Discussion:
Squid Proxy multiple vulnerabilities
Amos Jeffries
2018-10-28 16:13:40 UTC
Several vulnerabilities have recently been found in Squid HTTP proxy.

CVE have been requested and awaiting assignment by the DWF project.



* A Cross-Site Scripting vulnerability (CWE-74, CWE-79) has been found
in the TLS error handling by Squid.

Several fields of X.509 certificates can contain HTML syntax and were
not being correctly quoted/encoded before inserting into HTML error
pages generated by the proxy. This issue allows an attacker to craft an
X.509 certificate that both triggers an error and alters how that error
is displayed by a client such as a Browser.

Affected Versions:
Squid 3.1.12.1 -> 3.1.23
Squid 4.0 -> 4.3

Squid 3.1.12 and older including Squid-2.x are not vulnerable.


The patch for Squid-3.5 should apply relatively cleanly to all v3.x
affected versions.

<http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-f1657a9decc820f748fa3aff68168d3145258031.patch>

<http://www.squid-cache.org/Versions/v4/changesets/squid-4-828245b90206602014ce057c3db39fb80fcc4b08.patch>

<http://www.squid-cache.org/Versions/v5/changesets/squid-5-6feeb15ff312f3e145763adf8d234ed6a0b3f11d.patch>

<http://www.squid-cache.org/Advisories/SQUID-2018_4.txt>



* A small memory leak (CWE-400, CWE-401, CWE-772) in processing of SNMP
packets can be abused by remote attackers to consume large amounts of
memory over a short time.

Under testing this led to Squid crashing and direct denial of service
to clients using the proxy. Also, in Linux environments with default
virtual memory allocation policies it led to complete consumption of
the machine's available memory and denial of service to other
applications using the same server. In these latter situations a hard
restart of the server may be necessary to recover.

Affected versions:
Squid 3.2.0.10 -> 3.5.28
Squid 4.x -> 4.3

Squid 3.2.0.9 and older (including Squid-2.x) are not vulnerable.

This issue is limited to Squid receiving SNMP traffic. So builds using
--disable-snmp are not at all vulnerable.

Builds not configured to receive SNMP (default, absent, or '0' values
for snmp_port) are not immediately vulnerable, but may become so with
simple configuration changes.


The patch for Squid-3.5 should apply relatively cleanly to all v3.x
affected versions.

<http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-bc9786119f058a76ddf0625424bc33d36460b9a2.patch>

<http://www.squid-cache.org/Versions/v4/changesets/squid-4-983c5c36e5f109512ed1af38a329d0b5d0967498.patch>

<http://www.squid-cache.org/Versions/v5/changesets/squid-5-644131ff1e00c1895d77561f561d29c104ba6b11.patch>

<http://www.squid-cache.org/Advisories/SQUID-2018_5.txt>



Amos Jeffries
The Squid Software Foundation
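The first advisory above describes certificate fields being dropped into an HTML error page without quoting. The following is an added example (not Squid's code) of the pattern and its fix: a toy error-page template with %ssl_subject / %ssl_cn placeholders (token names assumed for illustration, modelled on the style of Squid's templates) is expanded once verbatim, reproducing the vulnerable behaviour, and once with every certificate-derived value HTML-escaped. The certificate subject is constructed inline, not decoded from a real certificate.

```python
import html
import re

# Constructed sample subject (not a real certificate): the CN carries HTML
# markup of the kind the advisory says was inserted unescaped.
EVIL_SUBJECT = {
    "C": "XX",
    "O": 'Example "Corp"',
    "CN": "<script>alert(document.domain)</script>",
}

# Stand-in error-page template. The %ssl_subject / %ssl_cn tokens mirror the
# style of Squid's error templates but are assumed here, not taken from Squid.
TEMPLATE = (
    "<html><body>\n"
    "<h1>TLS error</h1>\n"
    "<p>Subject: %ssl_subject</p>\n"
    "<p>Common name: %ssl_cn</p>\n"
    "</body></html>\n"
)


def subject_string(subject):
    """OpenSSL-style one-line subject: /C=XX/O=.../CN=..."""
    return "/" + "/".join(f"{k}={v}" for k, v in subject.items())


def _fields(subject):
    return {"ssl_subject": subject_string(subject),
            "ssl_cn": subject.get("CN", "")}


def _expand(template, values, quote):
    def sub(m):
        name = m.group(1)
        if name not in values:
            return m.group(0)          # unknown token: leave untouched
        v = values[name]
        return html.escape(v, quote=True) if quote else v
    return re.sub(r"%(\w+)", sub, template)


def render_vulnerable(subject, template=TEMPLATE):
    """Pre-fix behaviour: certificate fields dropped into HTML verbatim."""
    return _expand(template, _fields(subject), quote=False)


def render_fixed(subject, template=TEMPLATE):
    """Post-fix behaviour: every certificate-derived field is HTML-escaped
    (quotes included, so the value is also safe inside an attribute)."""
    return _expand(template, _fields(subject), quote=True)


def has_live_markup(page):
    """Crude detector for the symptom: a <script ...> tag reaching the client."""
    return re.search(r"<script\b", page, re.I) is not None


if __name__ == "__main__":
    print(render_vulnerable(EVIL_SUBJECT))
    print(render_fixed(EVIL_SUBJECT))
```

The escaping has to happen at the point where the value enters the HTML, not at certificate parse time: the same subject string may also be written to cache.log or returned in a header, where HTML entities would be wrong.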
Amos Jeffries
2018-10-28 17:10:02 UTC
Post by Amos Jeffries
Several vulnerabilities have recently been found in Squid HTTP proxy.
CVE have been requested and awaiting assignment by the DWF project.
* A Cross-Site Scripting vulnerability (CWE-74, CWE-79) has been found
in the TLS error handling by Squid.
Several fields of X.509 certificates can contain HTML syntax and were
not being correctly quoted/encoded before inserting into HTML error
pages generated by the proxy. This issue allows an attacker to craft an
X.509 certificate that both triggers an error and alters how that error
is displayed by a client such as a Browser.
Squid 3.1.12.1 -> 3.1.23
Apologies, these versions are also affected:

Squid 3.2.0.4 -> 3.5.28
Post by Amos Jeffries
Squid 4.0 -> 4.3
Squid 3.1.12 and older including Squid-2.x are not vulnerable.
The patch for Squid-3.5 should apply relatively cleanly to all v3.x
affected versions.
<http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-f1657a9decc820f748fa3aff68168d3145258031.patch>
<http://www.squid-cache.org/Versions/v4/changesets/squid-4-828245b90206602014ce057c3db39fb80fcc4b08.patch>
<http://www.squid-cache.org/Versions/v5/changesets/squid-5-6feeb15ff312f3e145763adf8d234ed6a0b3f11d.patch>
<http://www.squid-cache.org/Advisories/SQUID-2018_4.txt>
Amos
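Between the original announcement and the correction above, the affected ranges for both advisories are now complete. The following is an added example (not Squid's code or a Squid tool) that turns those ranges plus the SNMP conditions from the first post (--disable-snmp builds not vulnerable; snmp_port absent or 0 not immediately vulnerable) into a check an operator can run against the output of `squid -v` and squid.conf. The sample `squid -v` output and configuration snippets are constructed here for illustration; the version-range tables come straight from the two posts.

```python
import re

# Inclusive affected ranges as stated in the thread: SQUID-2018_4 (XSS), with
# the follow-up correction adding 3.2.0.4 -> 3.5.28, and SQUID-2018_5 (SNMP).
XSS_RANGES = [("3.1.12.1", "3.1.23"), ("3.2.0.4", "3.5.28"), ("4.0", "4.3")]
SNMP_LEAK_RANGES = [("3.2.0.10", "3.5.28"), ("4.0", "4.3")]


def parse_version(text):
    """'3.1.12.1' -> (3, 1, 12, 1). A non-numeric suffix ends the tuple."""
    parts = []
    for p in text.split("."):
        m = re.match(r"\d+", p)
        if not m:
            break
        parts.append(int(m.group(0)))
    return tuple(parts)


def in_range(version, lo, hi):
    v, lo_t, hi_t = parse_version(version), parse_version(lo), parse_version(hi)
    # Lower bound: plain tuple order, so 3.1.12 < 3.1.12.1 as the advisory says.
    # Upper bound: compare only the components the bound names, so "4.3" covers
    # a 4.3.x point release while 4.4 falls outside.
    return v >= lo_t and v[:len(hi_t)] <= hi_t


def is_affected(version, ranges):
    return any(in_range(version, lo, hi) for lo, hi in ranges)


def version_from_squid_v(output):
    m = re.search(r"^Squid Cache: Version (\S+)", output, re.M)
    return m.group(1) if m else None


def configure_options(output):
    """The quoted '--flag' items on the 'configure options:' line of squid -v."""
    m = re.search(r"^configure options:\s*(.*)$", output, re.M)
    return re.findall(r"'([^']*)'", m.group(1)) if m else []


def snmp_port(conf):
    """Effective snmp_port directive (last one wins); None if not configured."""
    port = None
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        m = re.match(r"snmp_port\s+(\d+)", line)
        if m:
            port = int(m.group(1))
    return port


def snmp_exposure(squid_v_output, squid_conf):
    """Classify a deployment against SQUID-2018_5 using the thread's conditions."""
    version = version_from_squid_v(squid_v_output)
    if version is None or not is_affected(version, SNMP_LEAK_RANGES):
        return "not_affected"
    if "--disable-snmp" in configure_options(squid_v_output):
        return "not_affected"
    if not snmp_port(squid_conf):          # absent or 0
        return "not_immediately_vulnerable"
    return "vulnerable"


# Constructed sample inputs (not captured from a real host).
SAMPLE_SQUID_V = (
    "Squid Cache: Version 3.5.27\n"
    "Service Name: squid\n"
    "configure options:  '--prefix=/usr' '--enable-snmp' '--with-openssl'\n"
)
SAMPLE_CONF_EXPOSED = "# monitoring\nsnmp_port 3401\nsnmp_access allow localhost\n"
SAMPLE_CONF_DEFAULT = "http_port 3128\n# snmp_port 3401\n"

if __name__ == "__main__":
    v = version_from_squid_v(SAMPLE_SQUID_V)
    print(v, "XSS affected:", is_affected(v, XSS_RANGES))
    print("SNMP:", snmp_exposure(SAMPLE_SQUID_V, SAMPLE_CONF_EXPOSED))
```

A "not_immediately_vulnerable" result is the state the first post warns about: one `snmp_port` line away from exposure, so the patch still belongs on such hosts.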
Hanno Böck
2018-10-28 17:21:53 UTC
On Mon, 29 Oct 2018 05:13:40 +1300
Post by Amos Jeffries
<http://www.squid-cache.org/Advisories/SQUID-2018_4.txt>
That gives a 404.

Also there's another yet unfixed vulnerability: The webpage and the
downloads are not using HTTPS, which makes them vulnerable to
man-in-the-middle attacks ;-)
--
Hanno Böck
https://hboeck.de/

mail/jabber: ***@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
Amos Jeffries
2018-10-28 18:43:50 UTC
Post by Hanno Böck
On Mon, 29 Oct 2018 05:13:40 +1300
Post by Amos Jeffries
<http://www.squid-cache.org/Advisories/SQUID-2018_4.txt>
That gives a 404.
YMMV as third-party mirrors are still updating in some parts.
Post by Hanno Böck
Also there's another yet unfixed vulnerability: The webpage and the
downloads are not using HTTPS, which makes them vulnerable to
man-in-the-middle attacks ;-)
This is intentional. We do not restrict to those able to access HTTPS.

Also, notice that issue is most relevant to installations routinely
MITM'ing the HTTPS protocol.


AYJ
面和毅
2018-10-28 23:35:17 UTC
Hi,

It looks like links are working fine now.

http://www.squid-cache.org/Advisories/SQUID-2018_4.txt
http://www.squid-cache.org/Advisories/SQUID-2018_5.txt

OMO
Post by Hanno Böck
On Mon, 29 Oct 2018 05:13:40 +1300
Post by Amos Jeffries
<http://www.squid-cache.org/Advisories/SQUID-2018_4.txt>
That gives a 404.
Also there's another yet unfixed vulnerability: The webpage and the
downloads are not using HTTPS, which makes them vulnerable to
man-in-the-middle attacks ;-)
--
Hanno Böck
https://hboeck.de/
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
--
Kazuki Omo: ka-***@sios.com

OSS&Security Evangelist
Senior Architect
Vice President & Deputy Group Manager
Research and Development Dept. 2
CISSP #366942
Tel: +819026581386
Karol Babioch
2018-10-31 10:37:23 UTC
Hi,
Post by Amos Jeffries
Several vulnerabilities have recently been found in Squid HTTP proxy.
Thank you very much for your announcement and the attached patches.
Post by Amos Jeffries
CVE have been requested and awaiting assignment by the DWF project.
Is there any update and/or ETA on this ;-)?

Best regards,
Karol Babioch
--
OpenPGP: 4687 CA1E A0F7 3B1E BB7D E179 DF49 418F 6267 267B

SUSE Linux GmbH
GF: Felix Imendörffer, Jane Smithard, Graham Norton
HRB 21284 (AG Nürnberg)
Karol Babioch
2018-11-09 12:45:01 UTC
Hi all,
Post by Karol Babioch
Post by Amos Jeffries
CVE have been requested and awaiting assignment by the DWF project.
Is there any update and/or ETA on this ;-)?
Since the assignment from DWF hasn't happened yet, I've requested CVEs
via Mitre in the meantime. They have assigned CVE-2018-19131 and
CVE-2018-19132 for this.

Best regards,
Karol Babioch
--
OpenPGP: 4687 CA1E A0F7 3B1E BB7D E179 DF49 418F 6267 267B

SUSE Linux GmbH
GF: Felix Imendörffer, Jane Smithard, Graham Norton
HRB 21284 (AG Nürnberg)