Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2020.1420
Squid Proxy Cache: Multiple vulnerabilities
24 April 2020
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Squid Proxy Cache
Publisher: Squid
Operating System: UNIX variants (UNIX, Linux, OSX)
Windows
Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Denial of Service -- Remote/Unauthenticated
Reduced Security -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2020-11945 CVE-2019-12521 CVE-2019-12519
Original Bulletin:
http://lists.squid-cache.org/pipermail/squid-announce/2020-April/000115.html
http://lists.squid-cache.org/pipermail/squid-announce/2020-April/000114.html
- --------------------------BEGIN INCLUDED TEXT--------------------
__________________________________________________________________
Squid Proxy Cache Security Update Advisory SQUID-2019:12
__________________________________________________________________
Advisory ID: SQUID-2019:12
Date: April 23, 2020
Summary: Multiple issues
in ESI Response processing.
Affected versions: Squid 3.x -> 3.5.28
Squid 4.x -> 4.10
Squid 5.x -> 5.0.1
Fixed in version: Squid 4.11 and 5.0.2
__________________________________________________________________
http://www.squid-cache.org/Advisories/SQUID-2019_12.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12519
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12521
__________________________________________________________________
Problem Description:
Due to incorrect buffer handling Squid is vulnerable to cache
poisoning, remote execution, and denial of service attacks when
processing ESI responses.
__________________________________________________________________
Severity:
These problems allow a remote server delivering certain ESI
response syntax to trigger a buffer overflow.
On systems with heap overflow protection overflow will shutdown
the proxy causing a denial of service for all clients accessing
the Squid service.
On systems with ESI buffer pooling (the default) overflow will
truncate portions of generated payloads. Poisoning the HTTP
response cache with corrupted objects.
The CVE-2019-12519 issue also overwrites arbitrary attacker
controlled information onto the process stack. Allowing remote
code execution with certain crafted ESI payloads.
These problems are restricted to ESI responses received from an
upstream server. Attackers have to compromise the server or
transmission channel to utilize these vulnerabilities.
__________________________________________________________________
Updated Packages:
This bug is fixed by Squid versions 4.11 and 5.0.2.
In addition, patches addressing this problem for the stable
releases can be found in our patch archives:
Squid 4:
<http://www.squid-cache.org/Versions/v4/changesets/squid-4-fdd4123629320aa1ee4c3481bb392437c90d188d.patch>
If you are using a prepackaged version of Squid then please refer
to the package vendor for availability information on updated
packages.
__________________________________________________________________
Determining if your version is vulnerable:
All Squid-2.x are not vulnerable.
All Squid built with --disable-esi are not vulnerable.
All Squid-3.0 versions built without --enable-esi are not
vulnerable.
All Squid-3.x versions built with --enable-esi are vulnerable.
All Squid-4.x up to and including Squid-4.10 are vulnerable.
Squid-5.0.1 is not vulnerable to the CVE-2019-12519 remote code
execution issue.
Squid-5.0.1 is vulnerable to the CVE-2019-12521 issues.
__________________________________________________________________
Workaround:
Build Squid with --disable-esi
__________________________________________________________________
Contact details for the Squid project:
For installation / upgrade support on binary packaged versions
of Squid: Your first point of contact should be your binary
package vendor.
If your install and build Squid from the original Squid sources
then the squid-users@lists.squid-cache.org mailing list is your
primary support point. For subscription details see
<http://www.squid-cache.org/Support/mailing-lists.html>.
For reporting of non-security bugs in the latest STABLE release
the squid bugzilla database should be used
<http://bugs.squid-cache.org/>.
For reporting of security sensitive bugs send an email to the
squid-bugs@lists.squid-cache.org mailing list. It's a closed
list (though anyone can post) and security related bug reports
are treated in confidence until the impact has been established.
__________________________________________________________________
Credits:
This vulnerability was discovered by Jeriko One
<jeriko.one@gmx.us>.
Fixed by Amos Jeffries of Treehouse Networks Ltd.
__________________________________________________________________
Revision history:
2019-05-14 14:56:49 UTC Initial Report
2019-05-20 11:23:13 UTC Patches Released
2019-06-05 15:52:17 UTC CVE Assignment
2020-04-23 08:00:00 UTC Advisory Released
__________________________________________________________________
END
- ---------------------------------------------------------------------------------
__________________________________________________________________
Squid Proxy Cache Security Update Advisory SQUID-2020:4
__________________________________________________________________
Advisory ID: SQUID-2020:4
Date: April 23, 2020
Summary: Multiple issues
in HTTP Digest authentication.
Affected versions: Squid 2.x -> 2.7.STABLE9
Squid 3.x -> 3.5.28
Squid 4.x -> 4.10
Squid 5.x -> 5.0.1
Fixed in version: Squid 4.11 and 5.0.2
__________________________________________________________________
http://www.squid-cache.org/Advisories/SQUID-2020_4.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11945
__________________________________________________________________
Problem Description:
Due to an integer overflow bug Squid is vulnerable to credential
replay and remote code execution attacks against HTTP Digest
Authentication tokens.
__________________________________________________________________
Severity:
When memory pooling is used this problem allows a remote client
to replay a sniffed Digest Authentication nonce to gain access
to resources that are otherwise forbidden.
