[squid-announce] [ADVISORY] SQUID-2023:2 Multiple issues in HTTP response caching
Amos Jeffries
squid3 at treenet.co.nz
Sat Oct 21 11:28:59 UTC 2023
__________________________________________________________________
Squid Proxy Cache Security Update Advisory SQUID-2023:2
__________________________________________________________________
Advisory ID: | SQUID-2023:2
Date: | October 22, 2023
Summary: | Multiple issues in HTTP response caching.
Affected versions: | Squid 2.x -> 2.7.STABLE9
| Squid 3.x -> 3.5.28
| Squid 4.x -> 4.16
| Squid 5.x -> 5.9
| Squid 6.x -> 6.3
Fixed in version: | Squid 6.4
__________________________________________________________________
Problem Description:
Due to an Improper Handling of Structural Elements
bug Squid is vulnerable to a Denial of Service
attack against HTTP and HTTPS clients.
Due to an Incomplete Filtering of Special Elements
bug Squid is vulnerable to a Denial of Service
attack against HTTP and HTTPS clients.
__________________________________________________________________
Severity:
The limits applied for validation of HTTP Response headers are
applied before caching. Different limits may be in place at the
later cache HIT usage of that response.
The limits applied for validation of HTTP Response headers are
applied to each received server response. Squid may grow a cached
HTTP Response header with HTTP 304 updates beyond the configured
maximum header size.
Subsequent parsing to de-serialize a large header from disk cache
can stall or crash the worker process. Resulting in Denial of
Service to all clients using the proxy.
CVSS Score of 9.6
<https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H&version=3.1>
__________________________________________________________________
Updated Packages:
This bug is fixed by Squid version 6.4.
In addition, patches addressing this problem for the stable
releases can be found in our patch archives:
Squid 6:
<http://www.squid-cache.org/Versions/v6/SQUID-2023_2.patch>
If you are using a prepackaged version of Squid then please refer
to the package vendor for availability information on updated
packages.
__________________________________________________________________
Determining if your version is vulnerable:
Squid older than v5 have not been tested and are presumed
vulnerable.
Squid v5.x up to and including 5.9 are vulnerable.
Squid v6.x up to and including 6.3 are vulnerable.
__________________________________________________________________
Workaround:
Disable disk caching by removing all cache_dir directives from
squid.conf.
__________________________________________________________________
Contact details for the Squid project:
For installation / upgrade support on binary packaged versions
of Squid: Your first point of contact should be your binary
package vendor.
If you install and build Squid from the original Squid sources
then the <squid-users at lists.squid-cache.org> mailing list is your
primary support point. For subscription details see
<http://www.squid-cache.org/Support/mailing-lists.html>.
For reporting of non-security bugs in the latest STABLE release
the squid bugzilla database should be used
<https://bugs.squid-cache.org/>.
For reporting of security sensitive bugs send an email to the
<squid-bugs at lists.squid-cache.org> mailing list. It's a closed
list (though anyone can post) and security related bug reports
are treated in confidence until the impact has been established.
__________________________________________________________________
Credits:
This vulnerability was independently discovered by Joshua Rogers
of Opera Software and by The Measurement Factory.
Fixed by The Measurement Factory.
__________________________________________________________________
Revision history:
2019-09-11: Initial report of header growth caused by HTTP 304.
2021-03-04: Initial report of caching of huge response headers.
2023-04-28 02:40:03 UTC Initial patches released.
_________________________________________________________________
END
More information about the squid-announce
mailing list