are not at all vulnerable. Builds not configured to receive SNMP (default, absent, or '0' values for snmp_port) are not immediately vulnerable, but may become so with simple configuration changes.

The patch for Squid-3.5 should apply relatively cleanly to all v3.x affected versions.

<http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-bc9786119f058a76ddf0625424bc33d36460b9a2.patch>
<http://www.squid-cache.org/Versions/v4/changesets/squid-4-983c5c36e5f109512ed1af38a329d0b5d0967498.patch>
<http://www.squid-cache.org/Versions/v5/changesets/squid-5-644131ff1e00c1895d77561f561d29c104ba6b11.patch>

<http://www.squid-cache.org/Advisories/SQUID-2018_5.txt>

Amos Jeffries
The Squid Software Foundation
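A triage check for the SNMP memory-leak conditions listed in the message above, as an added example that is not part of the original post or Squid's own code: it classifies a host from `squid -v` output and squid.conf text using the stated version ranges, --disable-snmp, and snmp_port. The function names and sample inputs are constructed for illustration, and it assumes the last snmp_port line in the file is the effective one.

```python
import re

# Affected ranges for the SNMP memory leak, as stated in the advisory text.
AFFECTED = [((3, 2, 0, 10), (3, 5, 28)), ((4,), (4, 3))]

def parse_version(text):
    """Return the first dotted version number in text as a tuple of ints."""
    m = re.search(r"(\d+(?:\.\d+)+)", text)
    if not m:
        raise ValueError("no version number found")
    return tuple(int(part) for part in m.group(1).split("."))

def snmp_port(conf_text):
    """Return the configured snmp_port, or 0 when absent (SNMP not received)."""
    port = 0
    for line in conf_text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments
        if len(fields) >= 2 and fields[0] == "snmp_port" and fields[1].isdigit():
            port = int(fields[1])  # assumption: last directive wins
    return port

def assess(squid_v_output, conf_text):
    """Classify exposure to the SNMP leak from build info and configuration."""
    version = parse_version(squid_v_output)
    if not any(lo <= version <= hi for lo, hi in AFFECTED):
        return "not affected: version outside advisory ranges"
    if "--disable-snmp" in squid_v_output:
        return "not affected: built with --disable-snmp"
    port = snmp_port(conf_text)
    if port == 0:
        return "latent: affected build, SNMP not enabled in config"
    return f"exposed: affected build receiving SNMP on port {port}"

# Constructed sample inputs (not taken from a real host).
SAMPLE_V = ("Squid Cache: Version 3.5.27\n"
            "configure options:  '--prefix=/usr' '--enable-snmp'\n")
SAMPLE_CONF = "http_port 3128\n# snmp_port 0\nsnmp_port 3401\n"

if __name__ == "__main__":
    print(assess(SAMPLE_V, SAMPLE_CONF))
```

A "latent" result means the build still needs the patch, since enabling snmp_port later would expose it.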