[squid-users] [squid-announce] [ADVISORY] SQUID-2015:2 Improper Protection of Alternate Path

Amos Jeffries squid3 at treenet.co.nz
Thu Jul 9 03:39:29 UTC 2015


__________________________________________________________________

    Squid Proxy Cache Security Update Advisory SQUID-2015:2
__________________________________________________________________

Advisory ID:            SQUID-2015:2
Date:                   July 06, 2015
Summary:                Improper Protection of Alternate Path
Affected versions:      Squid 0.x -> 3.5.5
Fixed in version:       Squid 3.5.6
__________________________________________________________________

    http://www.squid-cache.org/Advisories/SQUID-2015_2.txt
__________________________________________________________________

Problem Description:

 Squid configured with cache_peer and operating on explicit proxy
 traffic does not correctly handle CONNECT method peer responses.

__________________________________________________________________

Severity:

 The bug is important because it allows remote clients to bypass
 security in an explicit gateway proxy.

 However, the bug is exploitable only if you have configured
 cache_peer to receive CONNECT requests.

__________________________________________________________________

Updated Packages:

 This bug is fixed by Squid version 3.5.6.

 In addition, patches addressing this problem for stable releases
 can be found in our patch archives:

Squid 3.4:
http://www.squid-cache.org/Versions/v3/3.4/changesets/squid-3.4-13225.patch

Squid 3.5:
http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-13856.patch

 If you are using a prepackaged version of Squid then please refer
 to the package vendor for availability information on updated
 packages.

__________________________________________________________________

Determining if your version is vulnerable:

 All Squid versions with cache_peer omitted from squid.conf are
 not vulnerable to the problem.

 All Squid versions with squid.conf containing
 "nonhierarchical_direct on" are not vulnerable to the problem.

 All Squid-3.1 and later with nonhierarchical_direct omitted from
 squid.conf are not vulnerable to the problem.

 All other unpatched Squid configured to use a cache_peer without
 the "originserver" option are vulnerable to the problem.

__________________________________________________________________

Workaround:

 For Squid-3.0 and older ensure squid.conf contains
 "nonhierarchical_direct on".

 For Squid-3.1 and newer remove nonhierarchical_direct from
 squid.conf.

__________________________________________________________________

Contact details for the Squid project:

 For installation / upgrade support on binary packaged versions
 of Squid: Your first point of contact should be your binary
 package vendor.

 If you install and build Squid from the original Squid sources
 then the squid-users at lists.squid-cache.org mailing list is your
 primary support point. For subscription details see
 http://www.squid-cache.org/Support/mailing-lists.html.

 For reporting of non-security bugs in the latest release
 the squid bugzilla database should be used
 http://bugs.squid-cache.org/.

 For reporting of security sensitive bugs send an email to the
 squid-bugs at lists.squid-cache.org mailing list. It's a closed
 list (though anyone can post) and security related bug reports
 are treated in confidence until the impact has been established.

__________________________________________________________________

Credits:

 The vulnerability was reported and fixed by Alex Rousskov, The
 Measurement Factory.

__________________________________________________________________

Revision history:

 2015-06-16 16:54 GMT Initial Report and Patches Released
 2015-05-03 15:37 GMT Packages Released
__________________________________________________________________
END
_______________________________________________
squid-announce mailing list
squid-announce at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-announce


More information about the squid-users mailing list