-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.1420
                Squid Proxy Cache: Multiple vulnerabilities
                               24 April 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Squid Proxy Cache
Publisher:         Squid
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Reduced Security                -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-11945 CVE-2019-12521 CVE-2019-12519

Original Bulletin: 
   http://lists.squid-cache.org/pipermail/squid-announce/2020-April/000115.html
   http://lists.squid-cache.org/pipermail/squid-announce/2020-April/000114.html

- --------------------------BEGIN INCLUDED TEXT--------------------


__________________________________________________________________

    Squid Proxy Cache Security Update Advisory SQUID-2019:12
__________________________________________________________________

Advisory ID:        SQUID-2019:12
Date:               April 23, 2020
Summary:            Multiple issues
                    in ESI Response processing.
Affected versions:  Squid 3.x -> 3.5.28
                    Squid 4.x -> 4.10
                    Squid 5.x -> 5.0.1
Fixed in version:   Squid 4.11 and 5.0.2
__________________________________________________________________

    http://www.squid-cache.org/Advisories/SQUID-2019_12.txt
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12519
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12521
__________________________________________________________________

Problem Description:

 Due to incorrect buffer handling Squid is vulnerable to cache
 poisoning, remote execution, and denial of service attacks when
 processing ESI responses.

__________________________________________________________________

Severity:

 These problems allow a remote server delivering certain ESI
 response syntax to trigger a buffer overflow.

 On systems with heap overflow protection, the overflow will shut
 down the proxy, causing a denial of service for all clients
 accessing the Squid service.

 On systems with ESI buffer pooling (the default), the overflow will
 truncate portions of generated payloads, poisoning the HTTP
 response cache with corrupted objects.

 The CVE-2019-12519 issue also overwrites the process stack with
 arbitrary attacker-controlled data, allowing remote code execution
 with certain crafted ESI payloads.

 These problems are restricted to ESI responses received from an
 upstream server. Attackers have to compromise the server or
 transmission channel to utilize these vulnerabilities.

__________________________________________________________________

Updated Packages:

 This bug is fixed by Squid versions 4.11 and 5.0.2.

 In addition, patches addressing this problem for the stable
 releases can be found in our patch archives:

Squid 4:
 <http://www.squid-cache.org/Versions/v4/changesets/squid-4-fdd4123629320aa1ee4c3481bb392437c90d188d.patch>

 If you are using a prepackaged version of Squid then please refer
 to the package vendor for availability information on updated
 packages.

__________________________________________________________________

Determining if your version is vulnerable:

 All Squid-2.x are not vulnerable.

 All Squid built with --disable-esi are not vulnerable.

 All Squid-3.0 versions built without --enable-esi are not
 vulnerable.

 All Squid-3.x versions built with --enable-esi are vulnerable.

 All Squid-4.x up to and including Squid-4.10 are vulnerable.

 Squid-5.0.1 is not vulnerable to the CVE-2019-12519 remote code
 execution issue.

 Squid-5.0.1 is vulnerable to the CVE-2019-12521 issues.

__________________________________________________________________

Workaround:

 Build Squid with --disable-esi

__________________________________________________________________

Contact details for the Squid project:

 For installation / upgrade support on binary packaged versions
 of Squid: Your first point of contact should be your binary
 package vendor.

 If you install and build Squid from the original Squid sources
 then the squid-users@lists.squid-cache.org mailing list is your
 primary support point. For subscription details see
 <http://www.squid-cache.org/Support/mailing-lists.html>.

 For reporting of non-security bugs in the latest STABLE release
 the squid bugzilla database should be used
 <http://bugs.squid-cache.org/>.

 For reporting of security sensitive bugs send an email to the
 squid-bugs@lists.squid-cache.org mailing list. It's a closed
 list (though anyone can post) and security related bug reports
 are treated in confidence until the impact has been established.

__________________________________________________________________

Credits:

 This vulnerability was discovered by Jeriko One
 <jeriko.one@gmx.us>.

 Fixed by Amos Jeffries of Treehouse Networks Ltd.

__________________________________________________________________

Revision history:

 2019-05-14 14:56:49 UTC Initial Report
 2019-05-20 11:23:13 UTC Patches Released
 2019-06-05 15:52:17 UTC CVE Assignment
 2020-04-23 08:00:00 UTC Advisory Released
__________________________________________________________________
END

- ---------------------------------------------------------------------------------

__________________________________________________________________

    Squid Proxy Cache Security Update Advisory SQUID-2020:4
__________________________________________________________________

Advisory ID:        SQUID-2020:4
Date:               April 23, 2020
Summary:            Multiple issues
                    in HTTP Digest authentication.
Affected versions:  Squid 2.x -> 2.7.STABLE9
                    Squid 3.x -> 3.5.28
                    Squid 4.x -> 4.10
                    Squid 5.x -> 5.0.1
Fixed in version:   Squid 4.11 and 5.0.2
__________________________________________________________________

    http://www.squid-cache.org/Advisories/SQUID-2020_4.txt
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11945
__________________________________________________________________

Problem Description:

 Due to an integer overflow bug Squid is vulnerable to credential
 replay and remote code execution attacks against HTTP Digest
 Authentication tokens.

__________________________________________________________________

Severity:

 When memory pooling is used, this problem allows a remote client
 to replay a sniffed Digest Authentication nonce to gain access
 to resources that are otherwise forbidden.

 When memory pooling is disabled, this problem allows a remote
 client to perform remote code execution through the freed nonce
 credentials.

__________________________________________________________________

Updated Packages:

 This bug is fixed by Squid versions 4.11 and 5.0.2.

 In addition, patches addressing this problem for the stable
 releases can be found in our patch archives:

Squid 4:
 <http://www.squid-cache.org/Versions/v4/changesets/squid-4-eeebf0f37a72a2de08348e85ae34b02c34e9a811.patch>

 If you are using a prepackaged version of Squid then please refer
 to the package vendor for availability information on updated
 packages.

__________________________________________________________________

Determining if your version is vulnerable:

 All Squid-2.x up to and including 2.4.STABLE7 are not vulnerable.

 All Squid-2.5 up to and including 2.7.STABLE9 are vulnerable.

 All Squid-2.x up to and including 2.7.STABLE9 configured with
 "auth_param digest" are vulnerable.

 All Squid-2.x up to and including 2.7.STABLE9 configured without
 "auth_param digest" are not vulnerable.

 All Squid-3.x up to and including 3.5.28 built with
 --disable-auth are not vulnerable.

 All Squid-3.2 up to and including 3.5.28 built with
 --disable-auth-digest are not vulnerable.

 All Squid-3.x up to and including 3.5.28 configured with
 "auth_param digest" are vulnerable.

 All Squid-3.x up to and including 3.5.28 configured without
 "auth_param digest" are not vulnerable.

 All Squid-4.x up to and including 4.10 built with
 --disable-auth are not vulnerable.

 All Squid-4.x up to and including 4.10 built with
 --disable-auth-digest are not vulnerable.

 All Squid-4.x up to and including 4.10 configured with
 "auth_param digest" are vulnerable.

 All Squid-4.x up to and including 4.10 configured without
 "auth_param digest" are not vulnerable.

 Squid-5.0.1 built with --disable-auth-digest is not vulnerable.

 Squid-5.0.1 configured with "auth_param digest" is vulnerable.

 Squid-5.0.1 configured without "auth_param digest" is not
 vulnerable.

__________________________________________________________________

Workaround:

Either,

 Remove all "auth_param digest" lines from squid.conf

Or,

 Build Squid with --disable-auth-digest

Or,

 Build Squid with --disable-auth
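
 The following is an added example, not part of either Squid advisory
 and not code from the Squid project. It turns the version matrices
 under "Determining if your version is vulnerable" of SQUID-2019:12
 (ESI) and SQUID-2020:4 (Digest authentication), together with the
 "auth_param digest" and --disable-* workaround checks above, into one
 POSIX shell check that an administrator can run against the text of
 `squid -v` and of squid.conf. The three `squid -v` transcripts and the
 two squid.conf fragments are constructed samples; the helper and
 variable names are this example's own. One rule is the script's own
 conservative assumption rather than a statement of the advisory: a
 3.1+ build whose options do not contain --disable-esi is reported as
 vulnerable, because the advisory lists all of 3.x -> 3.5.28 as affected
 and names no fixed 3.x release.

```shell
#!/bin/sh
# Added example, not part of the Squid advisories or the Squid project: classify a
# Squid build against SQUID-2019:12 (ESI) and SQUID-2020:4 (Digest auth) using the
# version matrices and workarounds the two advisories list. Inputs are the text of
# `squid -v` and the text of squid.conf. All sample inputs below are constructed.

# Constructed `squid -v` transcripts (the real command prints the same header lines).
SAMPLE_V_410="Squid Cache: Version 4.10
Service Name: squid
configure options:  '--prefix=/usr' '--enable-esi' '--enable-auth-digest'"
SAMPLE_V_411="Squid Cache: Version 4.11
Service Name: squid
configure options:  '--prefix=/usr' '--enable-esi' '--enable-auth-digest'"
SAMPLE_V_501="Squid Cache: Version 5.0.1
Service Name: squid
configure options:  '--prefix=/usr' '--disable-auth-digest'"

# Constructed squid.conf fragments: one with an active "auth_param digest" line
# (plus a commented-out one, which must not count), one without any.
SAMPLE_CONF_DIGEST="http_port 3128
# auth_param digest program /usr/lib/squid/digest_file_auth /etc/squid/passwd
auth_param digest program /usr/lib/squid/digest_file_auth /etc/squid/passwd
auth_param digest realm proxy
acl authed proxy_auth REQUIRED"
SAMPLE_CONF_PLAIN="http_port 3128
acl localnet src 10.0.0.0/8
http_access allow localnet"

# "Squid Cache: Version 4.10" -> "4.10"
squid_version() {
    printf '%s\n' "$1" | sed -n 's/^Squid Cache: Version \([0-9][0-9A-Za-z.]*\).*/\1/p' | head -n 1
}

# "major.minor[.patch]" -> integer major*10000 + minor*100 + patch, so versions
# compare with -lt/-ge; non-numeric parts such as "STABLE9" count as 0.
version_key() {
    vk_maj=$(printf '%s\n' "$1" | cut -s -d. -f1)
    vk_min=$(printf '%s\n' "$1" | cut -s -d. -f2)
    vk_pat=$(printf '%s\n' "$1" | cut -s -d. -f3)
    case "$vk_maj" in ''|*[!0-9]*) vk_maj=0 ;; esac
    case "$vk_min" in ''|*[!0-9]*) vk_min=0 ;; esac
    case "$vk_pat" in ''|*[!0-9]*) vk_pat=0 ;; esac
    echo $((vk_maj * 10000 + vk_min * 100 + vk_pat))
}

# True if the `squid -v` text ($1) contains configure flag $2 as a whole token,
# so that --disable-auth does not match --disable-auth-digest.
has_option() {
    printf '%s\n' "$1" | grep -E -q -- "(^|[^-A-Za-z])$2([^-A-Za-z]|$)"
}

# True if squid.conf text ($1) has an active (uncommented) "auth_param digest" line.
digest_configured() {
    printf '%s\n' "$1" | grep -E -q '^[[:space:]]*auth_param[[:space:]]+digest([[:space:]]|$)'
}

# SQUID-2019:12 (ESI) classification for the `squid -v` text in $1.
esi_status() {
    ver=$(squid_version "$1"); key=$(version_key "$ver"); maj=${ver%%.*}
    if has_option "$1" '--disable-esi'; then echo "not vulnerable"; return; fi
    case "$maj" in
        2) echo "not vulnerable" ;;
        3) # 3.0 is safe unless built with --enable-esi. Assumption of this example: any
           # later 3.x build not explicitly disabled counts as vulnerable, since the advisory
           # lists all of 3.x -> 3.5.28 as affected and names no fixed 3.x release.
           if [ "$key" -lt 30100 ] && ! has_option "$1" '--enable-esi'; then echo "not vulnerable"
           else echo "vulnerable"; fi ;;
        4) if [ "$key" -le 41000 ]; then echo "vulnerable"; else echo "fixed"; fi ;;
        5) if [ "$key" -ge 50002 ]; then echo "fixed"
           elif [ "$key" -eq 50001 ]; then echo "vulnerable (CVE-2019-12521 only)"
           else echo "vulnerable"; fi ;;
        *) echo "unknown" ;;
    esac
}

# SQUID-2020:4 (Digest auth) classification for `squid -v` text $1 and squid.conf text $2.
digest_status() {
    ver=$(squid_version "$1"); key=$(version_key "$ver"); maj=${ver%%.*}
    case "$maj" in
        2) if [ "$key" -lt 20500 ]; then echo "not vulnerable"; return; fi ;;
        3|4|5)
            if has_option "$1" '--disable-auth' || has_option "$1" '--disable-auth-digest'; then
                echo "not vulnerable"; return
            fi
            if [ "$maj" -eq 4 ] && [ "$key" -ge 41100 ]; then echo "fixed"; return; fi
            if [ "$maj" -eq 5 ] && [ "$key" -ge 50002 ]; then echo "fixed"; return; fi ;;
        *) echo "unknown"; return ;;
    esac
    # Affected release: exposure depends on whether Digest auth is configured at all.
    if digest_configured "$2"; then echo "vulnerable"; else echo "not vulnerable"; fi
}

# Stand-alone run: one line per sample build, checked against the digest-enabled config.
for v in "$SAMPLE_V_410" "$SAMPLE_V_411" "$SAMPLE_V_501"; do
    printf '%-6s ESI: %-34s Digest: %s\n' "$(squid_version "$v")" \
        "$(esi_status "$v")" "$(digest_status "$v" "$SAMPLE_CONF_DIGEST")"
done
```

 On a real host, feed it `"$(squid -v)"` and `"$(cat /etc/squid/squid.conf)"`
 in place of the sample strings. Note that the digest check only looks at
 uncommented lines and that a "fixed" result still assumes the packaged
 binary really carries the 4.11 / 5.0.2 code; for distribution packages
 that backport patches under an older version string, the vendor's own
 advisory is authoritative, as the "Updated Packages" sections say.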

__________________________________________________________________

Contact details for the Squid project:

 For installation / upgrade support on binary packaged versions
 of Squid: Your first point of contact should be your binary
 package vendor.

 If you install and build Squid from the original Squid sources
 then the squid-users@lists.squid-cache.org mailing list is your
 primary support point. For subscription details see
 <http://www.squid-cache.org/Support/mailing-lists.html>.

 For reporting of non-security bugs in the latest STABLE release
 the squid bugzilla database should be used
 <http://bugs.squid-cache.org/>.

 For reporting of security sensitive bugs send an email to the
 squid-bugs@lists.squid-cache.org mailing list. It's a closed
 list (though anyone can post) and security related bug reports
 are treated in confidence until the impact has been established.

__________________________________________________________________

Credits:

 This vulnerability was discovered by Clément Berthaux and
 Florian Guilbert of Synacktiv.

 Fixed by Maxime Desbrus of Synacktiv.

__________________________________________________________________

Revision history:

 2019-11-20 13:39:07 UTC Initial Report
 2020-04-02 11:16:45 UTC Patches Released
 2020-04-20 20:08:14 UTC CVE Assignment
 2020-04-23 08:00:00 UTC Advisory Released
__________________________________________________________________
END

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----