Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2016.1125 Multiple vulnerabilities have been identified in Squid 10 May 2016 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Squid Publisher: Squid Operating System: Windows UNIX variants (UNIX, Linux, OSX) Impact/Access: Denial of Service -- Remote/Unauthenticated Provide Misleading Information -- Remote/Unauthenticated Access Confidential Data -- Remote/Unauthenticated Resolution: Patch/Upgrade CVE Names: CVE-2016-4556 CVE-2016-4555 CVE-2016-4554 CVE-2016-4553 CVE-2009-0801 Reference: ESB-2009.0164 Original Bulletin: http://www.squid-cache.org/Advisories/SQUID-2016_7.txt http://www.squid-cache.org/Advisories/SQUID-2016_8.txt http://www.squid-cache.org/Advisories/SQUID-2016_9.txt Comment: This bulletin contains three (3) Squid security advisories. - --------------------------BEGIN INCLUDED TEXT-------------------- __________________________________________________________________ Squid Proxy Cache Security Update Advisory SQUID-2016:7 __________________________________________________________________ Advisory ID: SQUID-2016:7 Date: May 06, 2016 Summary: Cache poisoning issue in HTTP Request handling Affected versions: Squid 3.2.0.11 -> 3.5.17 Squid 4.x -> 4.0.9 Fixed in version: Squid 3.5.18, 4.0.10 __________________________________________________________________ http://www.squid-cache.org/Advisories/SQUID-2016_7.txt http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4553 __________________________________________________________________ Problem Description: Due to incorrect data validation of intercepted HTTP Request messages Squid is vulnerable to clients bypassing the protection against CVE-2009-0801 related issues. This leads to cache poisoning. __________________________________________________________________ Severity: This problem is serious because it allows any client, including browser scripts, to bypass local security and poison the proxy cache and any downstream caches with content from an arbitrary source. __________________________________________________________________ Updated Packages: This bug is fixed by Squid version 3.5.18 and 4.0.10. In addition, a patch addressing this problem for the stable release can be found in our patch archives: Squid 3.5: <http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-14039.patch> If you are using a prepackaged version of Squid then please refer to the package vendor for availability information on updated packages. __________________________________________________________________ Determining if your version is vulnerable: Use the command 'squid -v' to view version and build details of your proxy; All Squid 2.x are not vulnerable. All Squid-3.x up to and including 3.2.0.10 are not vulnerable. All Squid-3.2.0.11 and later versions up to and including 3.5.17 are vulnerable. All Squid-4.x up to and including 4.0.9 are vulnerable. __________________________________________________________________ Workaround: Add to squid.conf: client_dst_passthru off And, Remove any use of "host_verify_strict" directive. __________________________________________________________________ Contact details for the Squid project: For installation / upgrade support on binary packaged versions of Squid: Your first point of contact should be your binary package vendor. If you install and build Squid from the original Squid sources then the squid-users@squid-cache.org mailing list is your primary support point. For subscription details see http://www.squid-cache.org/Support/mailing-lists.html. For reporting of non-security bugs in the latest release the squid bugzilla database should be used http://bugs.squid-cache.org/. For reporting of security sensitive bugs send an email to the squid-bugs@squid-cache.org mailing list. It is a closed list (though anyone can post) and security related bug reports are treated in confidence until the impact has been established. __________________________________________________________________ Credits: The vulnerability was reported by Jianjun Chen from Tsinghua University. Fixed by Amos Jeffries from Treehouse Networks Ltd. __________________________________________________________________ Revision history: 2016-04-15 10:54:39 UTC Initial Report 2016-05-02 10:51:18 UTC Patch Released 2016-05-06 13:12:00 UTC Packages Released 2016-05-06 14:46:41 UTC CVE Assignment __________________________________________________________________ __________________________________________________________________ Squid Proxy Cache Security Update Advisory SQUID-2016:8 __________________________________________________________________ Advisory ID: SQUID-2016:8 Date: May 06, 2016 Summary: Header smuggling issue in HTTP Request processing Affected versions: Squid 1.x -> 3.5.17 Fixed in version: Squid 3.5.18 __________________________________________________________________ http://www.squid-cache.org/Advisories/SQUID-2016_8.txt http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4554 __________________________________________________________________ Problem Description: Due to incorrect input validation Squid is vulnerable to a header smuggling attack leading to cache poisoning and to bypass of same-origin security policy in Squid and some client browsers. __________________________________________________________________ Severity: This problem allows a client to smuggle Host header value past same-origin security protections to cause Squid operating as interception or reverse-proxy to contact the wrong origin server. Also poisoning any downstream cache which stores the response. However, the cache poisoning is only possible if the caching agent (browser or explicit/forward proxy) is not following RFC 7230 processing guidelines and lets the smuggled value through. __________________________________________________________________ Updated Packages: This bug is fixed by Squid version 3.5.18 In addition, patches addressing this problem for stable releases can be found in our patch archives: Squid 3.1: <http://www.squid-cache.org/Versions/v3/3.1/changesets/SQUID-2016_8.patch> Squid 3.2: <http://www.squid-cache.org/Versions/v3/3.2/changesets/SQUID-2016_8.patch> Squid 3.3: <http://www.squid-cache.org/Versions/v3/3.3/changesets/SQUID-2016_8.patch> Squid 3.4: <http://www.squid-cache.org/Versions/v3/3.4/changesets/SQUID-2016_8.patch> Squid 3.5: <http://www.squid-cache.org/Versions/v3/3.5/changesets/SQUID-2016_8.patch> If you are using a prepackaged version of Squid then please refer to the package vendor for availability information on updated packages. __________________________________________________________________ Determining if your version is vulnerable: All 2.x versions up to and including 2.7.STABLE9 are vulnerable. All 3.x versions up to and including 3.5.17 are vulnerable. All 4.x versions are not vulnerable. __________________________________________________________________ Workaround: There are no workarounds for this problem. __________________________________________________________________ Contact details for the Squid project: For installation / upgrade support on binary packaged versions of Squid: Your first point of contact should be your binary package vendor. If you install and build Squid from the original Squid sources then the squid-users@squid-cache.org mailing list is your primary support point. For subscription details see http://www.squid-cache.org/Support/mailing-lists.html. For reporting of non-security bugs in the latest release the squid bugzilla database should be used http://bugs.squid-cache.org/. For reporting of security sensitive bugs send an email to the squid-bugs@squid-cache.org mailing list. It is a closed list (though anyone can post) and security related bug reports are treated in confidence until the impact has been established. __________________________________________________________________ Credits: The vulnerability was reported by Jianjun Chen from Tsinghua University. Fixed by Amos Jeffries from Treehouse Networks Ltd. __________________________________________________________________ Revision history: 2016-04-26 09:29:13 UTC Initial Report 2016-05-02 03:39:35 UTC Patches Released 2016-05-06 13:12:00 UTC Packages Released 2016-05-06 14:46:41 UTC CVE Assignment 2016-05-08 12:45:58 UTC Patches Updated __________________________________________________________________ __________________________________________________________________ Squid Proxy Cache Security Update Advisory SQUID-2016:9 __________________________________________________________________ Advisory ID: SQUID-2016:9 Date: May 06, 2016 Summary: Multiple Denial of Service issues in ESI Response processing. Affected versions: Squid 3.x -> 3.5.17 Squid 4.x -> 4.0.9 Fixed in version: Squid 4.0.10, 3.5.18 __________________________________________________________________ http://www.squid-cache.org/Advisories/SQUID-2016_9.txt