[squid-announce] [ADVISORY] SQUID-2014:3 Buffer overflow in SNMP processing

Amos Jeffries squid3 at treenet.co.nz
Thu Oct 2 06:43:01 UTC 2014 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

__________________________________________________________________

    Squid Proxy Cache Security Update Advisory SQUID-2014:3
__________________________________________________________________

Advisory ID:            SQUID-2014:3
Date:                   September 15, 2014
Summary:                Buffer overflow in SNMP processing
Affected versions:      Squid 3.x -> 3.4.7
Fixed in version:       Squid 3.4.8
__________________________________________________________________

    http://www.squid-cache.org/Advisories/SQUID-2014_3.txt
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6270
__________________________________________________________________

Problem Description:

 Due to incorrect buffer management Squid can be caused by an
 attacker to write outside its allocated SNMP buffer.

__________________________________________________________________

Severity:

 The bug is important because it allows remote attackers to crash
 Squid, causing a disruption in service.  However, the bug is
 exploitable only if you have configured Squid to receive SNMP
 messages.

 Sites that do not use SNMP are not vulnerable.

__________________________________________________________________

Updated Packages:

 This bug is fixed by Squid version 3.4.8

 In addition, patches addressing this problem for stable releases
 can be found in our patch archives:

Squid 3.0:
http://www.squid-cache.org/Versions/v3/3.0/changesets/squid-3.0-9202.patch

Squid 3.1:
http://www.squid-cache.org/Versions/v3/3.1/changesets/squid-3.1-10489.patch

Squid 3.2:
http://www.squid-cache.org/Versions/v3/3.2/changesets/squid-3.2-11829.patch

Squid 3.3:
http://www.squid-cache.org/Versions/v3/3.3/changesets/squid-3.3-12682.patch

Squid 3.4:
http://www.squid-cache.org/Versions/v3/3.4/changesets/squid-3.4-13172.patch


 If you are using a prepackaged version of Squid then please refer
 to the package vendor for availability information on updated
 packages.

__________________________________________________________________

Determining if your version is vulnerable:

 All Squid built with --disable-snmp are not vulnerable to the
 problem.

 All Squid operating with "snmp_port 0" in squid.conf are not
 vulnerable to the problem.

 All Squid-3.x operating with snmp_port omitted from squid.conf
 are not vulnerable to the problem.

 All Squid-2.x operating with snmp_port omitted from squid.conf
 are vulnerable to the problem.

 All unpatched Squid versions up to and including 3.4.7 with
 snmp_port configured to a non-0 value are vulnerable to the
 problem.

__________________________________________________________________

Workaround:

Either,

 Configure the firewall controlling access to Squid service such
 that only specific trusted sources can deliver SNMP packets to
 the Squid SNMP listening port.

Or,

 Disable SNMP. Which may be done in any of the following ways:

 * Build Squid with ./configure --disable-snmp

 * For Squid-2.x add the following directive to squid.conf file:
    snmp_port 0

 * For Squid-3.x remove from squid.conf (and include'd files) any of
   the following directives which are present:

     snmp_port
     snmp_access
     snmp_incoming_address
     snmp_outgoing_address

__________________________________________________________________

Contact details for the Squid project:

 For installation / upgrade support on binary packaged versions
 of Squid: Your first point of contact should be your binary
 package vendor.

 If you install and build Squid from the original Squid sources
 then the squid-users at squid-cache.org mailing list is your primary
 support point. For subscription details see
 http://www.squid-cache.org/Support/mailing-lists.html.

 For reporting of non-security bugs in the latest release
 the squid bugzilla database should be used
 http://bugs.squid-cache.org/.

 For reporting of security sensitive bugs send an email to the
 squid-bugs at squid-cache.org mailing list. It's a closed list
 (though anyone can post) and security related bug reports are
 treated in confidence until the impact has been established.

__________________________________________________________________

Credits:

 The vulnerability was discovered and fixed by Sebastian Krahmer
 of the OpenSUSE Project.

__________________________________________________________________

Revision history:

 2014-09-09 12:01 GMT Initial Report
 2014-09-10 06:12 GMT CVE Assignment
 2014-09-15 08:15 GMT Patches and Packages Released
__________________________________________________________________
END
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)

iQEcBAEBAgAGBQJULPP1AAoJELJo5wb/XPRjqrkH/3Z4FT9M4u/vGeDecHV21k2L
z39Id7Bm/2iKuFQonSfjJOqv5elPS/RipWMCkchFWX2/uJJgG7eIUSnftTRdSxaC
mbQ+pU9Xc+0FWNZG6o0WQOQZLwHgqjM0wympKyf0hRiIuijJYrwDr/qzjZyBs+y5
If5oQ0ZPfiRscz9nt7kndUwtIio9ba1Qhx7csraH9s5ArZq7azJoY3Ujf54R/gDf
TDi0m0NQa/bIqZzFzeKwIyYj/AAGFCmTdEwcWhRtSq30GM8KxlR7hQDpYwDPyasf
zgP8RaPYrO2htIj5HIbe73q8UvjUbIWugu8P0kt1oTBQsI6aZ+bBb9MJ2MoOc/Y=
=z+Sx
-----END PGP SIGNATURE-----

More information about the squid-announce mailing list