Squid Proxy Cache Security Update Advisory SQUID-2024:3
|
|
| Advisory ID: |
SQUID-2024:3 |
| Date: |
Jun 10, 2024 |
| Summary: |
Denial of Service in ESI processing |
| Affected versions: |
Squid 3.0 -> 3.5.28 |
|
Squid 4.0 -> 4.16 |
|
Squid 5.0 -> 5.9 |
|
Squid 6.0 -> 6.9 |
| Fixed in version: |
Squid 6.10 |
Problem Description:
Due to an Out-of-bounds Write error when assigning ESI variables,
Squid is susceptible to a Memory Corruption error, which can
result in a Denial of Service.
Severity:
This problem allows a trusted server to perform a Denial of Service attack on
Squid while processing ESI response content.
This affects all domains being serviced by the proxy and all clients using
it during the affected period.
The trigger for this issue are values which clients might normally expect to use
in valid ESI response content. As such admin should expect this issue to be
already occurring without any malicious 0-day attack existing.
This issue is limited to Squid acting as reverse proxy where ESI feature has been
enabled at build time
CVSS Score of 6.3
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:H&version=3.1
Updated Packages:
This bug is fixed by Squid version 6.10.
In addition, patches addressing this problem for the stable
releases can be found in our patch archives:
Squid 3.x, 4, or 5:
https://github.com/squid-cache/squid/commit/f411fe7d75197852f0e5ee85027a06d58dd8df4c.patch
If you are using a prepackaged version of Squid then please refer
to the package vendor for availability information on updated
packages.
Determining if your version is vulnerable:
All Squid built with --disable-esi are not vulnerable.
All Squid-3.0 versions built without --enable-esi are not
vulnerable.
All Squid-3.x versions built with --enable-esi are vulnerable.
All Squid-4.x built with --enable-esi are vulnerable.
All Squid-5.x built with --enable-esi are vulnerable.
All Squid-6.x up to and including 6.9 built with --enable-esi
are vulnerable
Workaround:
Build Squid with --disable-esi
Contact details for the Squid project:
For installation / upgrade support on binary packaged versions
of Squid: Your first point of contact should be your binary
package vendor.
If you install and build Squid from the original Squid sources
then the squid-users@lists.squid-cache.org mailing list is your
primary support point. For subscription details see
http://www.squid-cache.org/Support/mailing-lists.html.
For reporting of non-security bugs in the latest STABLE release
the squid bugzilla database should be used
http://bugs.squid-cache.org/.
For reporting of security sensitive bugs send an email to the
squid-bugs@lists.squid-cache.org mailing list. It's a closed
list (though anyone can post) and security related bug reports
are treated in confidence until the impact has been established.
Credits:
This vulnerability was discovered by Joshua Rogers of Opera Software.
Fixed by Francesco Chemolli kinkie@squid-cache.org
Revision history:
2021-03-01 23:06:11 UTC Initial Report
2024-06-02 14:00:00 UTC Patches released
2024-06-10 14:00:00 UTC Fixed packages released
END
Squid Proxy Cache Security Update Advisory SQUID-2024:3
Problem Description:
Due to an Out-of-bounds Write error when assigning ESI variables,
Squid is susceptible to a Memory Corruption error, which can
result in a Denial of Service.
Severity:
This problem allows a trusted server to perform a Denial of Service attack on
Squid while processing ESI response content.
This affects all domains being serviced by the proxy and all clients using
it during the affected period.
The trigger for this issue are values which clients might normally expect to use
in valid ESI response content. As such admin should expect this issue to be
already occurring without any malicious 0-day attack existing.
This issue is limited to Squid acting as reverse proxy where ESI feature has been
enabled at build time
CVSS Score of 6.3
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:H&version=3.1
Updated Packages:
This bug is fixed by Squid version 6.10.
In addition, patches addressing this problem for the stable
releases can be found in our patch archives:
Squid 3.x, 4, or 5:
https://github.com/squid-cache/squid/commit/f411fe7d75197852f0e5ee85027a06d58dd8df4c.patch
If you are using a prepackaged version of Squid then please refer
to the package vendor for availability information on updated
packages.
Determining if your version is vulnerable:
All Squid built with --disable-esi are not vulnerable.
All Squid-3.0 versions built without --enable-esi are not
vulnerable.
All Squid-3.x versions built with --enable-esi are vulnerable.
All Squid-4.x built with --enable-esi are vulnerable.
All Squid-5.x built with --enable-esi are vulnerable.
All Squid-6.x up to and including 6.9 built with --enable-esi
are vulnerable
Workaround:
Build Squid with --disable-esi
Contact details for the Squid project:
For installation / upgrade support on binary packaged versions
of Squid: Your first point of contact should be your binary
package vendor.
If you install and build Squid from the original Squid sources
then the squid-users@lists.squid-cache.org mailing list is your
primary support point. For subscription details see
http://www.squid-cache.org/Support/mailing-lists.html.
For reporting of non-security bugs in the latest STABLE release
the squid bugzilla database should be used
http://bugs.squid-cache.org/.
For reporting of security sensitive bugs send an email to the
squid-bugs@lists.squid-cache.org mailing list. It's a closed
list (though anyone can post) and security related bug reports
are treated in confidence until the impact has been established.
Credits:
This vulnerability was discovered by Joshua Rogers of Opera Software.
Fixed by Francesco Chemolli kinkie@squid-cache.org
Revision history:
2021-03-01 23:06:11 UTC Initial Report
2024-06-02 14:00:00 UTC Patches released
2024-06-10 14:00:00 UTC Fixed packages released
END