Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2016.1125
Multiple vulnerabilities have been identified in Squid
10 May 2016
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Squid
Publisher: Squid
Operating System: Windows
UNIX variants (UNIX, Linux, OSX)
Impact/Access: Denial of Service -- Remote/Unauthenticated
Provide Misleading Information -- Remote/Unauthenticated
Access Confidential Data -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2016-4556 CVE-2016-4555 CVE-2016-4554
CVE-2016-4553 CVE-2009-0801
Reference: ESB-2009.0164
Original Bulletin:
http://www.squid-cache.org/Advisories/SQUID-2016_7.txt
http://www.squid-cache.org/Advisories/SQUID-2016_8.txt
http://www.squid-cache.org/Advisories/SQUID-2016_9.txt
Comment: This bulletin contains three (3) Squid security advisories.
- --------------------------BEGIN INCLUDED TEXT--------------------
__________________________________________________________________
Squid Proxy Cache Security Update Advisory SQUID-2016:7
__________________________________________________________________
Advisory ID: SQUID-2016:7
Date: May 06, 2016
Summary: Cache poisoning issue
in HTTP Request handling
Affected versions: Squid 3.2.0.11 -> 3.5.17
Squid 4.x -> 4.0.9
Fixed in version: Squid 3.5.18, 4.0.10
__________________________________________________________________
http://www.squid-cache.org/Advisories/SQUID-2016_7.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4553
__________________________________________________________________
Problem Description:
Due to incorrect data validation of intercepted HTTP Request
messages Squid is vulnerable to clients bypassing the protection
against CVE-2009-0801 related issues. This leads to cache
poisoning.
__________________________________________________________________
Severity:
This problem is serious because it allows any client, including
browser scripts, to bypass local security and poison the proxy
cache and any downstream caches with content from an arbitrary
source.
__________________________________________________________________
Updated Packages:
This bug is fixed by Squid version 3.5.18 and 4.0.10.
In addition, a patch addressing this problem for the stable
release can be found in our patch archives:
Squid 3.5:
<http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-14039.patch>
If you are using a prepackaged version of Squid then please refer
to the package vendor for availability information on updated
packages.
__________________________________________________________________
Determining if your version is vulnerable:
Use the command 'squid -v' to view version and build details of
your proxy;
All Squid 2.x are not vulnerable.
All Squid-3.x up to and including 3.2.0.10 are not vulnerable.
All Squid-3.2.0.11 and later versions up to and including 3.5.17
are vulnerable.
All Squid-4.x up to and including 4.0.9 are vulnerable.
__________________________________________________________________
Workaround:
Add to squid.conf:
client_dst_passthru off
And,
Remove any use of "host_verify_strict" directive.
__________________________________________________________________
Contact details for the Squid project:
For installation / upgrade support on binary packaged versions
of Squid: Your first point of contact should be your binary
package vendor.
If you install and build Squid from the original Squid sources
then the squid-users@squid-cache.org mailing list is your
primary support point. For subscription details see
http://www.squid-cache.org/Support/mailing-lists.html.
For reporting of non-security bugs in the latest release
the squid bugzilla database should be used
http://bugs.squid-cache.org/.
For reporting of security sensitive bugs send an email to the
squid-bugs@squid-cache.org mailing list. It is a closed list
(though anyone can post) and security related bug reports are
treated in confidence until the impact has been established.
__________________________________________________________________
Credits:
The vulnerability was reported by Jianjun Chen from Tsinghua
University.
Fixed by Amos Jeffries from Treehouse Networks Ltd.
__________________________________________________________________
Revision history:
2016-04-15 10:54:39 UTC Initial Report
2016-05-02 10:51:18 UTC Patch Released
2016-05-06 13:12:00 UTC Packages Released
2016-05-06 14:46:41 UTC CVE Assignment
__________________________________________________________________
__________________________________________________________________
Squid Proxy Cache Security Update Advisory SQUID-2016:8
__________________________________________________________________
Advisory ID: SQUID-2016:8
Date: May 06, 2016
Summary: Header smuggling issue
in HTTP Request processing
Affected versions: Squid 1.x -> 3.5.17
Fixed in version: Squid 3.5.18
__________________________________________________________________
http://www.squid-cache.org/Advisories/SQUID-2016_8.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4554
__________________________________________________________________
Problem Description:
Due to incorrect input validation Squid is vulnerable to a header
smuggling attack leading to cache poisoning and to bypass of
same-origin security policy in Squid and some client browsers.
