[squid-dev] Squid does not accept WCCP of Cisco router since CVE 2021-28116

Alex Rousskov rousskov at measurement-factory.com
Mon Dec 6 20:34:58 UTC 2021


On 12/5/21 6:11 PM, Andrej Mikus wrote:

> I would like to find some information about wccp servers (routers,
> firewalls, etc) that are officially supported and therefore tested for
> compatibility.

IIRC, there are no such servers/etc. WCCP code quality is low, the code
has been neglected for a long time, and the changes we recently had to
do for CVE 2021-28116 took a very long time, were unfinished and
essentially untested because, in part, those looking for testers could
not get anybody to test the changes and report the results back to us.


> Is there any way to get in touch with the developer responsible for the
> security patch and request his comments?

You are using the right channel for that. I was one of the developers
that were forced to work on code changes for CVE 2021-28116, but I am
not sure I would consider myself "responsible for the patch" (it depends
on your definition of "responsible"). The advisory says the bug was
fixed by Amos; Amos is on this mailing list.


> I do not have access to other
> Cisco hardware, and I would like to know if the update was confirmed
> working for example against a CSR1000v.

I do not think that update was confirmed as working against any WCCP
server. If you are using WCCP, you are relying on a long-neglected
feature. There is no proper support for WCCP code in Squid today IMO.


Alex.
P.S. Squid side of CVE 2021-28116 is at
https://github.com/squid-cache/squid/security/advisories/GHSA-rgf3-9v3p-qp82



> ----- Forwarded message from amk <1952158 at bugs.launchpad.net> -----
> 
> Date: Sun, 05 Dec 2021 22:21:51 -0000
> From: amk <1952158 at bugs.launchpad.net>
> To: launchpad at mikus.sk
> Subject: [Bug 1952158] Re: squid does not accept WCCP of Cisco router since 3.5.27-1ubuntu1.12
> 
> 4.13-10ubuntu5 in 21.10 and 5.2-1ubuntu1 in jammy are failing as well,
> with debug log different when compared to version 3 involved here:
> 
> 2021/12/05 19:58:41.705 kid1| 80,6| wccp2.cc(1580) wccp2HereIam: wccp2HereIam: Called
> 2021/12/05 19:58:41.705 kid1| 80,5| wccp2.cc(1599) wccp2HereIam: wccp2HereIam: sending to service id 0
> 2021/12/05 19:58:41.705 kid1| 80,3| wccp2.cc(1630) wccp2HereIam: Sending HereIam packet size 144
> 2021/12/05 19:58:41.707 kid1| 80,6| wccp2.cc(1202) wccp2HandleUdp: wccp2HandleUdp: Called.
> 2021/12/05 19:58:41.707 kid1| 80,3| wccp2.cc(1226) wccp2HandleUdp: Incoming WCCPv2 I_SEE_YOU length 128.
> 2021/12/05 19:58:41.707 kid1| ERROR: Ignoring WCCPv2 message: duplicate security definition
>     exception location: wccp2.cc(1249) wccp2HandleUdp
> 
> This looks like a problem with squid itself, the packet does not have
> duplicate security definition. In the code at
> http://www.squid-cache.org/Doc/code/wccp2_8cc_source.html I miss some debug output in the
> loop processing the packet /* Go through the data structure */ so would
> need to rebuild the package or to involve debugger.
> 
> I was not able to find any documentation of squid listing
> supported/tested wccp servers but at this point this looks like an issue
> to be reported upstream. There is no reason to consider wccp packets
> from IOS 15.8(3)M2 invalid.
> 
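
The forwarded report disputes the "duplicate security definition" error; the following added example (not code from this thread or from Squid) walks the components of a captured WCCPv2 datagram and reports any component type that appears more than once, so a capture can be checked independently of Squid's own parser. The numeric type values follow the WCCPv2 Internet-Draft, the function names are hypothetical, and the sample bytes are constructed rather than captured from a router.

```python
import struct
from collections import Counter

# Values follow the WCCPv2 Internet-Draft; not taken from this thread or Squid.
MESSAGE_TYPES = {10: "HERE_I_AM", 11: "I_SEE_YOU",
                 12: "REDIRECT_ASSIGN", 13: "REMOVAL_QUERY"}
COMPONENT_TYPES = {0: "SECURITY_INFO", 1: "SERVICE_INFO", 2: "ROUTER_ID_INFO",
                   3: "WC_ID_INFO", 4: "RTR_VIEW_INFO", 5: "WC_VIEW_INFO",
                   6: "REDIRECT_ASSIGNMENT", 7: "QUERY_INFO", 8: "CAPABILITY_INFO"}
HEADER = struct.Struct("!IHH")      # message type, version, body length
COMPONENT = struct.Struct("!HH")    # component type, component body length

def parse_wccp2(datagram: bytes):
    """Return (message name, [(component name, offset, body length), ...])."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than the WCCPv2 message header")
    msg_type, _version, body_len = HEADER.unpack_from(datagram, 0)
    end = HEADER.size + body_len    # the length field excludes the header
    if end > len(datagram):
        raise ValueError("header length field exceeds the datagram size")
    components, offset = [], HEADER.size
    while offset < end:
        if end - offset < COMPONENT.size:
            raise ValueError(f"truncated component header at offset {offset}")
        ctype, clen = COMPONENT.unpack_from(datagram, offset)
        if clen > end - offset - COMPONENT.size:
            raise ValueError(f"component at offset {offset} overruns the message")
        name = COMPONENT_TYPES.get(ctype, f"UNKNOWN_{ctype}")
        components.append((name, offset, clen))
        offset += COMPONENT.size + clen
    return MESSAGE_TYPES.get(msg_type, f"UNKNOWN_{msg_type}"), components

def duplicated_components(components):
    """Names of component types that occur more than once in one message."""
    counts = Counter(name for name, _offset, _length in components)
    return sorted(name for name, count in counts.items() if count > 1)

def build_message(msg_type, parts):
    body = b"".join(COMPONENT.pack(t, len(b)) + b for t, b in parts)
    return HEADER.pack(msg_type, 0x0200, len(body)) + body

# Constructed samples (zero-filled bodies), not captures from a real router.
SAMPLE_OK = build_message(11, [(0, bytes(4)), (1, bytes(24)), (2, bytes(16))])
SAMPLE_DUP = build_message(11, [(0, bytes(4)), (1, bytes(24)), (0, bytes(4))])

if __name__ == "__main__":
    for label, data in (("ok", SAMPLE_OK), ("dup", SAMPLE_DUP)):
        name, comps = parse_wccp2(data)
        print(label, name, comps, duplicated_components(comps))
```

To check a real exchange, pass the UDP payload of the router's reply (WCCP uses UDP port 2048) to `parse_wccp2` in place of the constructed samples.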


