__________________________________________________________________

      Squid Proxy Cache Security Update Advisory SQUID-2002:3
__________________________________________________________________

Advisory ID:            SQUID-2002:3
Date:                   July 3, 2002
Summary:                Squid-2.4.STABLE7 released to address a
                        number of security related issues.
Affected versions:      Squid-2.x up to and including 2.4.STABLE6
__________________________________________________________________

     http://www.squid-cache.org/Advisories/SQUID-2002_3.txt
__________________________________________________________________

Problem Description:

 squid-2.4.STABLE7 has been released to address a number of
 security issues in Squid and related software. All users of the
 Squid HTTP Proxy are strongly encouraged to upgrade.

 Security related changes in the 2.4.STABLE7 release:

 - Several bugfixes and cleanup of the Gopher client, both to
   correct some security issues and to make Squid properly render
   certain Gopher menus.
 - Security fixes in how Squid parses FTP directory listings into
   HTML.
 - FTP data channels are now sanity checked to match the address
   of the requested FTP server. This is to prevent theft or
   injection of data. See the new ftp_sanitycheck directive if
   this sanity check is not desired.
 - The MSNT auth helper has been updated to v2.0.3+fixes for
   buffer overflow security issues found in this helper.
 - A security issue in how Squid forwards proxy authentication
   credentials has been fixed.

 Other changes in the 2.4.STABLE7 release:

 - Squid now correctly rejects any requests using
   transfer-encoding. Squid is an HTTP/1.0 proxy and as such does
   not implement or support transfer-encoding.
 - Minor changes to support Apple Mac OS X and some other
   platforms more easily.
 - The client -T option has been implemented.
 - HTCP related bugfixes in "squid -k reconfigure".

 For more details on the changes see the descriptions in our
 patch archive for version Squid-2.4.STABLE6:

   http://www.squid-cache.org/Versions/v2/2.4/bugs/

------------------------------------------------------------------

Severity:

 It is believed that several of the Gopher bugs and the FTP
 directory parsing related bugs can be exploited to allow remote
 execution of code. The user executing the attack must be allowed
 to use the proxy for any potential attack to be successful, but
 it is believed that a remote attacker can use a small amount of
 social engineering to make an attack without direct access to
 the proxy.

 The third issue, relating to FTP data channels, is minor in
 nature in most installations, but there may be unfortunate
 interactions with firewalling policies etc. making it a more
 severe issue than normal.

 The MSNT auth helper issue is believed to possibly allow remote
 execution of code in certain configurations.

 The issue in forwarding of proxy authentication credentials may
 expose your users' private proxy login+password to selected
 external web sites depending on your configuration.

__________________________________________________________________

Updated Packages:

 The Squid-2.4.STABLE7 release contains fixes for all these
 problems. You can download the Squid-2.4.STABLE7 release from

   ftp://ftp.squid-cache.org/pub/squid-2/STABLE/
   http://www.squid-cache.org/Versions/v2/2.4/

 or the mirrors (it may take a while before all mirrors are
 updated). For a list of mirror sites see

   http://www.squid-cache.org/Mirrors/ftp-mirrors.html
   http://www.squid-cache.org/Mirrors/http-mirrors.html

 Individual patches for the mentioned issues can be found in our
 patch archive for version Squid-2.4.STABLE6

   http://www.squid-cache.org/Versions/v2/2.4/bugs/

 The patches should also apply with only a minimal effort to
 earlier Squid 2.4 versions if required.

 If you are using a prepackaged version of Squid then please
 refer to the package vendor for availability information on
 updated packages.

__________________________________________________________________

Determining if your version is vulnerable:

 To determine which version of Squid you are using, run the
 command

   squid -v

 You are likely to be vulnerable to these issues if you are
 running version 2.4.STABLE6 or earlier. If you are using a binary
 or otherwise pre-packaged version please verify with your vendor
 which versions are affected, as some vendors ship earlier
 versions with the needed patches applied. Note that unless you
 have upgraded to a version released after 2002-07-01 you are most
 likely vulnerable to these issues. There is no easy means to
 determine if your version is affected other than by the Squid
 version number.

 You may be vulnerable to the MSNT auth issue if your squid.conf
 file contains the directive

   authenticate_program /usr/local/squid/libexec/squid/msnt_auth

 and you have not upgraded your copy of msnt_auth to a corrected
 version.

 Note: msnt_auth is sometimes installed as msntauth, and the path
 may differ depending on the installation method.

__________________________________________________________________

Other versions of Squid:

 Versions prior to the 2.4 series are deprecated; please update
 to Squid-2.4.STABLE7 if you are using a version older than 2.4.

 Users of unreleased versions of Squid (2.6.DEVEL or 2.5.PRE
 versions) should run the most recent version available to ensure
 that security issues arising during the development are addressed
 as quickly as possible. Furthermore, unreleased versions should
 not be used in a production environment.

__________________________________________________________________

Workarounds:

 We recommend that you upgrade rather than try to work around the
 issues by configuration. For most of the issues there are no easy
 workarounds that do not severely impact the functionality.

 The Gopher and FTP issues can be worked around by denying
 proxying of ftp:// or gopher:// URLs, for example by inserting
 the following lines at the top of your squid.conf

   # Workaround for bugs in Squid-2.4.STABLE6 and earlier
   acl workaround proto FTP Gopher
   http_access deny workaround

 The authentication credentials issue only applies if you are
 using proxy authentication, allow users access to some sites
 without the need to authenticate, and do not fully trust these
 sites or the network between these sites and the proxy. To work
 around the problem make sure your users need to authenticate on
 all sites or none.

 If you are using the msnt_auth authentication helper then you
 are only vulnerable if you are using the allowusers or denyusers
 extension of msnt_auth. To work around this deficiency of
 msnt_auth you can use the proxy_auth acl type to specify the
 valid users and delete the allowusers and denyusers files.

__________________________________________________________________

Contact details for the squid project:

 For installation / upgrade support: Your first point of contact
 should be your binary package vendor.

 If your install is built from the original squid sources, then
 the squid-users@squid-cache.org mailing list is your primary
 support point (see <http://www.squid-cache.org/mailing-lists.html>
 for subscription details).

 For bug reporting, particularly security related bugs, the
 squid-bugs@squid-cache.org mailing list is the appropriate forum.
 It's a closed list (though anyone can post) and security related
 bug reports are treated in confidence until the impact has been
 established. For non security related bugs, the squid bugzilla
 database should be used <http://www.squid-cache.org/bugs/>.

__________________________________________________________________

Credits:

 Olaf Kirch (formerly @ Caldera), for reporting the FTP and
 Gopher related issues.

 MARA Systems AB, for sponsoring the development of patches to
 the FTP, Gopher, authentication and transfer encoding issues.

 Duane Wessels, for fixes to the MSNT auth helper.

__________________________________________________________________

Revision history:

 2002-07-03 21:10 GMT Initial release

__________________________________________________________________
END
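
The checks described under "Determining if your version is vulnerable" and "Workarounds", as an added example that is not part of the original advisory or of the Squid project. It assumes that "squid -v" prints a line of the form "Squid Cache: Version X"; the function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Squid project code): checks from advisory SQUID-2002:3.

# squid_version_vulnerable "<text printed by squid -v>"
# 0 = 2.x up to and including 2.4.STABLE6 (likely vulnerable unless the vendor
# backported the patches), 1 = 2.4.STABLE7 or a later 2.4.STABLE release,
# 2 = cannot be judged from the number alone (e.g. 2.5.PRE, 2.6.DEVEL).
squid_version_vulnerable() {
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^Squid Cache: Version \([^ ]*\).*/\1/p' | head -n 1)
    case "$ver" in
        2.[0-3].*) return 0 ;;
        2.4.STABLE[0-9]*)
            n=${ver#2.4.STABLE}; n=${n%%[!0-9]*}
            if [ "$n" -le 6 ]; then return 0; else return 1; fi ;;
        *) return 2 ;;
    esac
}

# uses_msnt_auth <squid.conf>: 0 if an active (uncommented) authenticate_program
# line points at msnt_auth, or msntauth as it is sometimes installed.
uses_msnt_auth() {
    grep -Eq '^[[:space:]]*authenticate_program[[:space:]].*msnt_?auth' "$1"
}

# denies_ftp_gopher <squid.conf>: 0 if a proto acl covering FTP and Gopher is
# denied before any "http_access allow" (http_access is first-match).
denies_ftp_gopher() {
    awk '
        $1 == "acl" && $3 == "proto" {
            for (i = 4; i <= NF; i++) {
                p = toupper($i)
                if (p == "FTP") ftp[$2] = 1
                if (p == "GOPHER") gopher[$2] = 1
            }
        }
        $1 == "http_access" && $2 == "allow" { allow_seen = 1 }
        $1 == "http_access" && $2 == "deny" && NF == 3 && !allow_seen &&
            ftp[$3] && gopher[$3] { found = 1 }
        END { exit !found }
    ' "$1"
}

# Constructed sample input, not taken from a real host.
conf=$(mktemp)
printf '%s\n' 'acl workaround proto FTP Gopher' 'http_access deny workaround' \
    'authenticate_program /usr/local/squid/libexec/squid/msnt_auth' > "$conf"
squid_version_vulnerable "Squid Cache: Version 2.4.STABLE6" && echo "version: likely vulnerable"
uses_msnt_auth "$conf" && echo "msnt_auth in use: check the helper version"
denies_ftp_gopher "$conf" && echo "FTP/Gopher workaround is in place"
rm -f "$conf"
```

On a real host, pass "$(squid -v)" and the path of the live squid.conf. A result of 2 from the version check means the vendor or the release date has to be consulted instead.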