__________________________________________________________________
Severity:
This problem allows a client to smuggle Host header value past
same-origin security protections to cause Squid operating as
interception or reverse-proxy to contact the wrong origin
server. Also poisoning any downstream cache which stores the
response.
However, the cache poisoning is only possible if the caching
agent (browser or explicit/forward proxy) is not following RFC
7230 processing guidelines and lets the smuggled value through.
__________________________________________________________________
Updated Packages:
This bug is fixed by Squid version 3.5.18
In addition, patches addressing this problem for stable releases
can be found in our patch archives:
Squid 3.1:
<http://www.squid-cache.org/Versions/v3/3.1/changesets/SQUID-2016_8.patch>
Squid 3.2:
<http://www.squid-cache.org/Versions/v3/3.2/changesets/SQUID-2016_8.patch>
Squid 3.3:
<http://www.squid-cache.org/Versions/v3/3.3/changesets/SQUID-2016_8.patch>
Squid 3.4:
<http://www.squid-cache.org/Versions/v3/3.4/changesets/SQUID-2016_8.patch>
Squid 3.5:
<http://www.squid-cache.org/Versions/v3/3.5/changesets/SQUID-2016_8.patch>
If you are using a prepackaged version of Squid then please refer
to the package vendor for availability information on updated
packages.
__________________________________________________________________
Determining if your version is vulnerable:
All 2.x versions up to and including 2.7.STABLE9 are vulnerable.
All 3.x versions up to and including 3.5.17 are vulnerable.
All 4.x versions are not vulnerable.
__________________________________________________________________
Workaround:
There are no workarounds for this problem.
__________________________________________________________________
Contact details for the Squid project:
For installation / upgrade support on binary packaged versions
of Squid: Your first point of contact should be your binary
package vendor.
If you install and build Squid from the original Squid sources
then the squid-users@squid-cache.org mailing list is your
primary support point. For subscription details see
http://www.squid-cache.org/Support/mailing-lists.html.
For reporting of non-security bugs in the latest release
the squid bugzilla database should be used
http://bugs.squid-cache.org/.
For reporting of security sensitive bugs send an email to the
squid-bugs@squid-cache.org mailing list. It is a closed list
(though anyone can post) and security related bug reports are
treated in confidence until the impact has been established.
__________________________________________________________________
Credits:
The vulnerability was reported by Jianjun Chen from Tsinghua
University.
Fixed by Amos Jeffries from Treehouse Networks Ltd.
__________________________________________________________________
Revision history:
2016-04-26 09:29:13 UTC Initial Report
2016-05-02 03:39:35 UTC Patches Released
2016-05-06 13:12:00 UTC Packages Released
2016-05-06 14:46:41 UTC CVE Assignment
2016-05-08 12:45:58 UTC Patches Updated
__________________________________________________________________
__________________________________________________________________
Squid Proxy Cache Security Update Advisory SQUID-2016:9
__________________________________________________________________
Advisory ID: SQUID-2016:9
Date: May 06, 2016
Summary: Multiple Denial of Service issues
in ESI Response processing.
Affected versions: Squid 3.x -> 3.5.17
Squid 4.x -> 4.0.9
Fixed in version: Squid 4.0.10, 3.5.18
__________________________________________________________________
http://www.squid-cache.org/Advisories/SQUID-2016_9.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4555
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4556
__________________________________________________________________
Problem Description:
Due to incorrect pointer handling and reference counting Squid is
vulnerable to a denial of service attack when processing ESI
responses.
__________________________________________________________________
Severity:
These problems allow a remote server delivering certain ESI
response syntax to trigger a denial of service for all clients
accessing the Squid service.
Due to unrelated changes Squid-3.5 has become vulnerable to some
regular ESI server responses also triggering one or more of these
issues.
__________________________________________________________________
Updated Packages:
This bug is fixed by Squid version 3.5.18 and 4.0.10.
