FreshPorts - VuXML

Squid security advisory 2016:3 reports:

Due to a buffer overrun Squid pinger binary is vulnerable to denial of service or information leak attack when processing ICMPv6 packets.

This bug also permits the server response to manipulate other ICMP and ICMPv6 queries processing to cause information leak.

This bug allows any remote server to perform a denial of service attack on the Squid service by crashing the pinger. This may affect Squid HTTP routing decisions. In some configurations, sub-optimal routing decisions may result in serious service degradation or even transaction failures.

If the system does not contain buffer-overrun protection leading to that crash this bug will instead allow attackers to leak arbitrary amounts of information from the heap into Squid log files. This is of higher importance than usual because the pinger process operates with root priviliges.

Squid security advisory 2016:4 reports:

Due to incorrect bounds checking Squid is vulnerable to a denial of service attack when processing HTTP responses.

This problem allows a malicious client script and remote server delivering certain unusual HTTP response syntax to trigger a denial of service for all clients accessing the Squid service.

< 3.5.16

The Squid developers reports:

Improper Input Validation issues in HTTP Request processing (CVE-2020-8449, CVE-2020-8450).

Information Disclosure issue in FTP Gateway (CVE-2019-12528).

Buffer Overflow issue in ext_lm_group_acl helper (CVE-2020-8517).

< 4.10

Squid Team reports:

Problem Description: Due to incorrect data management Squid is vulnerable to a information disclosure when processing HTTP Digest Authentication.

Severity: Nonce tokens contain the raw byte value of a pointer which sits within heap memory allocation. This information reduces ASLR protections and may aid attackers isolating memory areas to target for remote code execution attacks.

< 4.9

Louis Dion-Marcil reports:

Due to incorrect pointer handling Squid is vulnerable to denial of service attack when processing ESI responses.

This problem allows a remote server delivering certain ESI response syntax to trigger a denial of service for all clients accessing the Squid service.

Due to unrelated changes Squid-3.5 has become vulnerable to some regular ESI server responses also triggering this issue.

This problem is limited to the Squid custom ESI parser. Squid built to use libxml2 or libexpat XML parsers do not have this problem.

Due to incorrect pointer handling Squid is vulnerable to denial of service attack when processing ESI responses or downloading intermediate CA certificates.

This problem allows a remote client delivering certain HTTP requests in conjunction with certain trusted server responses to trigger a denial of service for all clients accessing the Squid service.

< 3.5.27_3

< 4.0.23

Squid security advisory 2016:5 reports:

Due to incorrect buffer management Squid cachemgr.cgi tool is vulnerable to a buffer overflow when processing remotely supplied inputs relayed to it from Squid.

This problem allows any client to seed the Squid manager reports with data that will cause a buffer overflow when processed by the cachemgr.cgi tool. However, this does require manual administrator actions to take place. Which greatly reduces the impact and possible uses.

Squid security advisory 2016:6 reports:

Due to buffer overflow issues Squid is vulnerable to a denial of service attack when processing ESI responses. Due to incorrect input validation Squid is vulnerable to public information disclosure of the server stack layout when processing ESI responses. Due to incorrect input validation and buffer overflow Squid is vulnerable to remote code execution when processing ESI responses.

These problems allow ESI components to be used to perform a denial of service attack on the Squid service and all other services on the same machine. Under certain build conditions these problems allow remote clients to view large sections of the server memory. However, the bugs are exploitable only if you have built and configured the ESI features to be used by a reverse-proxy and if the ESI components being processed by Squid can be controlled by an attacker.

< 3.5.17

Squid security advisory 2016:2 reports:

Due to incorrect bounds checking Squid is vulnerable to a denial of service attack when processing HTTP responses.

These problems allow remote servers delivering certain unusual HTTP response syntax to trigger a denial of service for all clients accessing the Squid service.

HTTP responses containing malformed headers that trigger this issue are becoming common. We are not certain at this time if that is a sign of malware or just broken server scripting.

