[squid-announce] [ADVISORY] SQUID-2016:9 Multiple Denial of Service issues in ESI Response processing.
Amos Jeffries
squid3 at treenet.co.nz
Mon May 9 08:25:41 UTC 2016
__________________________________________________________________
Squid Proxy Cache Security Update Advisory SQUID-2016:9
__________________________________________________________________
Advisory ID: SQUID-2016:9
Date: May 06, 2016
Summary: Multiple Denial of Service issues
in ESI Response processing.
Affected versions: Squid 3.x -> 3.5.17
Squid 4.x -> 4.0.9
Fixed in version: Squid 4.0.10, 3.5.18
__________________________________________________________________
http://www.squid-cache.org/Advisories/SQUID-2016_9.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4555
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4556
__________________________________________________________________
Problem Description:
Due to incorrect pointer handling and reference counting Squid is
vulnerable to a denial of service attack when processing ESI
responses.
__________________________________________________________________
Severity:
These problems allow a remote server delivering certain ESI
response syntax to trigger a denial of service for all clients
accessing the Squid service.
Due to unrelated changes Squid-3.5 has become vulnerable to some
regular ESI server responses also triggering one or more of these
issues.
__________________________________________________________________
Updated Packages:
This bug is fixed by Squid version 3.5.18 and 4.0.10.
In addition, patches addressing this problem for the stable
releases can be found in our patch archives:
Squid 3.4:
<http://www.squid-cache.org/Versions/v3/3.4/changesets/SQUID-2016_9.patch>
Squid 3.5:
<http://www.squid-cache.org/Versions/v3/3.5/changesets/SQUID-2016_9.patch>
If you are using a prepackaged version of Squid then please refer
to the package vendor for availability information on updated
packages.
__________________________________________________________________
Determining if your version is vulnerable:
All Squid-2.x are not vulnerable.
All Squid built with --disable-esi are not vulnerable.
All Squid-3.0 versions built without --enable-esi are not
vulnerable.
All Squid-3.0 versions built with --enable-esi and used for
reverse-proxy are vulnerable.
All Squid-3.1 and later versions up to and including
Squid-3.5.17 being used for reverse-proxy are vulnerable.
All Squid-3.1 and later versions up to and including
Squid-3.5.17 being used for TLS / HTTPS interception are
vulnerable.
All unpatched Squid-4.0 up to and including Squid-4.0.9
being used as reverse-proxy are vulnerable.
All unpatched Squid-4.0 up to and including Squid-4.0.9
being used as TLS/HTTPS intercept proxy are vulnerable.
__________________________________________________________________
Workaround:
Build Squid with --disable-esi
__________________________________________________________________
Contact details for the Squid project:
For installation / upgrade support on binary packaged versions
of Squid: Your first point of contact should be your binary
package vendor.
If your install and build Squid from the original Squid sources
then the squid-users at lists.squid-cache.org mailing list is your
primary support point. For subscription details see
<http://www.squid-cache.org/Support/mailing-lists.html>.
For reporting of non-security bugs in the latest STABLE release
the squid bugzilla database should be used
<http://bugs.squid-cache.org/>.
For reporting of security sensitive bugs send an email to the
squid-bugs at lists.squid-cache.org mailing list. It's a closed
list (though anyone can post) and security related bug reports
are treated in confidence until the impact has been established.
__________________________________________________________________
Credits:
The initial issue was reported by "bfek-18".
Additional issues and attack vector was reported by "@vftable".
Fixed by Amos Jeffries from Treehouse Networks Ltd.
__________________________________________________________________
Revision history:
2016-03-02 15:12:12 UTC Initial Report
2016-05-01 23:48:27 UTC Additional Issue Report
2016-05-06 09:39:48 UTC Patches Released
2016-05-06 13:12:00 UTC Packages Released
2016-05-06 14:46:41 UTC CVE Assignment
__________________________________________________________________
END
More information about the squid-announce
mailing list