When memory pooling is disabled this problem allows a remote
client to perform remote code execution through the free'd nonce
credentials.
__________________________________________________________________
Updated Packages:
This bug is fixed by Squid versions 4.11 and 5.0.2.
In addition, patches addressing this problem for the stable
releases can be found in our patch archives:
Squid 4:
<http://www.squid-cache.org/Versions/v4/changesets/squid-4-eeebf0f37a72a2de08348e85ae34b02c34e9a811.patch>
If you are using a prepackaged version of Squid then please refer
to the package vendor for availability information on updated
packages.
__________________________________________________________________
Determining if your version is vulnerable:
All Squid-2.x up to and including 2.4.STABLE7 are not vulnerable.
All Squid-2.5 up to and including 2.7.STABLE9 are vulnerable.
All Squid-2.x up to and including 2.7.STABLE9 configured with
"auth_param digest" are vulnerable.
All Squid-2.x up to and including 2.7.STABLE9 configured without
"auth_param digest" are not vulnerable.
All Squid-3.x up to and including 3.5.28 built with
--disable-auth are not vulnerable.
All Squid-3.2 up to and including 3.5.28 built with
--disable-auth-digest are not vulnerable.
All Squid-3.x up to and including 3.5.28 configured with
"auth_param digest" are vulnerable.
All Squid-3.x up to and including 3.5.28 configured without
"auth_param digest" are not vulnerable.
All Squid-4.x up to and including 4.10 built with
--disable-auth are not vulnerable.
All Squid-4.x up to and including 4.10 built with
--disable-auth-digest are not vulnerable.
All Squid-4.x up to and including 4.10 configured with
"auth_param digest" are vulnerable.
All Squid-4.x up to and including 4.10 configured without
"auth_param digest" are not vulnerable.
Squid-5.0.1 built with --disable-auth-digest is not vulnerable.
Squid-5.0.1 configured with "auth_param digest" are vulnerable.
Squid-5.0.1 configured without "auth_param digest" are not
vulnerable.
__________________________________________________________________
Workaround:
Either,
Remove all "auth_param digest" lines from squid.conf
Or,
Build Squid with --disable-auth-digest
Or,
Build Squid with --disable-auth
__________________________________________________________________
Contact details for the Squid project:
For installation / upgrade support on binary packaged versions
of Squid: Your first point of contact should be your binary
package vendor.
If your install and build Squid from the original Squid sources
then the squid-users@lists.squid-cache.org mailing list is your
primary support point. For subscription details see
<http://www.squid-cache.org/Support/mailing-lists.html>.
For reporting of non-security bugs in the latest STABLE release
the squid bugzilla database should be used
<http://bugs.squid-cache.org/>.
For reporting of security sensitive bugs send an email to the
squid-bugs@lists.squid-cache.org mailing list. It's a closed
list (though anyone can post) and security related bug reports
are treated in confidence until the impact has been established.
__________________________________________________________________
Credits:
This vulnerability was discovered by Clément Berthaux and
Florian Guilbert of Synacktiv.
Fixed by Maxime Desbrus of Synacktiv.
__________________________________________________________________
Revision history:
2019-11-20 13:39:07 UTC Initial Report
2020-04-02 11:16:45 UTC Patches Released
2020-04-20 20:08:14 UTC CVE Assignment
2020-04-23 08:00:00 UTC Advisory Released
__________________________________________________________________
END
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBXqI+5GaOgq3Tt24GAQgZbA//fzmEtGyjnSgiG3t9mIG6WBxCypmO5TfF
m1r6RR0XiafAcrolJbCQiKuv880CRUoUxlyt8LaGNyZhQBSBdwz4tCWH7xPlJ2DA
EnObNz/CacfJRU912+K1KyogTlWBkrvgNwgEQAaFqKBvd7r9vE7n5OaQVXxZ/BJO
gq0hPLsYll9HehQX+6rh6vkMSzqF98FRYEBQ73OrwnIlNQDsYbWMWWWNNxs56U7m
0ISe9jgU3J0VbyTfkwWjWRik9yRrwc4jRUO8zMnZm1glKARy0aUSbSo4wHJSEHrI
GzCGuHXnuuJPrMfg/OhZB1rX5LfXUSEXHz1ovhaGYvaBaRiltYwwSCBfJmPrKpar
UxdBiKu9qMEulQylmWJc7yhbxXRmfJWQByPldl4U3u7vUwMTlpKzA1M1n6WcmxQi
VCWNt3rA9RnrsUU3VAa8xeE4VTBUPxUOxJyXsVzpOysH4ZBLXPb7OS1KCcqCSajY
iZfDIrVT4Avxi9n4gkqxTX2MDE7i4UgFAihtNB7b4lHfVb/9d8GcqNKfx1rHoyt+
3F7S3f9loBqD4GR5vG01YnHyh80pmm75m+/fJO63XxmFQXUTIeboE614yOmR6Owp
E/IqIS8yOq+Bb5NbEpS0SN1KtPzOhELEGF40Lu6L4wCrKWgH/fmrMaEpHhmcb76n
wnI+WyC9D7c=
=H2Mt
-----END PGP SIGNATURE-----