[squid-users] [squid-announce] [ADVISORY] SQUID-2022:2 Buffer Over Read in SSPI and SMB Authentication
Amos Jeffries
squid3 at treenet.co.nz
Wed Jan 18 01:30:04 UTC 2023
__________________________________________________________________
Squid Proxy Cache Security Update Advisory SQUID-2022:2
__________________________________________________________________
Advisory ID: | SQUID-2022:2
Date: | September 23, 2022
Summary: | Buffer Over Read
| in SSPI and SMB Authentication
Affected versions: | Squid 2.5.STABLE1 -> 2.7.STABLE9
| Squid 3.x -> 3.5.28
| Squid 4.x -> 4.17
| Squid 5.x -> 5.6
Fixed in version: | Squid 5.7
__________________________________________________________________
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41318>
__________________________________________________________________
Problem Description:
Due to an incorrect integer overflow protection Squid SSPI and
SMB authentication helpers are vulnerable to a Buffer Overflow
attack.
__________________________________________________________________
Severity:
This problem allows a remote client to perform a Denial of
Service attack when Squid is configured to use NTLM or Negotiate
authentication with one of the vulnerable helpers.
This problem allows a remote client to extract sensitive
information from machine memory when Squid is configured to use
NTLM or Negotiate authentication with one of the vulnerable
helpers. The scope of this information includes user credentials
in decrypted forms, and also arbitrary memory areas beyond Squid
and the helper itself.
This attack is limited to authentication helpers built using the
libntlmauth library shipped by Squid.
CVSS Score of 8.2
<https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:H/E:P/RL:O/RC:C/CR:H/IR:H/AR:H/MAV:X/MAC:X/MPR:X/MUI:X/MS:C/MC:X/MI:L/MA:H&version=3.1>
__________________________________________________________________
Updated Packages:
This bug is fixed by Squid version 5.7.
In addition, patches addressing this problem for the stable
releases can be found in our patch archives:
Squid 4:
<http://www.squid-cache.org/Versions/v4/changesets/SQUID-2022_2.patch>
Squid 5:
<http://www.squid-cache.org/Versions/v5/changesets/SQUID-2022_2.patch>
If you are using a prepackaged version of Squid then please refer
to the package vendor for availability information on updated
packages.
__________________________________________________________________
Determining if your version is vulnerable:
Run this command to view the configured authentication helpers:
(squid -k parse 2>&1) | grep "Processing: auth_param"
Your Squid may be vulnerable if the result contains any of the following:
ntlm_smb_lm_auth
ntlm_sspi_auth
ntlm_fake_auth
negotiate_sspi_auth
All Squid-2.5 up to and including 4.17 have vulnerable helpers.
All Squid-5.x up to and including 5.6 have vulnerable helpers.
__________________________________________________________________
Workaround:
Either,
Disable use of the vulnerable authentication scheme.
Or,
Replace the vulnerable helper with an alternative helper for the
same authentication scheme.
Or,
Replace the vulnerable helper binary with one built from an
updated or patched Squid release. The remainder of Squid does not
need updating to fix this.
__________________________________________________________________
Contact details for the Squid project:
For installation / upgrade support on binary packaged versions
of Squid: Your first point of contact should be your binary
package vendor.
If you install and build Squid from the original Squid sources
then the <squid-users at lists.squid-cache.org> mailing list is your
primary support point. For subscription details see
<http://www.squid-cache.org/Support/mailing-lists.html>.
For reporting of non-security bugs in the latest STABLE release
the squid bugzilla database should be used
<http://bugs.squid-cache.org/>.
For reporting of security sensitive bugs send an email to the
<squid-bugs at lists.squid-cache.org> mailing list. It's a closed
list (though anyone can post) and security related bug reports
are treated in confidence until the impact has been established.
__________________________________________________________________
Credits:
This vulnerability was discovered by LWIC.
Fixed by Amos Jeffries of Treehouse Networks Ltd,
based on patch by LWIC.
__________________________________________________________________
Revision history:
2019-03-17 14:24:42 UTC Initial Report
2022-08-08 12:16:43 UTC Fix Released
2022-09-23 05:00:00 UTC Advisory Released
__________________________________________________________________
END
_______________________________________________
squid-announce mailing list
squid-announce at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-announce
More information about the squid-users
mailing list