[squid-announce] [ADVISORY] SQUID-2024:3 Denial of Service in ESI processing

Francesco Chemolli kinkie at squid-cache.org
Fri Jun 28 07:06:10 UTC 2024 

________________________________

Squid Proxy Cache Security Update Advisory SQUID-2024:3

________________________________
Advisory ID: SQUID-2024:3
Date: Jun 10, 2024
Summary: Denial of Service in ESI processing
Affected versions: Squid 3.0 -> 3.5.28
                  Squid 4.0 -> 4.16
                  Squid 5.0 -> 5.9
                  Squid 6.0 -> 6.9
Fixed in version:Squid 6.10
________________________________

Problem Description:

Due to an Out-of-bounds Write error when assigning ESI variables,
Squid is susceptible to a Memory Corruption error, which can
result in a Denial of Service.

________________________________

Severity:

This problem allows a trusted server to perform a Denial of Service attack on
Squid while processing ESI response content.
This affects all domains being serviced by the proxy and all clients using
it during the affected period.

The trigger for this issue are values which clients might normally expect to use
in valid ESI response content. As such admin should expect this issue to be
already occurring without any malicious 0-day attack existing.

This issue is limited to Squid acting as reverse proxy where ESI
feature has been
enabled at build time

CVSS Score of 6.3
<https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:H&version=3.1>

________________________________

Updated Packages:

This bug is fixed by Squid version 6.10.

In addition, patches addressing this problem for the stable
releases can be found in our patch archives:

Squid 3.x, 4, or 5:
<https://github.com/squid-cache/squid/commit/f411fe7d75197852f0e5ee85027a06d58dd8df4c.patch>

If you are using a prepackaged version of Squid then please refer
to the package vendor for availability information on updated
packages.

________________________________

Determining if your version is vulnerable:

All Squid built with --disable-esi are not vulnerable.

All Squid-3.0 versions built without --enable-esi are not
vulnerable.

All Squid-3.x versions built with --enable-esi are vulnerable.

All Squid-4.x built with --enable-esi are vulnerable.

All Squid-5.x built with --enable-esi are vulnerable.

All Squid-6.x up to and including 6.9 built with --enable-esi
are vulnerable

________________________________

Workaround:

* Build Squid with --disable-esi

________________________________

Contact details for the Squid project:

For installation / upgrade support on binary packaged versions
of Squid: Your first point of contact should be your binary
package vendor.

If you install and build Squid from the original Squid sources
then the squid-users at lists.squid-cache.org mailing list is your
primary support point. For subscription details see
http://www.squid-cache.org/Support/mailing-lists.html.

For reporting of non-security bugs in the latest STABLE release
the squid bugzilla database should be used
http://bugs.squid-cache.org/.

For reporting of security sensitive bugs send an email to the
squid-bugs at lists.squid-cache.org mailing list. It's a closed
list (though anyone can post) and security related bug reports
are treated in confidence until the impact has been established.

________________________________

Credits:

This vulnerability was discovered by Joshua Rogers of Opera Software.

Fixed by Francesco Chemolli

________________________________

Revision history:

2021-03-01 23:06:11 UTC Initial Report
2024-06-02 14:00:00 UTC Patches released
2024-06-10 14:00:00 UTC Fixed packages released

________________________________

END

More information about the squid-announce mailing list