http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4555 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4556 __________________________________________________________________ Problem Description: Due to incorrect pointer handling and reference counting Squid is vulnerable to a denial of service attack when processing ESI responses. __________________________________________________________________ Severity: These problems allow a remote server delivering certain ESI response syntax to trigger a denial of service for all clients accessing the Squid service. Due to unrelated changes Squid-3.5 has become vulnerable to some regular ESI server responses also triggering one or more of these issues. __________________________________________________________________ Updated Packages: This bug is fixed by Squid version 3.5.18 and 4.0.10. In addition, patches addressing this problem for the stable releases can be found in our patch archives: Squid 3.4: <http://www.squid-cache.org/Versions/v3/3.4/changesets/SQUID-2016_9.patch> Squid 3.5: <http://www.squid-cache.org/Versions/v3/3.5/changesets/SQUID-2016_9.patch> If you are using a prepackaged version of Squid then please refer to the package vendor for availability information on updated packages. __________________________________________________________________ Determining if your version is vulnerable: All Squid-2.x are not vulnerable. All Squid built with --disable-esi are not vulnerable. All Squid-3.0 versions built without --enable-esi are not vulnerable. All Squid-3.0 versions built with --enable-esi and used for reverse-proxy are vulnerable. All Squid-3.1 and later versions up to and including Squid-3.5.17 being used for reverse-proxy are vulnerable. All Squid-3.1 and later versions up to and including Squid-3.5.17 being used for TLS / HTTPS interception are vulnerable. All unpatched Squid-4.0 up to and including Squid-4.0.9 being used as reverse-proxy are vulnerable. All unpatched Squid-4.0 up to and including Squid-4.0.9 being used as TLS/HTTPS intercept proxy are vulnerable. __________________________________________________________________ Workaround: Build Squid with --disable-esi __________________________________________________________________ Contact details for the Squid project: For installation / upgrade support on binary packaged versions of Squid: Your first point of contact should be your binary package vendor. If your install and build Squid from the original Squid sources then the squid-users@lists.squid-cache.org mailing list is your primary support point. For subscription details see <http://www.squid-cache.org/Support/mailing-lists.html>. For reporting of non-security bugs in the latest STABLE release the squid bugzilla database should be used <http://bugs.squid-cache.org/>. For reporting of security sensitive bugs send an email to the squid-bugs@lists.squid-cache.org mailing list. It's a closed list (though anyone can post) and security related bug reports are treated in confidence until the impact has been established. __________________________________________________________________ Credits: The initial issue was reported by "bfek-18". Additional issues and attack vector was reported by "@vftable". Fixed by Amos Jeffries from Treehouse Networks Ltd. __________________________________________________________________ Revision history: 2016-03-02 15:12:12 UTC Initial Report 2016-05-01 23:48:27 UTC Additional Issue Report 2016-05-06 09:39:48 UTC Patches Released 2016-05-06 13:12:00 UTC Packages Released 2016-05-06 14:46:41 UTC CVE Assignment __________________________________________________________________ - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBVzFCdH6ZAP0PgtI9AQJJ8xAAvTQreaa9PENLT152oGU5E4U5NBykW1Hp 0W13c1emmVGo9Bq+DSBo79ktoN/WEO+fMphsvNCMPqkL1e9bu6QIs6UwbpvoY7kb mDsfelaiHK53Yt/0S28rCM5snLdjt2YLNptauJ+jKNghd4tcVo2kykyPRRRfHiE6 HRZeYHcZDgE8nQfd5+C3VMgG2il/HG1DHQ6U8z5BVO4tNnhHVbTk0m8CzF69rEJM my/b9SZGunM4mw3R64ozZp8tR+qR6XMy0mfqbFVs1iqtjrFSmQyr9lrOLZSF1pqr ydKob4aFKqCU2JCfrXCyt9XSBJX84U/lksLtTok24BtJKvl9z5k17xDXiV8XU6J1 IFZxIGI99ESRAg4uBpZ9Kt5m1vxn+K9jDBHsHqj/hZz0vJAAz/esao0IVUsH9Cp2 kL/J9h13Q4J7fY7SDA33REX47nxtYbA55IX5UZMpUxTGNt+zBJKbqpRA9Qp8bSXR HJ6Xl+GeOEpnbT2Tr7GusOZe9JSLhSy6CEJginzfaaLd117M25nSEBi3czUPMIcm JrB8PtNQFsVns00089yssAsPlYCAvb6Mf1aw6JxvWLZANvXk3QtWkqxZ45SAMhwm O2CMEMbxkcuxkO8HRZH8Y9sdMShpemTnRHUv9C31bmij2UqsYwf+t+0J3uv66FY9 h1tytO3PdwQ= =q//u -----END PGP SIGNATURE-----