< 3.5.15

Squid security advisory 2015:2 reports:

Squid configured with cache_peer and operating on explicit proxy traffic does not correctly handle CONNECT method peer responses.

The bug is important because it allows remote clients to bypass security in an explicit gateway proxy.

However, the bug is exploitable only if you have configured cache_peer to receive CONNECT requests.

< 3.5.6

The squid-cache project reports:

Due to incorrect buffer management Squid can be caused by an attacker to write outside its allocated SNMP buffer.

< 3.4.8

gt 0

< 3.3.13_2

Squid developers report:

Due to missing input validation Squid cachemgr.cgi tool is vulnerable to a denial of service attack when processing specially crafted requests.

This problem allows any client able to reach the cachemgr.cgi to perform a denial of service attack on the service host.

The nature of the attack may cause secondary effects through resource consumption on the host server.

< 2.7.9_4

ge 3.1 lt 3.1.23

ge 3.2 lt 3.2.6

ge 3.3 lt 3.3.0.3

Squid secuirty advisory reports:

Due to incorrect bounds checking Squid is vulnerable to a denial of service check during some cache update reply processing.

This problem allows any client trusted to use the service to perform a denial of service attack on the Squid service.

ge 2.0 lt 2.6.16_1

ge 3.* lt 3.0.r1.20071001_1

A Secunia Advisory reports:

M.A.Young has reported a vulnerability in Squid, which can be exploited by malicious people to cause a DoS (Denial of Service).

The vulnerability is caused due to an error in handling certain FTP server responses. This can be exploited to crash Squid by visiting a malicious FTP server via the proxy.

< 2.5.11_3

The squid patches page notes:

After certain slightly odd requests Squid crashes with a segmentation fault in sslConnectTimeout.

< 2.5.10_5

The squid patches page notes:

Squid crashes with the above assertion failure [assertion failed: store.c:523: "e->store_status == STORE_PENDING"] in certain conditions involving aborted requests.

< 2.5.10_5

The Squid team reported several denial-of-service vulnerabilities related to the handling of DNS responses and NT Lan Manager messages. These may allow an attacker to crash the Squid cache.

< 2.5.9

The squid patches page notes:

An inconsistent state is entered on a failed PUT/POST request making a high risk for segmentation faults or other strange errors

le 2.5.7_12

The squid patches page notes:

This patch addresses a HTTP protocol mismatch related to oversized reply headers. In addition it enhances the cache.log reporting on reply header parsing failures to make it easier to track down which sites are malfunctioning.

It is believed that this bug may lead to cache pollution or allow access controls to be bypassed.

< 2.5.7_12

According to the Squid Proxy Cache Security Update Advisory SQUID-2005:3,

The WCCP recvfrom() call accepts more data than will fit in the allocated buffer. An attacker may send a larger-than-normal WCCP message to Squid and overflow this buffer.

Severity:

The bug is important because it allows remote attackers to crash Squid, causing a disription in service. However, the bug is exploitable only if you have configured Squid to send WCCP messages to, and expect WCCP replies from, a router.

Sites that do not use WCCP are not vulnerable.

Note that while the default configuration of the FreeBSD squid port enables WCCP support in general, the default configuration supplied does not actually configure squid to send and receive WCCP messages.

< 2.5.7_10

The squid patches page notes:

This patch makes Squid considerably stricter while parsing the HTTP protocol.

1. A Content-length header should only appear once in a valid request or response. Multiple Content-length headers, in conjunction with specially crafted requests, may allow Squid's cache to be poisoned with bad content in certain situations.
2. CR characters is only allowed as part of the CR NL line terminator, not alone. This to ensure that all involved agrees on the structure of HTTP headers.
3. Rejects requests/responses that have whitespace in an HTTP header name.

To enable these strict parsing rules, update to at least squid-2.5.7_9 and specify relaxed_header_parser off in squid.conf.

< 2.5.7_9

According to a whitepaper published by Sanctum, Inc., it is possible to mount cache poisoning attacks against, among others, squid proxies by inserting false replies into the HTTP stream.