In addition, patches addressing this problem for the stable
releases can be found in our patch archives:
Squid 3.4:
<http://www.squid-cache.org/Versions/v3/3.4/changesets/SQUID-2016_9.patch>
Squid 3.5:
<http://www.squid-cache.org/Versions/v3/3.5/changesets/SQUID-2016_9.patch>
If you are using a prepackaged version of Squid then please refer
to the package vendor for availability information on updated
packages.
__________________________________________________________________
Determining if your version is vulnerable:
All Squid-2.x are not vulnerable.
All Squid built with --disable-esi are not vulnerable.
All Squid-3.0 versions built without --enable-esi are not
vulnerable.
All Squid-3.0 versions built with --enable-esi and used for
reverse-proxy are vulnerable.
All Squid-3.1 and later versions up to and including
Squid-3.5.17 being used for reverse-proxy are vulnerable.
All Squid-3.1 and later versions up to and including
Squid-3.5.17 being used for TLS / HTTPS interception are
vulnerable.
All unpatched Squid-4.0 up to and including Squid-4.0.9
being used as reverse-proxy are vulnerable.
All unpatched Squid-4.0 up to and including Squid-4.0.9
being used as TLS/HTTPS intercept proxy are vulnerable.
__________________________________________________________________
Workaround:
Build Squid with --disable-esi
__________________________________________________________________
Contact details for the Squid project:
For installation / upgrade support on binary packaged versions
of Squid: Your first point of contact should be your binary
package vendor.
If your install and build Squid from the original Squid sources
then the squid-users@lists.squid-cache.org mailing list is your
primary support point. For subscription details see
<http://www.squid-cache.org/Support/mailing-lists.html>.
For reporting of non-security bugs in the latest STABLE release
the squid bugzilla database should be used
<http://bugs.squid-cache.org/>.
For reporting of security sensitive bugs send an email to the
squid-bugs@lists.squid-cache.org mailing list. It's a closed
list (though anyone can post) and security related bug reports
are treated in confidence until the impact has been established.
__________________________________________________________________
Credits:
The initial issue was reported by "bfek-18".
Additional issues and attack vector was reported by "@vftable".
Fixed by Amos Jeffries from Treehouse Networks Ltd.
__________________________________________________________________
Revision history:
2016-03-02 15:12:12 UTC Initial Report
2016-05-01 23:48:27 UTC Additional Issue Report
2016-05-06 09:39:48 UTC Patches Released
2016-05-06 13:12:00 UTC Packages Released
2016-05-06 14:46:41 UTC CVE Assignment
__________________________________________________________________
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBVzFCdH6ZAP0PgtI9AQJJ8xAAvTQreaa9PENLT152oGU5E4U5NBykW1Hp
0W13c1emmVGo9Bq+DSBo79ktoN/WEO+fMphsvNCMPqkL1e9bu6QIs6UwbpvoY7kb
mDsfelaiHK53Yt/0S28rCM5snLdjt2YLNptauJ+jKNghd4tcVo2kykyPRRRfHiE6
HRZeYHcZDgE8nQfd5+C3VMgG2il/HG1DHQ6U8z5BVO4tNnhHVbTk0m8CzF69rEJM
my/b9SZGunM4mw3R64ozZp8tR+qR6XMy0mfqbFVs1iqtjrFSmQyr9lrOLZSF1pqr
ydKob4aFKqCU2JCfrXCyt9XSBJX84U/lksLtTok24BtJKvl9z5k17xDXiV8XU6J1
IFZxIGI99ESRAg4uBpZ9Kt5m1vxn+K9jDBHsHqj/hZz0vJAAz/esao0IVUsH9Cp2
kL/J9h13Q4J7fY7SDA33REX47nxtYbA55IX5UZMpUxTGNt+zBJKbqpRA9Qp8bSXR
HJ6Xl+GeOEpnbT2Tr7GusOZe9JSLhSy6CEJginzfaaLd117M25nSEBi3czUPMIcm
JrB8PtNQFsVns00089yssAsPlYCAvb6Mf1aw6JxvWLZANvXk3QtWkqxZ45SAMhwm
O2CMEMbxkcuxkO8HRZH8Y9sdMShpemTnRHUv9C31bmij2UqsYwf+t+0J3uv66FY9
h1tytO3PdwQ=
=q//u
-----END PGP SIGNATURE-----