[UNIX] Squid Web Proxy Cache Remote DoS
From: SecuriTeam (support_at_securiteam.com)
Date: 10/13/04
- Previous message: SecuriTeam: "[NT] Vulnerability in RPC Runtime Library Allows Information Disclosure and DoS (MS04-029)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: list@securiteam.com Date: 13 Oct 2004 15:23:17 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Squid Web Proxy Cache Remote DoS
------------------------------------------------------------------------
SUMMARY
<http://www.squid-cache.org/> Squid Web Proxy Cache is a full-featured
web proxy cache designed to run on Unix systems. It supports proxying
HTTP, FTP, SSL, DNS, and has support for SNMP.
Remote exploitation of a design error in the SNMP module of Squid Web
Proxy Cache may lead to a denial of service.
DETAILS
Vulnerable Systems:
* Squid Web Proxy Cache version 2.5-STABLE5
* Squid Web Proxy Cache version 3.0-PRE3-20040702
Immune Systems:
* Squid-2.5.STABLE7 and newer
CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0918>
CAN-2004-0918
The problem exists due to an ASN1 parsing error where certain header
length combinations can slip through the validations performed by the ASN1
parser, eventually causing the server to restart and close all current
connections. The server takes several seconds to restart.
The offending code is in the asn_parse_header() routine of snmplib/asn1.c,
which under some cases will allow negative length fields to pass
validation. This leads to a failed xmalloc(), and the server then assumes
there is heap corruption or some other exceptional condition, and
restarts.
An attacker can exploit the above-described vulnerability to crash a Squid
server. If the attack is repeated, it can render the server useless. Only
a single UDP packet is required to trigger this vulnerability, so the
source address can be spoofed.
To find if a Squid binary is compiled with SNMP support one can run:
grep snmp_port /usr/local/squid/sbin/squid
Workaround
* Disable SNMP support or filter the port that has SNMP processing
activated (3401 by default) to allow only SNMP data from trusted hosts.
* To disable SNMP support on a squid binary that has SNMP support
compiled in, use the entry snmp_port 0 in the squid.conf configuration
file.
* To allow only the local interface to process SNMP, use the entry
"snmp_incoming_address 127.0.0.1" in the squid.conf configuration file.
Vendor Status:
The vendor has supplied a patch for Squid which fix the problem.
Patch relative to Squid-2.5.STABLE6 can be obtained from
<http://www.squid-cache.org/Versions/v2/2.5/bugs/squid-2.5.STABLE6-SNMP_core_dump.patch> http://www.squid-cache.org/Versions/v2/2.5/bugs/squid-2.5.STABLE6-SNMP_core_dump.patch
Otherwise, the newer STABLE7 release is immune to this problem and users
are highly advised to switch to the newer version.
Disclosure Timeline:
09/15/2004 Initial vendor notification
09/15/2004 iDEFENSE clients notified
09/15/2004 Initial vendor response
10/05/2004 Coordinated public disclosure
ADDITIONAL INFORMATION
The information has been provided by
<mailto:idlabs-advisories@idefense.com> iDEFENSE Security Labs.
The original article can be found at:
<http://www.idefense.com/application/poi/display?id=152&type=vulnerabilities> http://www.idefense.com/application/poi/display?id=152&type=vulnerabilities
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Previous message: SecuriTeam: "[NT] Vulnerability in RPC Runtime Library Allows Information Disclosure and DoS (MS04-029)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
- [TOOL] Snmpfuzz - SNMPv1 Fuzzer
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... problem when using it is difficulty
in determining which particular SNMP ... Also, you can not send a single testcase packet,
only the whole ... happened is to run a debugger on the SNMP service problem. ...
(Securiteam) - [NEWS] HP LaserJet Information Disclosure
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... HP LaserJet printers has
an extensive administrative user interface ... provided over SNMP. ... (Securiteam) - [UNIX] Squid Web Proxy Cache NTLM Authentication Helper Buffer Overflow Vulnerability
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... exploitation of a buffer overflow
vulnerability in Squid Web Proxy Cache ... Squid Web Proxy Cache supports Basic, Digest
and NTLM authentication. ... (Securiteam) - [NEWS] BT Voyager 2000 Wireless ADSL Router Password Disclosure
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... Provided the attacker can associate
to the router, he/she can grab SNMP ... change the SNMP strings. ...
(Securiteam)
