Message-ID: <583f664a-dc8b-93cb-4b88-2b778d705ee0@treenet.co.nz>
Date: Fri, 6 May 2016 23:11:10 +1200
From: Amos Jeffries <squid3@...enet.co.nz>
To: oss-security@...ts.openwall.com, cve-assign@...re.org
Subject: CVE Request: Squid HTTP caching proxy

Hi,
 several serious issues have been reported about the Squid proxy.

(URLs below are now all public, but some of our mirrors may take a few
more hours to pick up the changes).


1) Cache Poisoning issue in HTTP Request handling

Incorrect input validation of HTTP Request messages lets clients use an
absolute-URI on port 80 to bypass the protection previously added to
Squid for CVE-2009-0801 and other related attack vectors. This can lead
to cache poisoning of the Squid and browser caches, bypass of
same-origin and sandbox protections in browsers.

All Squid 2.x are not vulnerable.
All Squid-3.x up to and including 3.2.0.10 are not vulnerable unless
 they have been patched for CVE-2009-0801.
All Squid-3.2.0.11 and later up to and including 3.5.17 are vulnerable.
All Squid-4.x up to and including 4.0.9 are vulnerable.

Advisory at <http://www.squid-cache.org/Advisories/SQUID-2016_7.txt>

Patch at
<http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-14039.patch>
(patches for other versions are TBD.)



2) Header Smuggling issue in HTTP Request processing

Incorrect input validation allows a client to smuggle a Host header value
past same-origin security protections, causing Squid operating as an
interception or reverse proxy to contact the wrong origin server, and
also poisoning any downstream cache which stores the response.

However, the cache poisoning is only possible if the caching agent
(browser or explicit/forward proxy) is not following RFC 7230 processing
guidelines and lets the smuggled value through.

NP: This appears to be an example of CWE-144, but smuggling just a
specific header value instead of a whole message. The result is the same
as documented for message smuggling but much harder to detect by
observing log content - since there is no unexplained message or
response corruption after the attack has happened.

All 2.x versions up to and including 2.7.STABLE9 are vulnerable.
All 3.x versions up to and including 3.5.17 are vulnerable.
All 4.x versions are not vulnerable.

Advisory at <http://www.squid-cache.org/Advisories/SQUID-2016_8.txt>

Patches at:
 <http://www.squid-cache.org/Versions/v3/3.1/changesets/squid-3.1-10496.patch>
 <http://www.squid-cache.org/Versions/v3/3.2/changesets/squid-3.2-11842.patch>
 <http://www.squid-cache.org/Versions/v3/3.3/changesets/squid-3.3-12698.patch>
 <http://www.squid-cache.org/Versions/v3/3.4/changesets/squid-3.4-13236.patch>
 <http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-14038.patch>



3) Multiple Denial of Service issues in ESI Response processing.

Due to incorrect pointer handling and reference counting, Squid is
vulnerable to a denial of service attack when processing ESI responses.

All Squid-2.x are not vulnerable.
Squid-3.x up to and including 3.5.17 and 4.x up to and including 4.0.9
are affected. Vulnerability is configuration- and build-dependent; see
the advisory for more detail if interested.

Advisory at <http://www.squid-cache.org/Advisories/SQUID-2016_9.txt>

Patches at:
 <http://www.squid-cache.org/Versions/v3/3.4/changesets/SQUID-2016_9.patch>
 <http://www.squid-cache.org/Versions/v3/3.5/changesets/SQUID-2016_9.patch>



Thanks

Amos Jeffries
Squid Software Foundation
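Issues 1 and 2 above both come down to a proxy trusting host information that a client controls: the authority in an absolute-form request-target on the one hand, the Host header on the other. The block below is an added illustration, not Squid's code or any of the patches linked above, of the consistency rules RFC 7230 section 5.4 asks an HTTP agent to apply before routing or caching on a Host value: exactly one syntactically valid Host header, and, for absolute-form targets, agreement between the Host header and the request-target authority with default ports normalised. The function names, the `DEFAULT_PORTS` table and the sample requests are constructed for the example.

```python
"""Request-target / Host header consistency check (added example).

Not Squid's implementation: an illustration of the RFC 7230 section 5.4
rules a proxy or origin-side filter can apply before trusting a Host value.
Requests that fail the check are rejected with 400 rather than forwarded
or cached.
"""
import re
from urllib.parse import urlsplit

# Default port implied by an omitted ':port' in Host or in the URI authority.
DEFAULT_PORTS = {"http": 80, "https": 443}

# reg-name or bracketed IPv6 literal, optional port.  fullmatch() is used
# so that CR/LF or other trailing junk can never slip through a '$' anchor.
_AUTHORITY_RE = re.compile(
    r"(?P<host>\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9.-]+)(?::(?P<port>\d{1,5}))?"
)


def parse_authority(value, default_port=80):
    """Split 'host[:port]' into (lowercase host, int port); None if invalid."""
    m = _AUTHORITY_RE.fullmatch(value)
    if not m:
        return None
    port = int(m.group("port")) if m.group("port") else default_port
    if not 0 < port < 65536:
        return None
    return m.group("host").lower(), port


def check_request(request_line, headers):
    """Return (ok, reason, authority) for one request head.

    request_line: e.g. 'GET http://a.example/ HTTP/1.1'
    headers: list of (name, value) pairs in wire order.
    authority: the (host, port) the agent may route on, or None if rejected.
    """
    parts = request_line.split(" ")
    if len(parts) != 3:
        return False, "malformed request line", None
    _method, target, _version = parts

    # Decide the scheme first: it fixes the default port that an omitted
    # ':port' stands for in both the Host header and the URI authority.
    if target.startswith("/"):
        scheme, target_netloc = "http", None          # origin-form
    else:
        url = urlsplit(target)                        # absolute-form
        scheme = url.scheme.lower()
        if scheme not in DEFAULT_PORTS or not url.netloc:
            return False, "unsupported or malformed absolute-form target", None
        if "@" in url.netloc:
            return False, "userinfo in request-target", None
        target_netloc = url.netloc
    default_port = DEFAULT_PORTS[scheme]

    # Exactly one Host header, and it must parse as an authority.
    host_values = [v for n, v in headers if n.lower() == "host"]
    if len(host_values) != 1:
        return False, "expected exactly one Host header", None
    host_auth = parse_authority(host_values[0].strip(" \t"), default_port)
    if host_auth is None:
        return False, "invalid Host header", None

    if target_netloc is None:
        return True, "origin-form", host_auth

    # Absolute-form: the URI authority is what we route on, and the Host
    # header must say the same thing once ports are normalised.
    target_auth = parse_authority(target_netloc, default_port)
    if target_auth is None:
        return False, "invalid authority in request-target", None
    if target_auth != host_auth:
        return False, "Host header disagrees with request-target authority", None
    return True, "absolute-form", target_auth


if __name__ == "__main__":
    # Constructed sample request heads for the demonstration.
    samples = [
        ("GET http://a.example/ HTTP/1.1", [("Host", "a.example:80")]),
        ("GET http://a.example/ HTTP/1.1", [("Host", "other.example")]),
        ("GET / HTTP/1.1", [("Host", "a.example"), ("Host", "b.example")]),
        ("GET / HTTP/1.1", [("Host", "a.example\r\nX-Injected: 1")]),
    ]
    for line, hdrs in samples:
        ok, reason, auth = check_request(line, hdrs)
        print(f"{'OK  ' if ok else '400 '} {line!r}: {reason} {auth or ''}")
```

The port normalisation matters in practice: `a.example:80` and `a.example` name the same origin for an `http` URI, so a check that compares the raw strings will either reject legitimate traffic or, if it is loosened to compensate, accept a mismatch it should not. Comparing parsed `(host, port)` tuples avoids both failure modes.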


