On 01/02/11 21:48, Giles Coochey wrote:
On 01/02/2011 07:36, Amos Jeffries wrote:
The whole of section 6.1 is a major security vulnerability "don't do
it!" situation. Read CVE-2009-0801 for an explanation of what malware
can do to trivially spread themselves across your whole client base.
The currently available Squid do permit it with loud failure warnings
in cache.log. We are planning on fully disabling the security hole in
the near future.
Section 6.1 was written 6-8 years ago... I can't say that I fully
understand CVE2009-0801... Can you elaborate on the security
vulnerability and how it applies to 6.1??
The CVE is applicable to all proxies doing interception. They generate
their URL from the Host: header instead of the TCP link details from the
client. Neither being a reliable source of information. The one saving
grace so far is that the client TCP IP gets logged and countermeasures
can be placed to block nasties.
In the case of remote NAT the TCP link details are themselves wrong.
Indicating that the router IP is the client origin. So there is zero
traceability for a network-wide poisoning attack with zero ways to
protect against it.
The problem has apparently been known since around the time NAT
interception was created. 2009 is merely the year infections were
identified that use it. There is no reliable fix.
All we can do is stress "avoid NAT" and take the (slightly) more
difficult road of configuring the network to use so called "zero-conf"
auto-detection of the proxy. It is worth it in both medium and long term.
Amos
--
Please be using
Current Stable Squid 2.7.STABLE9 or 3.1.10
Beta testers wanted for 3.2.0.4
