Squid vulnerabilities

Updated 4/15/02
CVE 1999-0710
CAN 1999-1273
CVE 1999-1481
CVE 2001-0843
CVE 2001-1030
CVE 2002-0163
CVE 2002-0067
CVE 2002-0068
CVE 2002-0069

Impact

A remote attacker could cause a denial of service or execute arbitrary commands.

Background

Squid is an open-source, full-featured Web Proxy for Unix. It performs proxying and caching of HTTP, FTP, and other services.

The Problems


Heap overflow in compressed DNS message handling

4/15/02
CVE 2002-0163
A heap overflow in the processing of compressed DNS answer messages could cause the Squid process to stop with a segmentation fault. This could allow a remote attacker who controls a DNS server to crash the Squid proxy. Squid 2.4.STABLE4 and earlier, and pre-release versions of Squid 2.5 and 2.6 downloaded prior to March 12, 2002, are affected by this vulnerability.


FTP proxy buffer overflow

2/25/02
CVE 2002-0068
When processing FTP proxy requests, Squid allocates a buffer based upon the size of the original request, but copies into that buffer a string which may contain URL-encoded characters, which could overflow the buffer. This condition, if exploited a number of times, could lead to a denial of service. It could also be possible for a remote attacker to execute arbitrary commands. Versions of Squid prior to 2.4.STABLE4 are affected by this vulnerability.


Access Control List bypass vulnerabilities

4/15/02
CAN 1999-1273
CVE 2001-1030
Multiple vulnerabilities could allow a remote attacker to bypass the access control lists on a Squid proxy, thus permitting port scanning and possibly remote access from unauthorized hosts. Squid versions prior to 2.4.STABLE3 may be affected by one or more of these vulnerabilities.


Newline Authentication Flaw

2/25/02
CVE 1999-1481
When authenticating to the Squid proxy service, a client sends a base-64 encoded user name and password pair. When the server decodes the pair, it does not remove newline and carriage return characters. Pairs containing newline and carriage return characters are interpreted as two pairs instead of one, thereby using one pair for authentication of the current client, and queueing the second pair for the next client. If the service is actively used by users with valid user name and password pairs, an attacker could exploit this situation and gain access to the service due to a prior user's user name and password being at the front of the queue.

Squid 2.2.STABLE5 and earlier are affected by this vulnerability.
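
The check that the flawed decoder lacked can be sketched as follows. This is an added example, not Squid's code: the function names and the sample credentials are constructed for illustration. It decodes a Basic proxy credential and rejects any value whose decoded form contains a carriage return, newline or other control character, so one header can never yield two pairs.

```python
import base64
import binascii


class CredentialError(ValueError):
    """A Proxy-Authorization value that must be rejected."""


def parse_basic_credentials(header_value):
    """Return (user, password) from 'Basic <base64>' or raise CredentialError."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        raise CredentialError("not a Basic credential")
    try:
        decoded = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError) as exc:
        raise CredentialError("invalid base64") from exc
    # Reject CR, LF and every other control byte so that one decoded value
    # can never be read as two "user:password" lines.
    if any(b < 0x20 or b == 0x7F for b in decoded):
        raise CredentialError("control character in decoded credentials")
    try:
        text = decoded.decode("utf-8")
    except UnicodeDecodeError as exc:
        raise CredentialError("credentials are not valid UTF-8") from exc
    user, sep, password = text.partition(":")
    if not sep or not user:
        raise CredentialError("missing user name or ':' separator")
    return user, password


def is_accepted(header_value):
    """True if the header value parses to exactly one credential pair."""
    try:
        parse_basic_credentials(header_value)
        return True
    except CredentialError:
        return False


# Constructed sample values (not captured traffic).
SAMPLE_OK = "Basic " + base64.b64encode(b"alice:s3cret").decode("ascii")
SAMPLE_CRLF = "Basic " + base64.b64encode(b"alice:s3cret\r\nbob:hunter2").decode("ascii")

if __name__ == "__main__":
    for name, value in (("single pair", SAMPLE_OK), ("embedded CRLF", SAMPLE_CRLF)):
        print(name, "->", "accepted" if is_accepted(value) else "rejected")
```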


FTP PUT denial of service

2/25/02
CVE 2001-0843
A request to the Squid proxy server that uses the PUT request method for an FTP address could cause the proxy service to crash if the request only creates a directory (mkdir). Versions of Squid prior to 2.4.STABLE3 are affected by this vulnerability.


Other miscellaneous vulnerabilities

2/25/02
CVE 1999-0710
CVE 2002-0067
CVE 2002-0069
Other miscellaneous vulnerabilities in outdated versions of Squid in certain configurations could allow a remote attacker to consume system resources or conduct unauthorized port scanning.

Resolution

Upgrade to version 2.4.STABLE6 or higher. Updates are available from the Squid web site.

Where can I read more about this?

For more information on the heap overflow in compressed DNS message handling, see Squid Advisory 2002:2.

For more information on the FTP proxy buffer overflow, see Squid Advisory 2002:1 and Bugtraq.

For more information on the access control list bypass vulnerabilities, see Squid Advisory 2002:1, Bugtraq, and Bugtraq again.

For more information on the proxy authentication flaw, see the X-Force Bulletin and Bugtraq.

For more information on the FTP PUT denial of service, see SuSE Security Announcement 2001-037, Red Hat Security Advisory 2001:113, and Bugtraq.

For more information on other Squid vulnerabilities, see Squid Advisory 2002:1, X-Force, Red Hat Security Advisory 1999:025, and Bugtraq.