[squid-announce] [ADVISORY] SQUID-2021:6 Improper Certificate Validation in TLS
Amos Jeffries
squid3 at treenet.co.nz
Mon Oct 4 01:59:26 UTC 2021
__________________________________________________________________
Squid Proxy Cache Security Update Advisory SQUID-2021:1
__________________________________________________________________
Advisory ID: | SQUID-2021:6
Date: | October 3, 2021
Summary: | Improper Certificate Validation in TLS
Affected versions: | Squid 5.0.6 -> 5.1
Fixed in version: | Squid 5.2
__________________________________________________________________
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41611>
__________________________________________________________________
Problem Description:
When validating an origin server or peer certificate, Squid may
incorrectly classify certain certificates as trusted.
__________________________________________________________________
Severity:
This problem allows a remote server to obtain security trust
when the trust is not valid. This indication of trust may be
passed along to clients allowing access to unsafe or hijacked
services.
This problem is guaranteed to occur when multiple CA have
signed the TLS server certificate. It may also occur in cases
of broken server certificate chains.
CVSS Score of 8.4
<https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N/E:H/RL:O/RC:C/CR:H/IR:H/AR:X/MAV:X/MAC:X/MPR:X/MUI:R/MS:X/MC:H/MI:H/MA:X&version=3.1>
__________________________________________________________________
Updated Packages:
This bug is fixed by Squid version 5.2.
In addition, patches addressing this problem for the stable
releases can be found in our patch archives:
Squid 5:
<http://www.squid-cache.org/Versions/v5/changesets/squid-5-533b4359f16cf9ed15a6d709a57a4b06e4222cfe.patch>
If you are using a prepackaged version of Squid then please
refer to the package vendor for availability information on
updated packages.
__________________________________________________________________
Determining if your version is vulnerable:
All Squid-4 and older are not vulnerable.
All Squid-5.0.1 up to and including 5.0.5 are not vulnerable.
All Squid-5.0.6 up to and including 5.1 are vulnerable.
__________________________________________________________________
Workaround:
The only workaround is complete denial to TLS and HTTPS servers
publishing affected certificate chains. The set of affected
servers varies over time and is left out of this document.
acl vulnerableDomains dstdomain .example.net
http_access deny vulnerableDomains
__________________________________________________________________
Contact details for the Squid project:
For installation / upgrade support on binary packaged versions
of Squid: Your first point of contact should be your binary
package vendor.
If you install and build Squid from the original Squid sources
then the <squid-users at lists.squid-cache.org> mailing list is
your primary support point. For subscription details see
<http://www.squid-cache.org/Support/mailing-lists.html>.
For reporting of non-security bugs in the latest STABLE release
the squid bugzilla database should be used
<https://bugs.squid-cache.org/>.
For reporting of security sensitive bugs send an email to the
<squid-bugs at lists.squid-cache.org> mailing list. It's a closed
list (though anyone can post) and security related bug reports
are treated in confidence until the impact has been established.
__________________________________________________________________
Credits:
This vulnerability was discovered by Jean-Paul Larocque of
RodeoTV, LLC.
Fixed by The Measurement Factory.
__________________________________________________________________
Revision history:
2021-09-07 02:54:48 UTC Initial Report
2021-09-24 20:10:37 UTC Patches Released
2021-10-03 00:00:00 UTC Packages Released
__________________________________________________________________
END
More information about the squid-announce
mailing list