=====================================================================

                               CERT-Renater

                     Information Note No. 2023/VULN429

_____________________________________________________________________

DATE                : 24/10/2023

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running squid versions prior to 6.4.

=====================================================================
https://github.com/squid-cache/squid/security/advisories/GHSA-j83v-w3p4-5cqh
https://github.com/squid-cache/squid/security/advisories/GHSA-phqj-m8gv-cq4g
https://github.com/squid-cache/squid/security/advisories/GHSA-2g3c-pg7q-g59w
_____________________________________________________________________

SQUID-2023:1 Request/Response smuggling in HTTP/1.1 and ICAP
Critical
yadij published GHSA-j83v-w3p4-5cqh

Package
squid

Affected versions
2.6-6.3

Patched versions
6.4


Description

Due to chunked decoder lenience Squid is vulnerable to
Request/Response smuggling attacks when parsing HTTP/1.1
and ICAP messages.

Severity:

This problem allows a remote attacker to perform
Request/Response smuggling past firewall and frontend security
systems when the upstream server interprets the chunked
encoding syntax differently from Squid.

This attack is limited to the HTTP/1.1 and ICAP protocols which
support receiving Transfer-Encoding:chunked.
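The smuggling risk described above arises when Squid and the upstream server accept different spellings of the same chunk header. As an added illustration, not code from the Squid project, here is a strict chunked decoder in Python that accepts only the RFC 9112 chunk syntax and rejects the lenient forms a tolerant decoder might accept (surrounding whitespace, a 0x prefix, bare LF line endings, non-hex digits) as well as any bytes left over after the last-chunk; the function and class names are my own.

```python
import re

class ChunkedSyntaxError(ValueError):
    """The body uses a chunked form that a strict decoder must reject."""

# RFC 9112 chunk line: 1*HEXDIG, optionally ';' plus an extension, no whitespace,
# no '0x' prefix, no bare LF. fullmatch() is used because '$' tolerates a final '\n'.
_CHUNK_LINE = re.compile(rb"([0-9A-Fa-f]{1,8})(;[\x21-\x7e]*)?")
_TRAILER_LINE = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+:[\x20\x21-\x7e]*")

def decode_chunked_strict(data: bytes, max_chunk: int = 1 << 20) -> bytes:
    """Decode a complete chunked body, consuming every byte, or raise ChunkedSyntaxError."""
    out, pos = bytearray(), 0
    while True:
        eol = data.find(b"\r\n", pos)
        if eol < 0:
            raise ChunkedSyntaxError("chunk-size line not terminated by CRLF")
        m = _CHUNK_LINE.fullmatch(data[pos:eol])
        if m is None:
            raise ChunkedSyntaxError(f"malformed chunk-size line: {data[pos:eol]!r}")
        size, pos = int(m.group(1), 16), eol + 2
        if size > max_chunk:
            raise ChunkedSyntaxError(f"chunk-size {size} exceeds {max_chunk}")
        if size == 0:
            break
        if len(data) - pos < size + 2 or data[pos + size:pos + size + 2] != b"\r\n":
            raise ChunkedSyntaxError("chunk-data truncated or not followed by CRLF")
        out += data[pos:pos + size]
        pos += size + 2
    # Trailer section: zero or more field lines, then the empty line.
    while True:
        eol = data.find(b"\r\n", pos)
        if eol < 0:
            raise ChunkedSyntaxError("trailer section not terminated by CRLF")
        line, pos = data[pos:eol], eol + 2
        if line == b"":
            break
        if _TRAILER_LINE.fullmatch(line) is None:
            raise ChunkedSyntaxError(f"malformed trailer line: {line!r}")
    # Leftover bytes are what a second, more lenient parser could treat as a new message.
    if pos != len(data):
        raise ChunkedSyntaxError(f"{len(data) - pos} bytes left after last-chunk")
    return bytes(out)

def is_rejected(data: bytes) -> bool:
    try:
        decode_chunked_strict(data)
    except ChunkedSyntaxError:
        return True
    return False
```

Sample bodies are constructed inline; a proxy or test harness can feed it real captured bodies to flag requests that only a lenient decoder would accept.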

CVSS Score of 9.3
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N&version=3.1

Updated Packages:
This bug is fixed by Squid version 6.4.

In addition, patches addressing this problem for the stable
releases can be found in our patch archives:
Squid 5:

http://www.squid-cache.org/Versions/v5/SQUID-2023_1.patch
Squid 6:

http://www.squid-cache.org/Versions/v6/SQUID-2023_1.patch

If you are using a prepackaged version of Squid then please refer
to the package vendor for availability information on updated
packages.

Determining if your version is vulnerable:

Squid older than 5.1 have not been tested and should be
assumed to be vulnerable.

All Squid-5.x up to and including 5.9 are vulnerable.

All Squid-6.x up to and including 6.3 are vulnerable.


Workaround:

     ICAP issues can be reduced by ensuring only trusted ICAP
     services are used, with TLS encrypted connections
     (ICAPS extension).

     There is no workaround for the HTTP Request Smuggling issue.

Contact details for the Squid project:

For installation / upgrade support on binary packaged versions
of Squid: Your first point of contact should be your binary
package vendor.

If you install and build Squid from the original Squid sources
then the squid-users@lists.squid-cache.org mailing list is your
primary support point. For subscription details see
http://www.squid-cache.org/Support/mailing-lists.html.

For reporting of non-security bugs in the latest STABLE release
the squid bugzilla database should be used
https://bugs.squid-cache.org/.

For reporting of security sensitive bugs send an email to the
squid-bugs@lists.squid-cache.org mailing list. It's a closed
list (though anyone can post) and security related bug reports
are treated in confidence until the impact has been established.


Credits:

This vulnerability was discovered by Keran Mu and Jianjun Chen,
from Tsinghua University and Zhongguancun Laboratory.

Fixed by Amos Jeffries of Treehouse Networks Ltd.


Revision history:

2023-09-01 04:34:00 UTC Initial Report
2023-10-01 08:43:00 UTC Patch Available

END


Severity
Critical

9.3 / 10

CVSS base metrics

Attack vector
Network

Attack complexity
Low

Privileges required
None

User interaction
None

Scope
Changed

Confidentiality
High

Integrity
Low

Availability
None

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N

CVE ID
No known CVE

Weaknesses
CWE-444

_____________________________________________________________________


SQUID-2023:3 Denial of Service in HTTP Digest Authentication
Critical
yadij published GHSA-phqj-m8gv-cq4g

Package
squid

Affected versions
3.2.0.1-5.9, 6.0-6.3

Patched versions
6.4


Description

Due to a buffer overflow bug Squid is vulnerable to a Denial of
Service attack against HTTP Digest Authentication.


Severity:

This problem allows a remote client to perform buffer overflow
attack writing up to 2 MB of arbitrary data to heap memory
when Squid is configured to accept HTTP Digest Authentication.

On machines with advanced memory protections this will result
in a Denial of Service against all users of the Squid proxy.

CVSS Score of 9.9
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:H&version=3.1

Updated Packages:
This bug is fixed by Squid version 6.4.

In addition, patches addressing this problem for the stable
releases can be found in our patch archives:
Squid 5:

http://www.squid-cache.org/Versions/v5/SQUID-2023_3.patch
Squid 6:

http://www.squid-cache.org/Versions/v6/SQUID-2023_3.patch

If you are using a prepackaged version of Squid then please refer
to the package vendor for availability information on updated
packages.

Determining if your version is vulnerable:

Squid older than 5.0.5 have not been tested and should be assumed
to be vulnerable.

All Squid-5.0.6 up to and including 5.9 are vulnerable.

All Squid-6.x up to and including 6.3 are vulnerable.


Workaround:

Disable HTTP Digest authentication until Squid can be
upgraded or patched.

Contact details for the Squid project:

For installation / upgrade support on binary packaged versions
of Squid: Your first point of contact should be your binary
package vendor.

If you install and build Squid from the original Squid sources
then the squid-users@lists.squid-cache.org mailing list is your
primary support point. For subscription details see
http://www.squid-cache.org/Support/mailing-lists.html.

For reporting of non-security bugs in the latest STABLE release
the squid bugzilla database should be used
https://bugs.squid-cache.org/.

For reporting of security sensitive bugs send an email to the
squid-bugs@lists.squid-cache.org mailing list. It's a closed
list (though anyone can post) and security related bug reports
are treated in confidence until the impact has been established.

Credits:

This vulnerability was discovered by Joshua Rogers of Opera
Software.

Fixed by Alex Bason.

Revision history:

2021-03-22 00:59:20 UTC Initial Report
2023-10-13 17:31:11 UTC Patch Published

END


Severity
Critical

9.9 / 10

CVSS base metrics

Attack vector
Network

Attack complexity
Low

Privileges required
None

User interaction
None

Scope
Changed

Confidentiality
Low

Integrity
Low

Availability
High

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:H

CVE ID
No known CVE

Weaknesses
CWE-120 CWE-122


Credits

     nonsleepr (@nonsleepr): Remediation developer
     MegaManSec (@MegaManSec): Finder



_____________________________________________________________________


SQUID-2023:5 Denial of Service in FTP
High
yadij published GHSA-2g3c-pg7q-g59w

Package
squid

Affected versions
5.0.3-5.9, 6.0-6.3

Patched versions
6.4


Description

Due to an Incorrect Conversion between Numeric Types
bug Squid is vulnerable to a Denial of Service
attack against FTP Native Relay input validation.

Due to an Incorrect Conversion between Numeric Types
bug Squid is vulnerable to a Denial of Service
attack against ftp:// URL validation and access control.

Severity:

This problem allows a remote client to perform Denial of Service
when sending ftp:// URLs in HTTP Request messages or constructing
ftp:// URLs from FTP Native input.

This issue is triggered during access control security checks,
meaning clients may not have been permitted to use the proxy yet.

FTP support is always enabled and cannot be disabled completely.

CVSS Score of 8.6
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H&version=3.1

Updated Packages:
This bug is fixed by Squid version 6.4.

In addition, patches addressing this problem for the stable
releases can be found in our patch archives:
Squid 5:

http://www.squid-cache.org/Versions/v5/SQUID-2023_5.patch
Squid 6:

http://www.squid-cache.org/Versions/v6/SQUID-2023_5.patch

If you are using a prepackaged version of Squid then please refer
to the package vendor for availability information on updated
packages.

Determining if your version is vulnerable:

Squid older than 5.0.3 are not vulnerable.

All Squid-5.0.4 up to and including 5.6 are vulnerable.

All Squid-6.x up to and including 6.3 are vulnerable.

Workaround:

     The FTP Native Relay input validation vector can be secured by
     removing all ftp_port directives from squid.conf.

     There are no workarounds to avoid the ftp:// URL validation and
     access control vector.

Contact details for the Squid project:

For installation / upgrade support on binary packaged versions
of Squid: Your first point of contact should be your binary
package vendor.

If you install and build Squid from the original Squid sources
then the squid-users@lists.squid-cache.org mailing list is your
primary support point. For subscription details see
http://www.squid-cache.org/Support/mailing-lists.html.

For reporting of non-security bugs in the latest STABLE release
the squid bugzilla database should be used
https://bugs.squid-cache.org/.

For reporting of security sensitive bugs send an email to the
squid-bugs@lists.squid-cache.org mailing list. It's a closed
list (though anyone can post) and security related bug reports
are treated in confidence until the impact has been established.

Credits:

This vulnerability was discovered by Joshua Rogers of Opera
Software.

Fixed by The Measurement Factory.

Revision history:

2023-10-12 11:53:02 UTC Initial Report

END


Severity
High

8.6 / 10

CVSS base metrics

Attack vector
Network

Attack complexity
Low

Privileges required
None

User interaction
None

Scope
Changed

Confidentiality
None

Integrity
None

Availability
High

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

CVE ID
No known CVE


Weaknesses
CWE-681


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
