
=====================================================================

                              CERT-Renater

                  Information Note No. 2022/VULN346

_____________________________________________________________________

DATE                : 22/09/2022

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S) : Systems running Squid versions 4.9 up to and
                      including 5.6.

=====================================================================
https://github.com/squid-cache/squid/security/advisories/GHSA-rcg9-7fqm-83mq
https://www.openwall.com/lists/oss-security/2022/09/23/2
_____________________________________________________________________

SQUID-2022:1 Exposure of Sensitive Information in Cache Manager
Severity: Moderate. Published by yadij as GHSA-rcg9-7fqm-83mq.
Package
squid (Squid)

Affected versions
4.9-4.17, 5.0.6-5.6

Patched versions
5.7


Description

Problem Description:

Due to inconsistent handling of internal URIs, Squid is
vulnerable to Exposure of Sensitive Information about clients
using the proxy.


Severity:

This problem allows a trusted client to directly access cache
manager information bypassing the manager ACL protection.

The available cache manager information contains records of
internal network structure, client credentials, client identity
and client traffic behaviour.


CVSS Score of 6.4
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:F/RL:X/RC:C/CR:M/IR:X/AR:X/MAV:X/MAC:L/MPR:L/MUI:X/MS:X/MC:H/MI:X/MA:X&version=3.1


Updated Packages:

This bug is fixed by Squid version 5.7.

In addition, patches addressing this problem for the stable
releases can be found in our patch archives:

Squid 4:
http://www.squid-cache.org/Versions/v4/changesets/SQUID-2022_1.patch

Squid 5:
http://www.squid-cache.org/Versions/v5/changesets/SQUID-2022_1.patch

If you are using a prepackaged version of Squid then please refer
to the package vendor for availability information on updated
packages.


Determining if your version is vulnerable:

Squid versions older than 4.9 are not vulnerable.

All Squid-4.9 up to and including 4.14 have not been tested, but
should be assumed to be vulnerable.

All Squid-4.15 up to and including 4.17 are vulnerable.

All Squid-5.0.6 up to and including 5.6 are vulnerable.


Workaround:

Add the following to squid.conf:

acl manager url_regex +i ^[^:]+://[^/]+/squid-internal-mgr/


Contact details for the Squid project:

For installation / upgrade support on binary packaged versions
of Squid: Your first point of contact should be your binary
package vendor.

If you install and build Squid from the original Squid sources
then the squid-users@lists.squid-cache.org mailing list is your
primary support point. For subscription details see
http://www.squid-cache.org/Support/mailing-lists.html.

For reporting of non-security bugs in the latest STABLE release
the squid bugzilla database should be used
http://bugs.squid-cache.org/.

For reporting of security sensitive bugs send an email to the
squid-bugs@lists.squid-cache.org mailing list. It's a closed
list (though anyone can post) and security related bug reports
are treated in confidence until the impact has been established.


Credits:

This vulnerability was discovered by Mikhail Evdokimov
(aka konata).

Initial fix by Amos Jeffries of Treehouse Networks Ltd.

Revision history:

2022-04-17 18:30:52 UTC Initial Report
2022-08-08 11:01:47 UTC Initial Fix released
2022-09-23 05:00:00 UTC Advisory Released

END

Severity: Moderate (CVSS 6.5 / 10)

CVSS base metrics:
  Attack vector       : Network
  Attack complexity   : Low
  Privileges required : Low
  User interaction    : None
  Scope               : Unchanged
  Confidentiality     : High
  Integrity           : None
  Availability        : None

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVE ID: CVE-2022-41317

Weaknesses: CWE-200 CWE-213 CWE-284 CWE-285 CWE-668 CWE-732 CWE-863

____________________________________________________________

__________________________________________________________________

Squid Proxy Cache Security Update Advisory SQUID-2022:2
__________________________________________________________________

Advisory ID:       | SQUID-2022:2
Date:              | September 23, 2022
Summary:           | Buffer Over Read
                   | in SSPI and SMB Authentication
Affected versions: | Squid 2.5.STABLE1 -> 2.7.STABLE9
                   | Squid 3.x -> 3.5.28
                   | Squid 4.x -> 4.17
                   | Squid 5.x -> 5.6
Fixed in version:  | Squid 5.7
__________________________________________________________________

   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41318>
__________________________________________________________________

Problem Description:

   Due to an incorrect integer overflow protection, Squid SSPI and
   SMB authentication helpers are vulnerable to a Buffer Overflow
   attack.

__________________________________________________________________

Severity:

   This problem allows a remote client to perform a Denial of
   Service attack when Squid is configured to use NTLM or Negotiate
   authentication with one of the vulnerable helpers.

   This problem allows a remote client to extract sensitive
   information from machine memory when Squid is configured to use
   NTLM or Negotiate authentication with one of the vulnerable
   helpers. The scope of this information includes user credentials
   in decrypted forms, and also arbitrary memory areas beyond Squid
   and the helper itself.

   This attack is limited to authentication helpers built using the
   libntlmauth library shipped by Squid.
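   As an illustration of the bug class behind this advisory (added
   here; it is not Squid's libntlmauth code, and the struct and
   function names are hypothetical), the following C contrasts an
   NTLM-style security-buffer bounds check that can wrap in 32-bit
   arithmetic with a form that cannot:

```c
/* Added illustration of the bug class in SQUID-2022:2; this is not Squid's
 * code and the names are hypothetical. NTLM carries strings as "security
 * buffers": a (length, max length, offset) triple pointing into the packet
 * that contains them. A bounds check that adds offset and length can wrap
 * in 32-bit arithmetic and let a hostile packet point past its own end,
 * which is a buffer over-read of helper memory. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

struct secbuf {
    uint32_t len;     /* bytes referenced */
    uint32_t maxlen;  /* allocated size, unused by these checks */
    uint32_t offset;  /* start of the bytes, relative to packet start */
};

/* Naive check: forms offset + len in uint32_t. With len near UINT32_MAX the
 * sum wraps to a small value and the check wrongly passes. */
static int naive_in_bounds(const struct secbuf *b, uint32_t size)
{
    uint32_t end = b->offset + b->len;   /* may wrap */
    return end <= size;
}

/* Hardened check: never form the sum. Reject offsets beyond the packet,
 * then compare len against the room that remains; nothing can overflow. */
static int safe_in_bounds(const struct secbuf *b, uint32_t size)
{
    if (b->offset > size)
        return 0;
    return b->len <= size - b->offset;
}

/* Copy the referenced bytes out of pkt, but only when the buffer passes the
 * hardened check and fits the caller's storage. Returns bytes copied, or -1
 * when the security buffer is rejected. */
static long fetch_secbuf(const unsigned char *pkt, uint32_t size,
                         const struct secbuf *b,
                         unsigned char *out, size_t outcap)
{
    if (!safe_in_bounds(b, size) || b->len > outcap)
        return -1;
    memcpy(out, pkt + b->offset, b->len);
    return (long)b->len;
}
```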

CVSS Score of 8.2
<https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:H/E:P/RL:O/RC:C/CR:H/IR:H/AR:H/MAV:X/MAC:X/MPR:X/MUI:X/MS:C/MC:X/MI:L/MA:H&version=3.1>
__________________________________________________________________

Updated Packages:

This bug is fixed by Squid version 5.7.

   In addition, patches addressing this problem for the stable
   releases can be found in our patch archives:

Squid 4:
   <http://www.squid-cache.org/Versions/v4/changesets/SQUID-2022_2.patch>

Squid 5:
   <http://www.squid-cache.org/Versions/v5/changesets/SQUID-2022_2.patch>

   If you are using a prepackaged version of Squid then please refer
   to the package vendor for availability information on updated
   packages.

__________________________________________________________________

Determining if your version is vulnerable:

   Run this command to view the configured authentication helpers:

     (squid -k parse 2>&1) | grep "Processing: auth_param"

   Your Squid may be vulnerable if the result contains any of the following:
     ntlm_smb_lm_auth
     ntlm_sspi_auth
     ntlm_fake_auth
     negotiate_sspi_auth

   All Squid-2.5 up to and including 4.17 have vulnerable helpers.

   All Squid-5.x up to and including 5.6 have vulnerable helpers.

__________________________________________________________________

Workaround:

Either,

   Disable use of the vulnerable authentication scheme.

Or,

   Replace the vulnerable helper with an alternative helper for the
   same authentication scheme.

Or,

   Replace the vulnerable helper binary with one built from an
   updated or patched Squid release. The remainder of Squid does not
   need updating to fix this.

__________________________________________________________________

Contact details for the Squid project:

   For installation / upgrade support on binary packaged versions
   of Squid: Your first point of contact should be your binary
   package vendor.

   If you install and build Squid from the original Squid sources
   then the <squid-users@...ts.squid-cache.org> mailing list is your
   primary support point. For subscription details see
   <http://www.squid-cache.org/Support/mailing-lists.html>.

   For reporting of non-security bugs in the latest STABLE release
   the squid bugzilla database should be used
   <http://bugs.squid-cache.org/>.

   For reporting of security sensitive bugs send an email to the
   <squid-bugs@...ts.squid-cache.org> mailing list. It's a closed
   list (though anyone can post) and security related bug reports
   are treated in confidence until the impact has been established.

__________________________________________________________________

Credits:

   This vulnerability was discovered by LWIC.

   Fixed by Amos Jeffries of Treehouse Networks Ltd,
   based on patch by LWIC.

__________________________________________________________________

Revision history:

   2019-03-17 14:24:42 UTC Initial Report
   2022-08-08 12:16:43 UTC Fix Released
   2022-09-23 05:00:00 UTC Advisory Released
__________________________________________________________________



=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================

