[squid-announce] [ADVISORY] SQUID-2021:6 Improper Certificate Validation in TLS

Amos Jeffries squid3 at treenet.co.nz
Mon Oct 4 01:59:26 UTC 2021


__________________________________________________________________

Squid Proxy Cache Security Update Advisory SQUID-2021:1
__________________________________________________________________

Advisory ID:       | SQUID-2021:6
Date:              | October 3, 2021
Summary:           | Improper Certificate Validation in TLS
Affected versions: | Squid 5.0.6 -> 5.1
Fixed in version:  | Squid 5.2
__________________________________________________________________

   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41611>
__________________________________________________________________

Problem Description:

  When validating an origin server or peer certificate, Squid may
  incorrectly classify certain certificates as trusted.

__________________________________________________________________

Severity:

  This problem allows a remote server to obtain security trust
  when the trust is not valid. This indication of trust may be
  passed along to clients allowing access to unsafe or hijacked
  services.

  This problem is guaranteed to occur when multiple CA have
  signed the TLS server certificate. It may also occur in cases
  of broken server certificate chains.

CVSS Score of 8.4
<https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N/E:H/RL:O/RC:C/CR:H/IR:H/AR:X/MAV:X/MAC:X/MPR:X/MUI:R/MS:X/MC:H/MI:H/MA:X&version=3.1>

__________________________________________________________________

Updated Packages:

This bug is fixed by Squid version 5.2.

  In addition, patches addressing this problem for the stable
  releases can be found in our patch archives:

Squid 5:

<http://www.squid-cache.org/Versions/v5/changesets/squid-5-533b4359f16cf9ed15a6d709a57a4b06e4222cfe.patch>

  If you are using a prepackaged version of Squid then please
  refer to the package vendor for availability information on
  updated packages.

__________________________________________________________________

Determining if your version is vulnerable:

  All Squid-4 and older are not vulnerable.

  All Squid-5.0.1 up to and including 5.0.5 are not vulnerable.

  All Squid-5.0.6 up to and including 5.1 are vulnerable.

__________________________________________________________________

Workaround:

  The only workaround is complete denial to TLS and HTTPS servers
  publishing affected certificate chains. The set of affected
  servers varies over time and is left out of this document.

   acl vulnerableDomains dstdomain .example.net
   http_access deny vulnerableDomains

__________________________________________________________________

Contact details for the Squid project:

  For installation / upgrade support on binary packaged versions
  of Squid: Your first point of contact should be your binary
  package vendor.

  If you install and build Squid from the original Squid sources
  then the <squid-users at lists.squid-cache.org> mailing list is
  your primary support point. For subscription details see
  <http://www.squid-cache.org/Support/mailing-lists.html>.

  For reporting of non-security bugs in the latest STABLE release
  the squid bugzilla database should be used
  <https://bugs.squid-cache.org/>.

  For reporting of security sensitive bugs send an email to the
  <squid-bugs at lists.squid-cache.org> mailing list. It's a closed
  list (though anyone can post) and security related bug reports
  are treated in confidence until the impact has been established.

__________________________________________________________________

Credits:

  This vulnerability was discovered by Jean-Paul Larocque of
  RodeoTV, LLC.

  Fixed by The Measurement Factory.

__________________________________________________________________

Revision history:

  2021-09-07 02:54:48 UTC Initial Report
  2021-09-24 20:10:37 UTC Patches Released
  2021-10-03 00:00:00 UTC Packages Released

__________________________________________________________________
END


More information about the squid-announce mailing list