SB2020042377 - Multiple vulnerabilities in Squid Proxy Cache
Published: April 23, 2020 Updated: May 11, 2020
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 3 vulnerabilities.
1) Integer overflow (CVE-ID: CVE-2020-11945)
CWE-ID: CWE-190 - Integer overflow
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to integer overflow when processing HTTP Digest Authentication tokens, if memory pooling is disabled. A remote attacker can pass a specially crafted authentication nonce and execute arbitrary code on the server through the free'd nonce credentials.
In case memory pooling is enabled, a remote attacker can replay a sniffed Digest Authentication nonce to gain access to resources that are otherwise forbidden.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
2) Out-of-bounds write (CVE-ID: CVE-2019-12519)
CWE-ID: CWE-787 - Out-of-bounds write
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a boundary error when handling the tag esi:when within ESIExpression::Evaluate. A remote attacker can pass specially crafted data to the application, trigger out-of-bounds write and execute arbitrary code on the target system.
3) Out-of-bounds write (CVE-ID: CVE-2019-12521)
CWE-ID: CWE-787 - Out-of-bounds write
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error when processing untrusted input. When Squid is parsing ESI, it keeps the ESI elements in ESIContext. ESIContext contains a buffer for holding a stack of ESIElements. When a new ESIElement is parsed, it is added via addStackElement. addStackElement has a check for the number of elements in this buffer, but it's off by 1, leading to a Heap Overflow of 1 element. The overflow is within the same structure so it can't affect adjacent memory blocks, and thus just leads to a crash while processing.
Remediation
Install update from vendor's website.
References
- http://master.squid-cache.org/Versions/v4/changesets/squid-4-eeebf0f37a72a2de08348e85ae34b02c34e9a811.patch
- http://www.openwall.com/lists/oss-security/2020/04/23/2
- http://www.squid-cache.org/Versions/v4/changesets/squid-4-eeebf0f37a72a2de08348e85ae34b02c34e9a811.patch
- https://bugzilla.suse.com/show_bug.cgi?id=1170313
- https://github.com/squid-cache/squid/commit/eeebf0f37a72a2de08348e85ae34b02c34e9a811
- https://github.com/squid-cache/squid/pull/585
- https://www.debian.org/security/2020/dsa-4682
- http://www.squid-cache.org/Advisories/SQUID-2020_4.txt
- http://www.openwall.com/lists/oss-security/2020/04/23/1
- https://gitlab.com/jeriko.one/security/-/blob/master/squid/CVEs/CVE-2019-12519.txt
- http://www.squid-cache.org/Advisories/SQUID-2019_12.txt
- https://gitlab.com/jeriko.one/security/-/blob/master/squid/CVEs/CVE-2019-12521.txt