The squid patches page notes:

This patch additionally strengthens Squid from the HTTP response attack described by Sanctum.

< 2.5.7_8

The LDAP authentication helper did not strip leading or trailing spaces from the login name. According to the squid patches page:

LDAP is very forgiving about spaces in search filters and this could be abused to log in using several variants of the login name, possibly bypassing explicit access controls or confusing accounting.

Workaround: Block logins with spaces

	    acl login_with_spaces proxy_auth_regex [:space:]
		    http_access deny login_with_spaces
	    

< 2.5.7_7

The squid patches page notes:

WCCP_I_SEE_YOU messages contain a 'number of caches' field which should be between 1 and 32. Values outside that range may crash Squid if WCCP is enabled, and if an attacker can spoof UDP packets with the WCCP router's IP address.

< 2.5.7_6

The squid patches page notes:

A malicious gopher server may return a response with very long lines that cause a buffer overflow in Squid.

Workaround: Since gopher is very obscure these days, do not allow Squid to any gopher servers. Use an ACL rule like:

acl Gopher proto gopher
http_access deny Gopher

< 2.5.7_6

The squid patches page notes:

This patch adds access controls to the cachemgr.cgi script, preventing it from being abused to reach other servers than allowed in a local configuration file.

< 2.5.10

The squid patches page notes:

Malicious users may spoof DNS lookups if the DNS client UDP port (random, assigned by OS as startup) is unfiltered and your network is not protected from IP spoofing.

< 2.5.10

The squid patches page notes:

Squid may crash with the above error [FATAL: Incorrect scheme in auth header] when given certain request sentences.

Workaround: disable NTLM authentication.

< 2.5.10_6

Applying an empty ACL list results in unexpected behavior: anything will match an empty ACL list. For example,

The meaning of the configuration gets very confusing when we encounter empty ACLs such as

acl something src "/path/to/empty_file.txt"

http_access allow something somewhere

gets parsed (with warnings) as

http_access allow somewhere

And similarily if you are using proxy_auth acls without having any auth schemes defined.

< 2.5.7_5

The squid-2.5 patches pages notes:

In certain conditions Squid returns random data as error messages in response to malformed host name, possibly leaking random internal information which may come from other requests.

< 2.5.7_4

A remote attacker is able to cause a denial-of-service situation, when NTLM authentication is enabled in squid. NTLM authentication uses two functions which lack correct offset checking.

< 2.5.7

The Squid-2.5 patches page notes:

If a certain malformed SNMP request is received squid restarts with a Segmentation Fault error.

This only affects squid installations where SNMP is explicitly enabled via "make config". As a workaround, SNMP can be disabled by defining "snmp_port 0" in squid.conf.

Squid security advisory SQUID-2008:1 explains that Squid-3 versions up to and including Squid-3.0.STABLE6 are affected by this error, too.

< 2.5.7

ge 3.0.0 lt 3.0.7

Remote exploitation of a buffer overflow vulnerability in the NTLM authentication helper routine of the Squid Web Proxy Cache could allow a remote attacker to execute arbitrary code. A remote attacker can compromise a target system if the Squid Proxy is configured to use the NTLM authentication helper. The attacker can send an overly long password to overflow the buffer and execute arbitrary code.

< 2.5.5_9

From the Squid advisory:

Squid versions 2.5.STABLE4 and earlier contain a bug in the "%xx" URL decoding function. It may insert a NUL character into decoded URLs, which may allow users to bypass url_regex ACLs.

< 2.5.5

Mikhail Evdokimov (aka konata) reports:

Due to inconsistent handling of internal URIs Squid is vulnerable to Exposure of Sensitive Information about clients using the proxy. This problem allows a trusted client to directly access cache manager information bypassing the manager ACL protection. The available cache manager information contains records of internal network structure, client credentials, client identity and client traffic behaviour.

< 5.7

The squid-cache project reports:

• Denial of Service in FTP
• Request/Response smuggling in HTTP/1.1 and ICAP
• Denial of Service in HTTP Digest Authentication

< 6.4