Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2021.3309
SQUID-2020:7 and SQUID-2021:6 security update
6 October 2021
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: squid
Publisher: Squid
Operating System: Windows
UNIX variants (UNIX, Linux, OSX)
Impact/Access: Denial of Service -- Remote/Unauthenticated
Access Confidential Data -- Remote/Unauthenticated
Reduced Security -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2021-41611 CVE-2021-28116
Reference: ESB-2021.3294
Original Bulletin:
https://github.com/squid-cache/squid/security/advisories/GHSA-rgf3-9v3p-qp82
https://github.com/squid-cache/squid/security/advisories/GHSA-47m4-g3mv-9q5r
Comment: This bulletin contains two (2) Squid security advisories.
- --------------------------BEGIN INCLUDED TEXT--------------------
__________________________________________________________________
Squid Proxy Cache Security Update Advisory SQUID-2020:12
__________________________________________________________________
Advisory ID: | SQUID-2020:12
Date: | Oct 03, 2021
Summary: | Out-Of-Bounds memory access in WCCPv2
Affected versions: | Squid 2.6 -> 2.7.STABLE9
| Squid 3.x -> 3.5.28
| Squid 4.x -> 4.16
| Squid 5.x -> 5.1
Fixed in version: | Squid 4.17 and 5.2
__________________________________________________________________
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28116>
<https://www.zerodayinitiative.com/advisories/ZDI-CAN-11610>
__________________________________________________________________
Problem Description:
Due to an out of bounds memory access Squid is vulnerable to an
information leak vulnerability when processing WCCPv2 messages.
__________________________________________________________________
Severity:
This problem allows a WCCPv2 sender to corrupt Squids list of
known WCCP routers and divert client traffic to attacker
controlled routers.
This attack is limited to Squid proxy with WCCPv2 enabled and
IP spoofing of a router IP address configured as trusted in
squid.conf.
CVSS Score of 7.7
<https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=
AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N/E:X/RL:O/RC:C/CR:H/IR:H/
AR:X/MAV:N/MAC:H/MPR:N/MUI:X/MS:U/MC:H/MI:H/MA:X&version=3.1>
__________________________________________________________________
Updated Packages:
This bug is fixed by Squid versions 4.17 and 5.2.
In addition, patches addressing this problem for the stable
releases can be found in our patch archives:
Squid 4:
<http://www.squid-cache.org/Versions/v4/changesets/SQUID-2020_12.patch>
Squid 5:
<http://www.squid-cache.org/Versions/v5/changesets/squid-5-7a73a54cefff6bb83c03de219a73276e42d183d0.patch>
If you are using a prepackaged version of Squid then please
refer to the package vendor for availability information on
updated packages.
__________________________________________________________________
Determining if your version is vulnerable:
All Squid built with --disable-wccpv2 are not vulnerable.
All Squid-3.x up to and including 3.5.28 built with
--enable-wccpv2 and configured with wccp2_router in squid.conf
are vulnerable.
All Squid-3.x up to and including 3.5.28 built without
--disable-wccpv2 and configured with wccp2_router in squid.conf
are vulnerable.
All Squid-4.x up to and including 4.16 built with
--enable-wccpv2 and configured with wccp2_router in squid.conf
are vulnerable.
All Squid-4.x up to and including 4.16 built without
--disable-wccpv2 and configured with wccp2_router in squid.conf
are vulnerable.
All Squid-5.x up to and including 5.1 built with
--enable-wccpv2 and configured with wccp2_router in squid.conf
are vulnerable.
All Squid-5.x up to and including 5.1 built without
--disable-wccpv2 and configured with wccp2_router in squid.conf
are vulnerable.
__________________________________________________________________
Workaround:
Either,
The following network security Best Practices will greatly
restrict the ability of any attacker utilizing this
vulnerability. They can be considered workarounds for this
issue:
* Use Private IP address for control communications (eg WCCPv2)
with routers.
* Firewall restriction of UDP traffic on port 2048 and any
other UDP ports used for WCCP(v2) control messages to only
permit known devices to communicate with WCCP(v2).
Note that ports used by clients and diverted by WCCP (eg 80
or 443) are not relevant.
* Ensure the network implements BCP 38 spoofing protection.
Include protection against LAN traffic spoofing as much as
possible.
See also <http://www.bcp38.info> and
<https://tools.ietf.org/html/bcp38>.
Or,
Build Squid with --disable-wccpv2
Or,
Remove all lines for wccp2_* directives from squid.conf.
The default configuration is not to enable WCCPv2.
__________________________________________________________________
Contact details for the Squid project:
For installation / upgrade support on binary packaged versions
of Squid: Your first point of contact should be your binary
package vendor.
If you install and build Squid from the original Squid sources
then the <squid-users@lists.squid-cache.org> mailing list is
your primary support point. For subscription details see
<http://www.squid-cache.org/Support/mailing-lists.html>.
For reporting of non-security bugs in the latest STABLE release
the squid bugzilla database should be used
<http://bugs.squid-cache.org/>.
For reporting of security sensitive bugs send an email to the
<squid-bugs@lists.squid-cache.org> mailing list. It's a closed
list (though anyone can post) and security related bug reports
are treated in confidence until the impact has been established.
__________________________________________________________________
Credits:
This vulnerability was discovered by Lyu working with Trend
Micro Zero Day Initiative.
