[squid-users] [squid-announce] [ADVISORY] SQUID-2020:3 Buffer Overflow issue in ext_lm_group_acl helper.
Amos Jeffries
squid3 at treenet.co.nz
Mon Feb 3 11:54:40 UTC 2020
__________________________________________________________________
Squid Proxy Cache Security Update Advisory SQUID-2020:3
__________________________________________________________________
Advisory ID: SQUID-2020:3
Date: February 02, 2020
Summary: Buffer Overflow issue
in ext_lm_group_acl helper.
Affected versions: Squid 2.x -> 2.7.STABLE9
Squid 3.x -> 3.5.28
Squid 4.x -> 4.9
Fixed in version: Squid 4.10
__________________________________________________________________
http://www.squid-cache.org/Advisories/SQUID-2019_3.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8517
__________________________________________________________________
Problem Description:
Due to incorrect buffer management ext_lm_group_acl is vulnerable
to a denial of service attack when processing NTLM Authentication
credentials.
__________________________________________________________________
Severity:
This problem is limited to installations using the
ext_lm_group_acl binary.
Due to incorrect input validation the NTLM authentication
credentials parser in ext_lm_group_acl may write to memory
outside the credentials buffer.
On systems with memory access protections this can result in
the the helper process being terminated unexpectedly. Resulting
in Squid process also terminating and a denial of service for
all clients using the proxy.
__________________________________________________________________
Updated Packages:
This bug is fixed by ext_lm_group_acl from Squid version 4.10.
In addition, patches addressing this problem for the stable
releases can be found in our patch archives:
Squid 3.5:
<http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-c62d2b43ad4962ea44aa0c5edb4cc99cb83a413d.patch>
Squid 4:
<http://www.squid-cache.org/Versions/v4/changesets/squid-4-6982f1187a26557e582172965e266f544ea562a5.patch>
If you are using a prepackaged version of Squid then please refer
to the package vendor for availability information on updated
packages.
__________________________________________________________________
Determining if your version is vulnerable:
The helper was shipped as mswin_check_lm_group with Squid-3.1 and
older. Also as a third-party helper prior to Squid-2.6.
All Squid using the mswin_check_lm_group helper for group
based authorization are vulnerable.
All Squid not using the ext_lm_group_acl helper for group
based authorization are not vulnerable.
All Squid-3.x up to and including 3.5.28 being used for NTLM
Authentication with ext_lm_group_acl helper are vulnerable.
All Squid-4.x up to and including 4.9 being used for NTLM
Authentication with ext_lm_group_acl helper are vulnerable.
To determine whether Squid-3.2 and later are configured to use
the affected helper use the commands:
squid -k parse | grep ext_lm_group_acl
squid -k parse | grep mswin_check_lm_group
To determine whether Squid-3.1 and older are configured to use
the affected helper use the commands:
grep ext_lm_group_acl /etc/squid/squid.conf
grep mswin_check_lm_group /etc/squid/squid.conf
__________________________________________________________________
Workarounds:
Either;
Remove 'auth_param NTLM ...' configuration settings from
squid.conf.
Or,
Use ext_lm_group_acl binary built from Squid-4.10 or later
versions.
__________________________________________________________________
Contact details for the Squid project:
For installation / upgrade support on binary packaged versions
of Squid: Your first point of contact should be your binary
package vendor.
If your install and build Squid from the original Squid sources
then the squid-users at lists.squid-cache.org mailing list is your
primary support point. For subscription details see
<http://www.squid-cache.org/Support/mailing-lists.html>.
For reporting of non-security bugs in the latest STABLE release
the squid bugzilla database should be used
<http://bugs.squid-cache.org/>.
For reporting of security sensitive bugs send an email to the
squid-bugs at lists.squid-cache.org mailing list. It's a closed
list (though anyone can post) and security related bug reports
are treated in confidence until the impact has been established.
__________________________________________________________________
Credits:
This vulnerability was discovered and fixed by Aaron Costello
<aaron.costello at ymail.com>.
__________________________________________________________________
Revision history:
2019-11-11 10:25:02 UTC Initial Report
2019-11-22 02:44:29 UTC Patches Released
__________________________________________________________________
END
_______________________________________________
squid-announce mailing list
squid-announce at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-announce
More information about the squid-users
mailing list