[squid-dev] Squid does not accept WCCP of Cisco router since CVE 2021-28116

Andrej Mikus a-squid at mikus.sk
Sun Dec 5 23:11:35 UTC 2021 

Hi,

I would like to find some information about wccp servers (routers,
firewalls, etc) that are officially supported and therefore tested for
compatibility. I thought there would be this kind of page published in
squid wiki but failed to locate one.

Since the recent update squid does not accept wccp packets sent by Cisco
IOS 15.8(3)M2 claiming there is duplicate security definition.

Is there any way to get in touch with the developper responsible for the
security patch and request his comments? I do not have access to other
Cisco hardware, and I would like to know if the update was confirmed
working for example against a CSR1000v.

I have first reported the issue to Ubuntu since I am running 18.04, but
today confirmed that recent versions of squid fail as well. Prior
creating a new entry at https://bugs.squid-cache.org/ I would appreciate
your guidance.

Regards
Andrej Mikus


----- Forwarded message from amk <1952158 at bugs.launchpad.net> -----

Date: Sun, 05 Dec 2021 22:21:51 -0000
From: amk <1952158 at bugs.launchpad.net>
To: launchpad at mikus.sk
Subject: [Bug 1952158] Re: squid does not accept WCCP of Cisco router since 3.5.27-1ubuntu1.12

4.13-10ubuntu5 in 21.10 and 5.2-1ubuntu1 in jammy are failing as well,
with debug log different when compared to version 3 involved here:

2021/12/05 19:58:41.705 kid1| 80,6| wccp2.cc(1580) wccp2HereIam: wccp2HereIam: Called
2021/12/05 19:58:41.705 kid1| 80,5| wccp2.cc(1599) wccp2HereIam: wccp2HereIam: sending to service id 0
2021/12/05 19:58:41.705 kid1| 80,3| wccp2.cc(1630) wccp2HereIam: Sending HereIam packet size 144
2021/12/05 19:58:41.707 kid1| 80,6| wccp2.cc(1202) wccp2HandleUdp: wccp2HandleUdp: Called.
2021/12/05 19:58:41.707 kid1| 80,3| wccp2.cc(1226) wccp2HandleUdp: Incoming WCCPv2 I_SEE_YOU length 128.
2021/12/05 19:58:41.707 kid1| ERROR: Ignoring WCCPv2 message: duplicate security definition
    exception location: wccp2.cc(1249) wccp2HandleUdp

This looks like a problem with squid itself, the packet does not have
duplicate security definition. In the code at http://www.squid-
cache.org/Doc/code/wccp2_8cc_source.html I miss some debug output in the
loop processing the packet /* Go through the data structure */ so would
need to rebuild the package or to involve debugger.

I was not able to find any documentation of squid listing
supported/tested wccp servers but at this point this looks like an issue
to be reported upstream. There is no reason to consider wccp packets
from IOS 15.8(3)M2 invalid.

-- 
You received this bug notification because you are subscribed to the bug
report.
https://bugs.launchpad.net/bugs/1952158


Bug description:
  WCCP peering between squid and CIsco IOS 15.8(3)M2 stopped as of

  Start-Date: 2021-10-07  06:27:37
  Commandline: /usr/bin/unattended-upgrade
  Upgrade: squid-common:amd64 (3.5.27-1ubuntu1.11, 3.5.27-1ubuntu1.12)

  1) The release of Ubuntu you are using: 18.04
  2) The version of the package you are using: 3.5.27-1ubuntu1.12
  3) What you expected to happen:

  Unattended upgrade will not break working setup. Valid wccp packets
  from the router continue to get accepted and processed by squid.

  4) What happened instead

  The squid cache.log is logging a loop of ERROR messages:

  ERROR: Ignoring WCCPv2 message: ntohl(wccp2_i_see_you.type) == WCCP2_I_SEE_YOU
  ERROR: Ignoring WCCPv2 message: !security_info
  ERROR: Ignoring WCCPv2 message: !security_info
  ERROR: Ignoring WCCPv2 message: !security_info

  Router logged Oct  7 04:28:45.918: %WCCP-1-SERVICELOST: Service web-cache lost on WCCP client x.x.x.x
  Since then debug wccp logs periodically WCCP-EVNT:IPv4:S0: HIA from x.x.x.x with bad rcv_id 0 (expected yy)

  wccp service detail shows: WCCP Client information: State: NOT Usable
  (initializing)

----- End forwarded message -----

More information about the squid-dev mailing list