Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2016.0840
Squid Proxy Cache Security Update Advisory SQUID-2016:3 and SQUID-2016:4
4 April 2016
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Squid
Publisher: Squid
Operating System: Windows
UNIX variants (UNIX, Linux, OSX)
Impact/Access: Access Privileged Data -- Existing Account
Denial of Service -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2016-3948 CVE-2016-3947
Original Bulletin:
http://www.squid-cache.org/Advisories/SQUID-2016_3.txt
http://www.squid-cache.org/Advisories/SQUID-2016_4.txt
Comment: This bulletin contains two (2) security advisories.
- --------------------------BEGIN INCLUDED TEXT--------------------
__________________________________________________________________
Squid Proxy Cache Security Update Advisory SQUID-2016:3
__________________________________________________________________
Advisory ID: SQUID-2016:3
Date: April 02, 2016
Summary: Buffer overrun issue
in pinger ICMPv6 processing.
Affected versions: Squid 3.1.0 -> 3.5.15
Squid 4.0 -> 4.0.7
Fixed in version: Squid 4.0.8, 3.5.16
__________________________________________________________________
http://www.squid-cache.org/Advisories/SQUID-2016_3.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3947
__________________________________________________________________
Problem Description:
Due to a buffer overrun Squid pinger binary is vulnerable to
denial of service or information leak attack when processing
ICMPv6 packets.
This bug also permits the server response to manipulate other
ICMP and ICMPv6 queries processing to cause information leak.
__________________________________________________________________
Severity:
This bug allows any remote server to perform a denial of service
attack on the Squid service by crashing the pinger. This may
affect Squid HTTP routing decisions. In some configurations,
sub-optimal routing decisions may result in serious service
degradation or even transaction failures.
If the system does not contain buffer-overrun protection leading
to that crash this bug will instead allow attackers to leak
arbitrary amounts of information from the heap into Squid log
files. This is of higher importance than usual because the pinger
process operates with root priviliges.
__________________________________________________________________
Updated Packages:
This bug is fixed by Squid version 3.5.15 and 4.0.8.
In addition, patches addressing this problem for stable releases
can be found in our patch archives:
Squid 3.1:
http://www.squid-cache.org/Versions/v3/3.1/changesets/squid-3.1-10495.patch
Squid 3.2:
http://www.squid-cache.org/Versions/v3/3.2/changesets/squid-3.2-11839.patch
Squid 3.3:
http://www.squid-cache.org/Versions/v3/3.3/changesets/squid-3.3-12694.patch
Squid 3.4:
http://www.squid-cache.org/Versions/v3/3.4/changesets/squid-3.4-13232.patch
Squid 3.5:
http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-14015.patch
If you are using a prepackaged version of Squid then please refer
to the package vendor for availability information on updated
packages.
__________________________________________________________________
Determining if your version is vulnerable:
All Squid-2.x versions are not vulnerable to this problem.
All Squid-3.0 versions are not vulnerable to this problem.
All Squid built with --disable-icmp are not vulnerable to this
problem.
All Squid built with --disable-ipv6 are not vulnerable to this
problem.
All Squid-3.x configured with "pinger_enable off" in squid.conf
are not vulnerable to this problem.
Check the server running processes list to determine if the Squid
service is running a "pinger" child process.
All unpatched Squid-3 versions up to and including 3.5.15
running the pinger process are vulnerable to this problem.
All unpatched Squid-4 versions up to and including 4.0.7
running the pinger process are vulnerable to this problem.
__________________________________________________________________
Workaround:
Disable the pinger process in squid.conf:
pinger_enable off
__________________________________________________________________
Contact details for the Squid project:
For installation / upgrade support on binary packaged versions
of Squid: Your first point of contact should be your binary
package vendor.
If your install and build Squid from the original Squid sources
then the squid-users@lists.squid-cache.org mailing list is your
primary support point. For subscription details see
<http://www.squid-cache.org/Support/mailing-lists.html>.
For reporting of non-security bugs in the latest STABLE release
the squid bugzilla database should be used
<http://bugs.squid-cache.org/>.
For reporting of security sensitive bugs send an email to the
squid-bugs@lists.squid-cache.org mailing list. It's a closed
list (though anyone can post) and security related bug reports
are treated in confidence until the impact has been established.
__________________________________________________________________
Credits:
The vulnerability was reported and fixed by Yuriy M. Kaminskiy.
__________________________________________________________________
Revision history:
2016-02-21 23:42:28 GMT Initial Report
2016-03-28 22:52:58 GMT Patch Released
__________________________________________________________________
***********************
__________________________________________________________________
Squid Proxy Cache Security Update Advisory SQUID-2016:4
__________________________________________________________________
Advisory ID: SQUID-2016:4
Date: April 02, 2016
Summary: Denial of Service issue
in HTTP Response processing.
