Squid HTTP Proxy Security Update Advisory 2002:1

From: Henrik Nordstrom (hno@squid-cache.org)
Date: 02/21/02


From: Henrik Nordstrom <hno@squid-cache.org>
To: bugtraq@securityfocus.com
Date: Thu, 21 Feb 2002 11:34:55 +0100


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

__________________________________________________________________

      Squid Proxy Cache Security Update Advisory SQUID-2002:1
__________________________________________________________________

Advisory ID: SQUID-2002:1
Date: February 21, 2002
Affected versions: Squid-2.x up to and including 2.4.STABLE3
__________________________________________________________________

       http://www.squid-cache.org/Advisories/SQUID-2002_1.txt
__________________________________________________________________

Problem Description:

 Three security issues have recently been found in the Squid-2.X
 releases up to and including 2.4.STABLE3.

 a) A memory leak in the optional SNMP interface to Squid, which
 allows a malicious user who can send packets to the Squid SNMP
 port to perform a denial of service attack on the Squid proxy
 service if the SNMP interface has been enabled (it is disabled by
 default).

 b) A buffer overflow in the implementation of ftp:// URLs, where
 users who are allowed to proxy ftp:// URLs via Squid can perform
 a denial of service on the proxy service, and possibly even
 trigger remote execution of code (not yet confirmed).

 c) The optional HTCP interface cannot be properly disabled from
 squid.conf, even though the documentation claims it can. The HTCP
 interface to Squid is not enabled by default, but it can be enabled
 at compile time using the --enable-htcp configure option, and some
 vendors distribute Squid binaries with HTCP enabled.

__________________________________________________________________

Updated Packages:

 The Squid-2.4.STABLE4 release contains fixes for all of these
 problems. The Squid-2.4.STABLE4 release can be downloaded from

   ftp://ftp.squid-cache.org/pub/squid-2/STABLE/
   http://www.squid-cache.org/Versions/v2/2.4/

 or the mirrors (may take a while before all mirrors are updated).
 For a list of mirror sites see

   http://www.squid-cache.org/Mirrors/ftp-mirrors.html
   http://www.squid-cache.org/Mirrors/http-mirrors.html
   
 Individual patches for the issues mentioned above can be found in
 our patch archive for version Squid-2.4.STABLE3

   http://www.squid-cache.org/Versions/v2/2.4/bugs/

 The patches should also apply with only a minimal effort to
 earlier Squid versions if required.

__________________________________________________________________

Determining if you are vulnerable:

 You are vulnerable to the SNMP issue if you are running any 2.x
 version of Squid up to and including squid-2.4.STABLE3 which has
 the SNMP agent code compiled in (--enable-snmp configure option)
 and enabled in squid.conf (snmp_port option). You can check
 whether the SNMP code is enabled by looking for the following
 message in cache.log when Squid is started:

   'Accepting SNMP messages on port'

 Similarly for the HTCP issue, but looking for the message
  
   'Accepting HTCP messages on port'

 The ftp:// issue cannot be verified as easily, but if you are
 running Squid-2.3 or Squid-2.4 up to and including
 Squid-2.4.STABLE3 then you are most likely vulnerable to the
 ftp:// issue unless you have taken action.
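 The cache.log check described above, written out as an added example
 (this is not part of the advisory and not Squid project code). The
 script writes a constructed cache.log covering two Squid starts so that
 only lines after the most recent "Starting Squid Cache" entry count;
 an older run that had HTCP enabled must not produce a false positive.
 The log line formats and the path /var/log/squid/cache.log mentioned in
 the comments are assumptions, not taken from the advisory.

```shell
#!/bin/sh
# Added example (not from the advisory or the Squid project): look for the
# "Accepting SNMP/HTCP messages on port" lines quoted in the advisory, but
# only within the most recent Squid start, since cache.log accumulates
# across restarts. The sample log below is constructed for this example;
# pass the path of a real cache.log (often /var/log/squid/cache.log) as the
# first argument of squid_listener_enabled to check a live proxy.

SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
2002/02/20 09:00:01| Starting Squid Cache version 2.4.STABLE3 for i386-pc-linux-gnu...
2002/02/20 09:00:01| Accepting HTTP connections at 0.0.0.0, port 3128, FD 10.
2002/02/20 09:00:01| Accepting HTCP messages on port 4827, FD 11.
2002/02/20 09:00:01| Ready to serve requests.
2002/02/21 11:34:55| Starting Squid Cache version 2.4.STABLE3 for i386-pc-linux-gnu...
2002/02/21 11:34:55| Accepting HTTP connections at 0.0.0.0, port 3128, FD 10.
2002/02/21 11:34:55| Accepting ICP messages at 0.0.0.0, port 3130, FD 11.
2002/02/21 11:34:55| Accepting SNMP messages on port 3401, FD 12.
2002/02/21 11:34:55| Ready to serve requests.
EOF

# squid_listener_enabled LOGFILE PROTO
#   PROTO is SNMP or HTCP. Prints the UDP port and returns 0 when the most
#   recent Squid start in LOGFILE logged "Accepting PROTO messages on port N";
#   prints nothing and returns 1 otherwise.
squid_listener_enabled() {
    _port=$(awk -v proto="$2" '
        /Starting Squid Cache/ { port = "" }   # new run: forget old listeners
        $0 ~ ("Accepting " proto " messages on port [0-9]+") {
            sub(/.*on port /, ""); sub(/[^0-9].*/, ""); port = $0
        }
        END { print port }' "$1")
    [ -n "$_port" ] || return 1
    printf '%s\n' "$_port"
}

for proto in SNMP HTCP; do
    if port=$(squid_listener_enabled "$SAMPLE_LOG" "$proto"); then
        echo "$proto listener is ENABLED on UDP port $port"
    else
        echo "$proto listener not active in the latest run recorded in $SAMPLE_LOG"
    fi
done
```

 Against the constructed log the SNMP check reports port 3401 while the
 HTCP check reports nothing, because the HTCP line belongs to the earlier
 start. Grepping the whole file without that restart boundary would have
 reported HTCP as active.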

__________________________________________________________________

Workarounds:

 For the SNMP issue, make sure the SNMP port cannot be reached by
 malicious users. The safest method is to disable SNMP support
 entirely in the configuration file squid.conf if SNMP has been
 compiled into your binary:

   snmp_port 0

 Or, at the very least, restrict it to listen for SNMP only on a
 trusted interface such as localhost by using the
 snmp_incoming_address directive:

   snmp_incoming_address 127.0.0.1

 The FTP issue can be worked around by denying access to
 non-anonymous FTP (ftp:// URLs that carry a login before the host)
 via Squid. Insert the following two lines at the top of your
 squid.conf, ahead of any http_access allow rule, since Squid acts
 on the first http_access line that matches a request:

   acl non-anonymous-ftp url_regex -i ^ftp://[^/@]*@
   http_access deny non-anonymous-ftp
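 To see exactly which URLs the ACL above catches, here is an added
 example (not part of the advisory and not Squid project code) that runs
 the same pattern over constructed URLs with grep. grep -Ei gives POSIX
 extended, case-insensitive matching, which is what Squid's url_regex -i
 uses, so a URL that matches here is one the deny line rejects. The URLs
 are made up for this example.

```shell
#!/bin/sh
# Added example (not from the advisory or the Squid project): exercise the
# workaround ACL pattern against constructed URLs to confirm what it denies.

NON_ANON_FTP='^ftp://[^/@]*@'

# ftp_url_denied URL -> exit 0 when the ACL matches (request denied),
# 1 when it does not (request falls through to the remaining http_access
# rules, exactly as an anonymous ftp:// or non-FTP request would).
ftp_url_denied() {
    printf '%s\n' "$1" | grep -Eiq "$NON_ANON_FTP"
}

# Constructed test URLs. The first three carry a login in the URL and must
# be denied (the third has an empty login, which still selects a
# non-anonymous FTP session). The rest are anonymous FTP or not FTP at all
# and must be left alone; note that an '@' after the first '/' is part of
# the path, not a login, and the pattern correctly ignores it.
for url in \
    'ftp://user:secret@ftp.example.com/pub/' \
    'FTP://User@Ftp.Example.COM/' \
    'ftp://@ftp.example.com/' \
    'ftp://ftp.example.com/pub/file.tar.gz' \
    'ftp://ftp.example.com/pub/readme@1.txt' \
    'http://user@www.example.com/'
do
    if ftp_url_denied "$url"; then
        printf 'deny   %s\n' "$url"
    else
        printf 'allow  %s\n' "$url"
    fi
done
```

 The -i flag matters: without it, a client sending FTP://User@host would
 bypass the ACL, because Squid matches the regular expression against the
 request URL as written.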

 The HTCP issue cannot be fully worked around by configuration
 alone, but you can restrict which IP address HTCP listens for
 messages on by using the udp_incoming_address directive. Make
 sure your binary is not compiled with support for HTCP unless you
 have a reason to use HTCP.

 We also encourage you to take advantage of the packet filtering
 features of your operating system (e.g., ipchains, iptables,
 ipfw, pf) and/or your routers/firewalls to discard Squid SNMP (UDP
 port 3401) or HTCP (UDP port 4827) queries from hosts outside
 of your organization unless they are specifically authorized to
 use these protocols.

__________________________________________________________________
END
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)

iEYEARECAAYFAjx0zVMACgkQ7oQzBsSTDmUoHQCdGfOAd7Oaw+1DXtLWX/LuhfON
mZIAnRvlr9lExDZ7Qm0GUnEBTbzT1UHg
=r/VE
-----END PGP SIGNATURE-----