__________________________________________________________________

    Squid Proxy Cache Security Update Advisory SQUID-2019:9
__________________________________________________________________

Advisory ID:        SQUID-2019:9
Date:               November 05, 2019
Summary:            Cross-Site Request Forgery issue in HTTP Request
                    processing.
Affected versions:  Squid 2.x -> 2.7.STABLE9
                    Squid 3.x -> 3.5.28
                    Squid 4.x -> 4.8
Fixed in version:   Squid 4.9
__________________________________________________________________

http://www.squid-cache.org/Advisories/SQUID-2019_9.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18677
__________________________________________________________________

Problem Description:

 Due to incorrect message processing, Squid configured with
 append_domain can inappropriately redirect traffic to origins it
 should not be delivered to.
__________________________________________________________________

Severity:

 This issue allows attackers to hide origin servers for phishing
 attacks or malware download URLs.

 This issue is restricted to proxies with append_domain configured.
 It is relatively easy for attackers to probe and determine whether
 a target network proxy has this directive along with its value.
__________________________________________________________________

Updated Packages:

This bug is fixed by Squid version 4.9.

In addition, patches addressing this problem for the stable
releases can be found in our patch archives:

Squid 3.5:
 <http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-e5f1813a674848dde570f7920873e1071f96e0b4.patch>

Squid 4:
 <http://www.squid-cache.org/Versions/v4/changesets/squid-4-36492033ea4097821a4f7ff3ddcb971fbd1e8ba0.patch>

If you are using a prepackaged version of Squid then please refer
to the package vendor for availability information on updated
packages.
__________________________________________________________________

Determining if your version is vulnerable:

 All Squid without append_domain configured are not vulnerable.
 All Squid-2.x up to and including 2.7.STABLE9 with append_domain
 configured are vulnerable.

 All Squid-3.x up to and including 3.5.28 with append_domain
 configured are vulnerable.

 All Squid-4.x up to and including 4.8 with append_domain configured
 are vulnerable.

 To determine whether append_domain is configured use the command:

   squid -k parse | grep append_domain
__________________________________________________________________

Workarounds:

 Remove append_domain configuration settings from squid.conf.

 The append_domain feature is redundant when /etc/resolv.conf is
 used to determine hostnames. However, please note that use of
 /etc/resolv.conf may require removal of dns_nameservers and other
 redundant DNS directives.
__________________________________________________________________

Contact details for the Squid project:

 For installation / upgrade support on binary packaged versions
 of Squid: Your first point of contact should be your binary
 package vendor.

 If you install and build Squid from the original Squid sources
 then the squid-users@xxxxxxxxxxxxxxxxxxxxx mailing list is your
 primary support point. For subscription details see
 <http://www.squid-cache.org/Support/mailing-lists.html>.

 For reporting of non-security bugs in the latest STABLE release
 the squid bugzilla database should be used
 <http://bugs.squid-cache.org/>.

 For reporting of security sensitive bugs send an email to the
 squid-bugs@xxxxxxxxxxxxxxxxxxxxx mailing list. It's a closed list
 (though anyone can post) and security related bug reports are
 treated in confidence until the impact has been established.
__________________________________________________________________

Credits:

 This vulnerability was discovered by Kristoffer Danielsson.

 Fixed by Amos Jeffries of Treehouse Networks Ltd.
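The version and configuration checks from the "Determining if your version is vulnerable" and "Workarounds" sections above, written out as an added shell example that is not part of the advisory or of Squid itself. The two squid.conf files are constructed for the demonstration; the version parsing assumes the advisory's own "major.minor.patch" and "2.7.STABLEn" notation.

```shell
#!/bin/sh
# Added example, not part of the Squid advisory: applies its affected-version
# ranges and its append_domain check to a local install. For a real install,
# pass the version string printed by "squid -v" and the loaded squid.conf path.

# Exit 0 when VERSION lies in an affected range from SQUID-2019:9:
#   2.x -> 2.7.STABLE9, 3.x -> 3.5.28, 4.x -> 4.8 (fixed in 4.9).
squid_version_vulnerable() {
    ver=$1
    major=${ver%%.*}
    rest=${ver#*.}
    [ "$rest" != "$ver" ] || rest=0            # bare "4" means 4.0
    minor=${rest%%.*}
    case "$rest" in *.*) patch=${rest#*.} ;; *) patch=0 ;; esac
    # third field may read "STABLE9" (2.x naming) or carry a vendor suffix
    patch=$(printf '%s' "$patch" | sed 's/^STABLE//; s/[^0-9].*$//')
    [ -n "$patch" ] || patch=0
    key=$((major * 1000000 + minor * 1000 + patch))
    case "$major" in
        2) limit=2007009 ;;                    # 2.7.STABLE9
        3) limit=3005028 ;;                    # 3.5.28
        4) limit=4008000 ;;                    # 4.8
        *) return 1 ;;                         # 4.9 and later, or unknown major
    esac
    if [ "$key" -le "$limit" ]; then return 0; fi
    return 1
}

# Exit 0 when FILE carries an active (uncommented) append_domain directive.
config_has_append_domain() {
    grep -Eq '^[[:space:]]*append_domain[[:space:]]' "$1"
}

# Print the verdict for one VERSION / CONFFILE pair.
report() {
    if squid_version_vulnerable "$1" && config_has_append_domain "$2"; then
        echo "$1 with $2: vulnerable (remove append_domain or upgrade to 4.9)"
    else
        echo "$1 with $2: not affected"
    fi
}

# Constructed sample squid.conf files for the demonstration
sample_vuln=$(mktemp); printf 'http_port 3128\nappend_domain .example.internal\n' > "$sample_vuln"
sample_ok=$(mktemp);   printf 'http_port 3128\n# append_domain .example.internal\n' > "$sample_ok"
report 4.8 "$sample_vuln"      # vulnerable
report 4.8 "$sample_ok"        # not affected
report 4.9 "$sample_vuln"      # not affected
```

Only a live `squid -k parse | grep append_domain` against the running instance is authoritative; the file check here is a convenience for configs copied off a host.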
__________________________________________________________________

Revision history:

 2019-06-26 21:43:49 UTC Initial Report
 2019-07-12 03:08:00 UTC Patches Released
 2019-11-04 13:43:22 UTC CVE-2019-18677 Assignment
__________________________________________________________________
END

_______________________________________________
squid-announce mailing list
squid-announce@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-announce