[squid-users] [squid-announce] [ADVISORY] SQUID-2020:8 HTTP(S) Request Splitting

Amos Jeffries squid3 at treenet.co.nz
Sun Aug 23 08:17:24 UTC 2020


__________________________________________________________________

Squid Proxy Cache Security Update Advisory SQUID-2020:8
__________________________________________________________________

Advisory ID:       | SQUID-2020:8
Date:              | August 23, 2020
Summary:           | HTTP(S) Request Splitting.
Affected versions: | Squid 2.7 -> 2.7.STABLE9
                   | Squid 3.x -> 3.5.28
                   | Squid 4.x -> 4.12
                   | Squid 5.x -> 5.0.3
Fixed in version:  | Squid 4.13, 5.0.4
__________________________________________________________________

  <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15811>
__________________________________________________________________

Problem Description:

 Due to incorrect data validation, Squid is vulnerable to HTTP
 Request Splitting attacks against HTTP and HTTPS traffic. This
 leads to cache poisoning.

__________________________________________________________________

Severity:

 This problem is serious because it allows any client, including
 browser scripts, to bypass local security and poison the browser
 cache and any downstream caches with content from an arbitrary
 source.

CVSS Score of 9.3
<https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N/E:F/RL:O/RC:C/CR:H/IR:H/AR:X/MAV:N/MAC:L/MPR:L/MUI:N/MS:C/MC:H/MI:H/MA:N&version=3.1>

__________________________________________________________________

Updated Packages:

This bug is fixed by Squid versions 4.13 and 5.0.4.

 In addition, patches addressing this problem for the stable
 releases can be found in our patch archives:

Squid 4:
 <http://www.squid-cache.org/Versions/v4/changesets/SQUID-2020_8.patch>

 If you are using a prepackaged version of Squid then please refer
 to the package vendor for availability information on updated
 packages.

__________________________________________________________________

Determining if your version is vulnerable:

 All Squid versions configured with "relaxed_header_parser off" are
 not vulnerable.

 All Squid-3.x up to and including 3.5.28 with
 relaxed_header_parser configured to "on" or "warn" are
 vulnerable.

 All Squid-3.x up to and including 3.5.28 without
 relaxed_header_parser configured are vulnerable.

 All Squid-4.x up to and including 4.12 with relaxed_header_parser
 configured to "on" or "warn" are vulnerable.

 All Squid-4.x up to and including 4.12 without
 relaxed_header_parser configured are vulnerable.

 All Squid-5.x up to and including 5.0.3 with
 relaxed_header_parser configured to "on" or "warn" are
 vulnerable.

 All Squid-5.x up to and including 5.0.3 without
 relaxed_header_parser configured are vulnerable.

__________________________________________________________________

Workaround:

 Disable the relaxed HTTP parser in squid.conf:

    relaxed_header_parser off

 Note that traffic which does not correctly obey the HTTP
 specifications will be rejected instead of being converted to
 standards-compliant form.
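
 The version rules and the workaround above can be checked mechanically. The following Python check is an added example, not part of the advisory or of Squid; it covers only the 3.x, 4.x and 5.x rules listed, and it assumes that the last relaxed_header_parser line in squid.conf is the effective one and that included files are not followed. The sample configurations are constructed.

```python
import re

# Last affected release per major series, from the advisory's version table.
LAST_AFFECTED = {3: (3, 5, 28), 4: (4, 12, 0), 5: (5, 0, 3)}

# Constructed sample squid.conf fragments (not from a real deployment).
CONF_UNSET = "http_port 3128\n# relaxed_header_parser off\n"
CONF_WARN = "relaxed_header_parser warn\n"
CONF_OFF = "relaxed_header_parser warn\nrelaxed_header_parser off  # workaround\n"

def parser_setting(conf_text):
    """Return the effective relaxed_header_parser value, or None if unset.

    Assumption: the last occurrence wins; include files are not followed.
    """
    value = None
    for line in conf_text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments
        if len(fields) >= 2 and fields[0] == "relaxed_header_parser":
            value = fields[1].lower()
    return value

def parse_version(text):
    """Extract (major, minor, patch) from '4.12' or `squid -v` output."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError("no version number in %r" % text)
    return tuple(int(g or 0) for g in m.groups())

def assess(version_text, conf_text):
    """Return 'vulnerable', 'not vulnerable' or 'not covered'."""
    if parser_setting(conf_text) == "off":
        return "not vulnerable"      # workaround applied, any version
    version = parse_version(version_text)
    last = LAST_AFFECTED.get(version[0])
    if last is None:
        return "not covered"         # series outside the 3.x/4.x/5.x rules
    # Unset, "on" and "warn" are all vulnerable up to the last affected release.
    return "vulnerable" if version <= last else "not vulnerable"

if __name__ == "__main__":
    for ver, conf in [("Squid Cache: Version 4.12", CONF_UNSET),
                      ("5.0.3", CONF_OFF), ("4.13", CONF_WARN)]:
        print(ver, "->", assess(ver, conf))
```
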

__________________________________________________________________

Contact details for the Squid project:

 For installation / upgrade support on binary packaged versions
 of Squid: Your first point of contact should be your binary
 package vendor.

 If you install and build Squid from the original Squid sources
 then the <squid-users at lists.squid-cache.org> mailing list is your
 primary support point. For subscription details see
 <http://www.squid-cache.org/Support/mailing-lists.html>.

 For reporting of non-security bugs in the latest STABLE release
 the Squid Bugzilla database should be used
 <http://bugs.squid-cache.org/>.

 For reporting of security sensitive bugs send an email to the
 <squid-bugs at lists.squid-cache.org> mailing list. It's a closed
 list (though anyone can post) and security related bug reports
 are treated in confidence until the impact has been established.

__________________________________________________________________

Credits:

 This vulnerability was discovered by Regis Leroy (regilero
 from Makina Corpus).

 Fixed by Amos Jeffries of Treehouse Networks Ltd.

__________________________________________________________________

Revision history:

 2019-07-24 11:52:51 UTC Initial Report
 2020-01-09 22:07:44 UTC Additional vectors discovered
__________________________________________________________________
END
_______________________________________________
squid-announce mailing list
squid-announce at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-announce