[squid-announce] [ADVISORY] SQUID-2016:9 Multiple Denial of Service issues in ESI Response processing.

Amos Jeffries squid3 at treenet.co.nz
Mon May 9 08:25:41 UTC 2016 

__________________________________________________________________

    Squid Proxy Cache Security Update Advisory SQUID-2016:9
__________________________________________________________________

Advisory ID:        SQUID-2016:9
Date:               May 06, 2016
Summary:            Multiple Denial of Service issues
                    in ESI Response processing.
Affected versions:  Squid 3.x -> 3.5.17
                    Squid 4.x -> 4.0.9
Fixed in version:   Squid 4.0.10, 3.5.18
__________________________________________________________________

    http://www.squid-cache.org/Advisories/SQUID-2016_9.txt
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4555
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4556
__________________________________________________________________

Problem Description:

 Due to incorrect pointer handling and reference counting Squid is
 vulnerable to a denial of service attack when processing ESI
 responses.

__________________________________________________________________

Severity:

 These problems allow a remote server delivering certain ESI
 response syntax to trigger a denial of service for all clients
 accessing the Squid service.

 Due to unrelated changes Squid-3.5 has become vulnerable to some
 regular ESI server responses also triggering one or more of these
 issues.

__________________________________________________________________

Updated Packages:

 This bug is fixed by Squid version 3.5.18 and 4.0.10.

 In addition, patches addressing this problem for the stable
 releases can be found in our patch archives:

Squid 3.4:
 <http://www.squid-cache.org/Versions/v3/3.4/changesets/SQUID-2016_9.patch>

Squid 3.5:
 <http://www.squid-cache.org/Versions/v3/3.5/changesets/SQUID-2016_9.patch>

 If you are using a prepackaged version of Squid then please refer
 to the package vendor for availability information on updated
 packages.

__________________________________________________________________

Determining if your version is vulnerable:

 All Squid-2.x are not vulnerable.

 All Squid built with --disable-esi are not vulnerable.

 All Squid-3.0 versions built without --enable-esi are not
 vulnerable.

 All Squid-3.0 versions built with --enable-esi and used for
 reverse-proxy are vulnerable.

 All Squid-3.1 and later versions up to and including
 Squid-3.5.17 being used for reverse-proxy are vulnerable.

 All Squid-3.1 and later versions up to and including
 Squid-3.5.17 being used for TLS / HTTPS interception are
 vulnerable.

 All unpatched Squid-4.0 up to and including Squid-4.0.9
 being used as reverse-proxy are vulnerable.

 All unpatched Squid-4.0 up to and including Squid-4.0.9
 being used as TLS/HTTPS intercept proxy are vulnerable.

__________________________________________________________________

Workaround:

 Build Squid with --disable-esi

__________________________________________________________________

Contact details for the Squid project:

 For installation / upgrade support on binary packaged versions
 of Squid: Your first point of contact should be your binary
 package vendor.

 If your install and build Squid from the original Squid sources
 then the squid-users at lists.squid-cache.org mailing list is your
 primary support point. For subscription details see
 <http://www.squid-cache.org/Support/mailing-lists.html>.

 For reporting of non-security bugs in the latest STABLE release
 the squid bugzilla database should be used
 <http://bugs.squid-cache.org/>.

 For reporting of security sensitive bugs send an email to the
 squid-bugs at lists.squid-cache.org mailing list. It's a closed
 list (though anyone can post) and security related bug reports
 are treated in confidence until the impact has been established.

__________________________________________________________________

Credits:

 The initial issue was reported by "bfek-18".

 Additional issues and attack vector was reported by "@vftable".

 Fixed by Amos Jeffries from Treehouse Networks Ltd.

__________________________________________________________________

Revision history:

 2016-03-02 15:12:12 UTC Initial Report
 2016-05-01 23:48:27 UTC Additional Issue Report
 2016-05-06 09:39:48 UTC Patches Released
 2016-05-06 13:12:00 UTC Packages Released
 2016-05-06 14:46:41 UTC CVE Assignment
__________________________________________________________________
END

More information about the squid-announce mailing list