Fixed by Amos Jeffries of Treehouse Networks Ltd.
__________________________________________________________________
Revision history:
2020-08-17 10:43:36 UTC Initial Report
2021-02-09 00:00:00 UTC Advisory Release by ZDI
2021-10-03 00:00:00 UTC Packages Released
__________________________________________________________________
- --------------------------------------------------------------------------------
__________________________________________________________________
Squid Proxy Cache Security Update Advisory SQUID-2021:1
__________________________________________________________________
Advisory ID: | SQUID-2021:6
Date: | October 3, 2021
Summary: | Improper Certificate Validation in TLS
Affected versions: | Squid 5.0.6 -> 5.1
Fixed in version: | Squid 5.2
__________________________________________________________________
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41611>
__________________________________________________________________
Problem Description:
When validating an origin server or peer certificate, Squid may
incorrectly classify certain certificates as trusted.
__________________________________________________________________
Severity:
This problem allows a remote server to obtain security trust
when the trust is not valid. This indication of trust may be
passed along to clients allowing access to unsafe or hijacked
services.
This problem is guaranteed to occur when multiple CA have
signed the TLS server certificate. It may also occur in cases
of broken server certificate chains.
CVSS Score of 8.4
<https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N/E:H/RL:O/RC:C/CR:H/IR:H/
AR:X/MAV:X/MAC:X/MPR:X/MUI:R/MS:X/MC:H/MI:H/MA:X&version=3.1>
__________________________________________________________________
Updated Packages:
This bug is fixed by Squid version 5.2.
In addition, patches addressing this problem for the stable
releases can be found in our patch archives:
Squid 5:
<http://www.squid-cache.org/Versions/v5/changesets/squid-5-533b4359f16cf9ed15a6d709a57a4b06e4222cfe.patch>
If you are using a prepackaged version of Squid then please
refer to the package vendor for availability information on
updated packages.
__________________________________________________________________
Determining if your version is vulnerable:
All Squid-4 and older are not vulnerable.
All Squid-5.0.1 up to and including 5.0.5 are not vulnerable.
All Squid-5.0.6 up to and including 5.1 are vulnerable.
__________________________________________________________________
Workaround:
The only workaround is complete denial to TLS and HTTPS servers
publishing affected certificate chains. The set of affected
servers varies over time and is left out of this document.
acl vulnerableDomains dstdomain .example.net
http_access deny vulnerableDomains
__________________________________________________________________
Contact details for the Squid project:
For installation / upgrade support on binary packaged versions
of Squid: Your first point of contact should be your binary
package vendor.
If you install and build Squid from the original Squid sources
then the <squid-users@lists.squid-cache.org> mailing list is
your primary support point. For subscription details see
<http://www.squid-cache.org/Support/mailing-lists.html>.
For reporting of non-security bugs in the latest STABLE release
the squid bugzilla database should be used
<https://bugs.squid-cache.org/>.
For reporting of security sensitive bugs send an email to the
<squid-bugs@lists.squid-cache.org> mailing list. It's a closed
list (though anyone can post) and security related bug reports
are treated in confidence until the impact has been established.
__________________________________________________________________
Credits:
This vulnerability was discovered by Jean-Paul Larocque of
RodeoTV, LLC.
Fixed by The Measurement Factory.
__________________________________________________________________
Revision history:
2021-09-07 02:54:48 UTC Initial Report
2021-09-24 20:10:37 UTC Patches Released
2021-10-03 00:00:00 UTC Packages Released
__________________________________________________________________
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBYV0Wp+NLKJtyKPYoAQjp3A/9EhjHguVtpeUY7+VwSxAyC8hCzCkubOS9
bxTCyJ2ZLgW0YD7KpLhVCUPy7tOs+YlRaJ1U87bRFkxoU8MVLS3WXdvRIx3I2RVM
t9dUtI+/u61VoCShFD+ejkkC/VKc9NYefCQ5ouJU2ftuTDIIC/w6Ih7nYJIZEU/h
rpFbAe9x3E2RFNvIlZL4iMAzpkorb6X3pisQ5ADSr/lSZvy2vjnsg5sg/gHHeaji
bXvVKcUSS9mGmEmt+LHVYeoW4xYYefr6hruA9NMMR2kqFKdePdCNtf//I/a3TXk7
moiL0RUn4xr12P7ghOP1VWr0XDloecuQrciV+j3rCwjY6UKowhun9Aos/vlcuDHt
nYMkX25NAMkjLHziotn2beNxI6lK8m81hHhwRyfxFoKV7PlkGtz96fLoaeC7HNp6
y2AyvUioxZYsrh0BptqMeM6VQCDhHQPHKkRAEEt11rL9CMABX+K+WV76bpv5gBvW
BU270WkuXDN7sgjmIC6wKLOot7rLVbCIDbkZlL487/IETMSmlyaOjw3H/rFLeGMu
cV1Yi0nu32E6TOROKV0zP5p1xgoxoZRvxfc3cJnOXS8QKeD6ThK8tLsTM3Uu5PdC
jmYw9pTlcJyMFnwoTNs8dlF4ho6s6QA+6OjpdoXwJzflFwIfGgm/aRU9PuRt33f7
QT+x31mJY/U=
=nKig
-----END PGP SIGNATURE-----