Affected versions: Squid 3.x -> 3.5.15
Squid 4.x -> 4.0.7
Fixed in version: Squid 4.0.8, 3.5.16
__________________________________________________________________
http://www.squid-cache.org/Advisories/SQUID-2016_4.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3948
__________________________________________________________________
Problem Description:
Due to incorrect bounds checking Squid is vulnerable to a denial
of service attack when processing HTTP responses.
__________________________________________________________________
Severity:
This problem allows a malicious client script and remote server
delivering certain unusual HTTP response syntax to trigger a
denial of service for all clients accessing the Squid service.
__________________________________________________________________
Updated Packages:
This bug is fixed by Squid version 3.5.16 and 4.0.8.
In addition, a patch addressing this problem for the stable
release can be found in our patch archives:
Squid 3.5:
http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-14016.patch
If you are using a prepackaged version of Squid then please refer
to the package vendor for availability information on updated
packages.
__________________________________________________________________
Determining if your version is vulnerable:
All unpatched Squid-3.0 versions are vulnerable.
All unpatched Squid-3.1 versions are vulnerable.
All unpatched Squid-3.2 versions are vulnerable.
All unpatched Squid-3.3 versions are vulnerable.
All unpatched Squid-3.4 versions are vulnerable.
All unpatched Squid-3.5 up to and including Squid-3.5.15 are
vulnerable.
All unpatched Squid-4.0 up to and including 4.0.7 are vulnerable.
__________________________________________________________________
Workaround:
There are no good workarounds known for this vulnerability.
The following squid.conf settings can protect Squid-3.5 (only):
acl Vary rep_header Vary .
store_miss deny Vary
Or,
The following squid.conf setting can protect Squid-3.0 or later:
cache deny all
__________________________________________________________________
Contact details for the Squid project:
For installation / upgrade support on binary packaged versions
of Squid: Your first point of contact should be your binary
package vendor.
If your install and build Squid from the original Squid sources
then the squid-users@lists.squid-cache.org mailing list is your
primary support point. For subscription details see
<http://www.squid-cache.org/Support/mailing-lists.html>.
For reporting of non-security bugs in the latest STABLE release
the squid bugzilla database should be used
<http://bugs.squid-cache.org/>.
For reporting of security sensitive bugs send an email to the
squid-bugs@lists.squid-cache.org mailing list. It's a closed
list (though anyone can post) and security related bug reports
are treated in confidence until the impact has been established.
__________________________________________________________________
Credits:
This vulnerability was reported by Santiago R. Rincon of Debian.
Fixed by Amos Jeffries from Treehouse Networks Ltd.
__________________________________________________________________
Revision history:
2016-03-20 11:25:04 UTC Initial Report
2016-04-01 06:15:31 UTC Patch Released
__________________________________________________________________
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBVwINTH6ZAP0PgtI9AQKHlg//cHovfUFfHAo+nik9uYj6jUUi3GDwhG0I
LDGxBV+cI4ImpmzXaMrvf4dNZQ2jFrvVekZgHqr8NFV/4ididsYyocjQ0tREkvY0
eVSYkdpY12mUaDPsB7DqE4KjRszQXN3jQFh5IZrUOMv19q7I+CnhpHs3xSwbZx8q
3cYXpImvPXZ+736EjymP9AqSGeFQKRzsgD7ivWS5vNdGDFtgZMGq2rqHeDas1bUv
uUSkM9Pp+WJbvaPMO8OxiNAA4Y/W07+sPOBnWiSiWPCLolruUD1nwzStUMbnJVEG
WR5mexYoi4qdefQuGrE96T+4n3K9oOta2hk7D4bI/U1ocPCHcyDjhXiJY5mCduBC
O4C/AHRKxXVcuOqfzgq9giGT/pgbn58bd6PDoduKPP3DcjvWBMWeXkXN1DWdWUgT
c/9ITGb8SSEbL/dkXDoDjZ9FvQrAlCEJriXAS2SiFJ0Zb9GOgQdAlGxMOz1i1k+h
x8CPu4JXtaU6IlbnefKXk7YfLWHvXjcfHVIfAksN9geVYivC466uEe0GNXk7jPfl
Z9vVH/pV9ttVPdHdZgbLWUTLNOQt019mRjl5Pes+LDNgDyKAfI5o4LWl5hFD8QRU
IDS4holNfV0F/b7pfSBym1rBgpgaLEfx5S5xQoWSvjg6oJ24tyLRIr67/cdBXDxf
SmEM5fPcTRY=
=oQAU
-----END PGP SIGNATURE-----