________________________________
Squid Proxy Cache Security Update Advisory SQUID-2024:3
________________________________
Advisory ID: SQUID-2024:3
Date: Jun 10, 2024
Summary: Denial of Service in ESI processing
Affected versions: Squid 3.0 -> 3.5.28
Squid 4.0 -> 4.16
Squid 5.0 -> 5.9
Squid 6.0 -> 6.9
Fixed in version:Squid 6.10
________________________________
Problem Description:
Due to an Out-of-bounds Write error when assigning ESI variables,
Squid is susceptible to a Memory Corruption error, which can
result in a Denial of Service.
________________________________
Severity:
This problem allows a trusted server to perform a Denial of Service attack on
Squid while processing ESI response content.
This affects all domains being serviced by the proxy and all clients using
it during the affected period.
The trigger for this issue are values which clients might normally expect to use
in valid ESI response content. As such admin should expect this issue to be
already occurring without any malicious 0-day attack existing.
This issue is limited to Squid acting as reverse proxy where ESI
feature has been
enabled at build time
CVSS Score of 6.3
<https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:H&version=3.1>
________________________________
Updated Packages:
This bug is fixed by Squid version 6.10.
In addition, patches addressing this problem for the stable
releases can be found in our patch archives:
Squid 3.x, 4, or 5:
<https://github.com/squid-cache/squid/commit/f411fe7d75197852f0e5ee85027a06d58dd8df4c.patch>
If you are using a prepackaged version of Squid then please refer
to the package vendor for availability information on updated
packages.
________________________________
Determining if your version is vulnerable:
All Squid built with --disable-esi are not vulnerable.
All Squid-3.0 versions built without --enable-esi are not
vulnerable.
All Squid-3.x versions built with --enable-esi are vulnerable.
All Squid-4.x built with --enable-esi are vulnerable.
All Squid-5.x built with --enable-esi are vulnerable.
All Squid-6.x up to and including 6.9 built with --enable-esi
are vulnerable
________________________________
Workaround:
* Build Squid with --disable-esi
________________________________
Contact details for the Squid project:
For installation / upgrade support on binary packaged versions
of Squid: Your first point of contact should be your binary
package vendor.
If you install and build Squid from the original Squid sources
then the squid-users@xxxxxxxxxxxxxxxxxxxxx mailing list is your
primary support point. For subscription details see
http://www.squid-cache.org/Support/mailing-lists.html.
For reporting of non-security bugs in the latest STABLE release
the squid bugzilla database should be used
http://bugs.squid-cache.org/.
For reporting of security sensitive bugs send an email to the
squid-bugs@xxxxxxxxxxxxxxxxxxxxx mailing list. It's a closed
list (though anyone can post) and security related bug reports
are treated in confidence until the impact has been established.
________________________________
Credits:
This vulnerability was discovered by Joshua Rogers of Opera Software.
Fixed by Francesco Chemolli
________________________________
Revision history:
2021-03-01 23:06:11 UTC Initial Report
2024-06-02 14:00:00 UTC Patches released
2024-06-10 14:00:00 UTC Fixed packages released
________________________________
END
_______________________________________________
squid-announce mailing list
squid-announce@xxxxxxxxxxxxxxxxxxxxx
https://lists.squid-cache.org/listinfo/squid-announce
