[squid-announce] [ADVISORY SQUID-2016:6 Multiple issues in ESI processing.

Amos Jeffries squid3 at treenet.co.nz
Thu Apr 21 11:28:59 UTC 2016 

__________________________________________________________________

Squid Proxy Cache Security Update Advisory SQUID-2016:6
__________________________________________________________________

Advisory ID:        SQUID-2016:6
Date:               April 20, 2016
Summary:            Multiple issues in ESI processing.
Affected versions:  Squid 3.x -> 3.5.16
                    Squid 4.x -> 4.0.8
Fixed in version:   Squid 3.5.17, 4.0.9
__________________________________________________________________

    http://www.squid-cache.org/Advisories/SQUID-2016_6.txt
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4052
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4053
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4054
    CESG REF: 56284998 / VULNERABILITY ID: 393536
__________________________________________________________________

Problem Description:

 Due to buffer overflow issues Squid is vulnerable to a denial
 of service attack when processing ESI responses.

 Due to incorrect input validation Squid is vulnerable to public
 information disclosure of the server stack layout when processing
 ESI responses.

 Due to incorrect input validation and buffer overflow Squid is
 vulnerable to remote code execution when processing ESI
 responses.
__________________________________________________________________

Severity:

 These problems allow ESI components to be used to perform a
 denial of service attack on the Squid service and all other
 services on the same machine.

 Under certain build conditions these problems allow remote
 clients to view large sections of the server memory.

 However, the bugs are exploitable only if you have built and
 configured the ESI features to be used by a reverse-proxy and if
 the ESI components being processed by Squid can be controlled by
 an attacker.
__________________________________________________________________

Updated Packages:

 These bugs are fixed by Squid version 3.5.17 and 4.0.9.

 In addition, patches addressing this problem for stable releases
 can be found in our patch archives:

Squid 3.2:
 <http://www.squid-cache.org/Versions/v3/3.2/changesets/squid-3.2-11841.patch>

Squid 3.3:
 <http://www.squid-cache.org/Versions/v3/3.3/changesets/squid-3.3-12697.patch>

Squid 3.4:
 <http://www.squid-cache.org/Versions/v3/3.4/changesets/squid-3.4-13235.patch>

Squid 3.5:
 <http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-14034.patch>

 If you are using a prepackaged version of Squid then please refer
 to the package vendor for availability information on updated
 packages.

__________________________________________________________________

Determining if your version is vulnerable:

Use the command 'squid -v' to view version and build details of
your proxy;

 All Squid 2.x are not vulnerable.

 All Squid built with --disable-esi are not vulnerable.

 All Squid built without --enable-esi are not vulnerable.


Check squid.conf or use the (version 3.4+) command
  (squid -k parse 2>&1) | grep "Processing: http.*_port"
to view the active configuration settings for your proxy;

 Unpatched Squid 3.x and 4.x built with --enable-esi and
 configured with 'accel' or 'vhost' or 'defaultsite=' or
 'ssl-bump' on an http_port or https_port are vulnerable.

 All Squid configured without reverse-proxy or ssl-bump are
 not vulnerable.

__________________________________________________________________

Workaround:

 Build Squid with --disable-esi if ESI is not needed.

__________________________________________________________________

Contact details for the Squid project:

 For installation / upgrade support on binary packaged versions
 of Squid: Your first point of contact should be your binary
 package vendor.

 If you install and build Squid from the original Squid sources
 then the squid-users at squid-cache.org mailing list is your
 primary support point. For subscription details see
 http://www.squid-cache.org/Support/mailing-lists.html.

 For reporting of non-security bugs in the latest release
 the squid bugzilla database should be used
 http://bugs.squid-cache.org/.

 For reporting of security sensitive bugs send an email to the
 squid-bugs at squid-cache.org mailing list. It is a closed list
 (though anyone can post) and security related bug reports are
 treated in confidence until the impact has been established.

__________________________________________________________________

Credits:

 The vulnerability was reported by CESG.

 Fixed by Amos Jeffries, Treehouse Networks Ltd.

__________________________________________________________________

Revision history:

 2016-04-15 10:54:39 GMT Initial Report
 2016-04-20 03:54:54 GMT Patches Released
 2016-04-20 13:42:00 GMT Packages Released
 2016-04-20 15:47:01 GMT CVE Assigned
__________________________________________________________________
END

More information about the squid-announce mailing list