[squid-announce] [ADVISORY] SQUID-2023:2 Multiple issues in HTTP response caching

Amos Jeffries squid3 at treenet.co.nz
Sat Oct 21 11:28:59 UTC 2023


__________________________________________________________________

   Squid Proxy Cache Security Update Advisory SQUID-2023:2
__________________________________________________________________

Advisory ID:       | SQUID-2023:2
Date:              | October 22, 2023
Summary:           | Multiple issues in HTTP response caching.
Affected versions: | Squid 2.x -> 2.7.STABLE9
                    | Squid 3.x -> 3.5.28
                    | Squid 4.x -> 4.16
                    | Squid 5.x -> 5.9
                    | Squid 6.x -> 6.3
Fixed in version:  | Squid 6.4
__________________________________________________________________

Problem Description:

  Due to an Improper Handling of Structural Elements
  bug Squid is vulnerable to a Denial of Service
  attack against HTTP and HTTPS clients.

  Due to an Incomplete Filtering of Special Elements
  bug Squid is vulnerable to a Denial of Service
  attack against HTTP and HTTPS clients.

__________________________________________________________________

Severity:

  The limits applied for validation of HTTP Response headers are
  applied before caching. Different limits may be in place at the
  later cache HIT usage of that response.

  The limits applied for validation of HTTP Response headers are
  applied to each received server response. Squid may grow a cached
  HTTP Response header with HTTP 304 updates beyond the configured
  maximum header size.

  Subsequent parsing to de-serialize a large header from disk cache
  can stall or crash the worker process. Resulting in Denial of
  Service to all clients using the proxy.

CVSS Score of 9.6
<https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H&version=3.1>

__________________________________________________________________

Updated Packages:

This bug is fixed by Squid version 6.4.

  In addition, patches addressing this problem for the stable
  releases can be found in our patch archives:

Squid 6:
  <http://www.squid-cache.org/Versions/v6/SQUID-2023_2.patch>

  If you are using a prepackaged version of Squid then please refer
  to the package vendor for availability information on updated
  packages.

__________________________________________________________________

Determining if your version is vulnerable:

  Squid older than v5 have not been tested and are presumed
  vulnerable.

  Squid v5.x up to and including 5.9 are vulnerable.

  Squid v6.x up to and including 6.3 are vulnerable.

__________________________________________________________________

Workaround:

  Disable disk caching by removing all cache_dir directives from
  squid.conf.

__________________________________________________________________

Contact details for the Squid project:

  For installation / upgrade support on binary packaged versions
  of Squid: Your first point of contact should be your binary
  package vendor.

  If you install and build Squid from the original Squid sources
  then the <squid-users at lists.squid-cache.org> mailing list is your
  primary support point. For subscription details see
  <http://www.squid-cache.org/Support/mailing-lists.html>.

  For reporting of non-security bugs in the latest STABLE release
  the squid bugzilla database should be used
  <https://bugs.squid-cache.org/>.

  For reporting of security sensitive bugs send an email to the
  <squid-bugs at lists.squid-cache.org> mailing list. It's a closed
  list (though anyone can post) and security related bug reports
  are treated in confidence until the impact has been established.

__________________________________________________________________

Credits:

  This vulnerability was independently discovered by Joshua Rogers
  of Opera Software and by The Measurement Factory.

  Fixed by The Measurement Factory.

__________________________________________________________________

Revision history:

2019-09-11: Initial report of header growth caused by HTTP 304.
2021-03-04: Initial report of caching of huge response headers.
2023-04-28 02:40:03 UTC Initial patches released.

_________________________________________________________________
END


More information about the squid-announce mailing list