Date: Fri, 26 Feb 2016 01:45:42 -0500 (EST)
From: cve-assign@...re.org
To: squid3@...enet.co.nz
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE request: Squid HTTP Caching Proxy multiple denial of service issues

> http://www.squid-cache.org/Advisories/SQUID-2016_2.txt

> First issue;
>  the proxy contains a String object class with 64KB content limits.
> Some code paths do not bounds check before appending to these String
> and overflow leads to an assertion which terminates all client
> transactions using the proxy, including those unrelated to the limit
> being exceeded.
> 
> A PoC has already been published for one attack vector using HTTP
> "Vary" response header. When the Vary pattern presented by a server
> expands to more than 64KB the DoS is triggered. For example:
>  Vary: Cookie,Cookie,Cookie,Cookie,...
> However, there are currently 4 known distinct vectors (types of
> remotely provided input) with varying degrees of difficulty to trigger
> the assertion.
> 
> Patch URLs that workaround 3 of those vectors (though not fully solve)
> are:
> http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-13991.patch
> http://www.squid-cache.org/Versions/v4/changesets/squid-4-14552.patch

Use CVE-2016-2569 for both squid-3.5-13991.patch and
squid-4-14552.patch. There is (currently) no CVE ID for the remaining
unsolved problem associated with this "though not fully solve"
statement.


> This patch fixes the other related variant of the basic problem.
> Though this instance is not triggerable from outside a controlled CDN
> environment:
> http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-13993.patch
> http://www.squid-cache.org/Versions/v4/changesets/squid-4-14549.patch

Use CVE-2016-2570 for both squid-3.5-13993.patch and
squid-4-14549.patch.


> Error handling for malformed HTTP responses can lead to a second
> assertion with the same effects as the first issue. It is not easily
> triggered in Squid-3 or normally in Squid-4.
> 
> However fixing the String issue makes it become easily triggerable in
> Squid-4, and we do have a history of the assertion itself being
> reported as occurring already but have been unable to identify the vector's
> code path to replicate it yet. So we believe it can be achieved
> independent of the String issues, even if we are unable so far to
> identify how.
> 
> Patch URLs for this are:
> http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-13990.patch
> http://www.squid-cache.org/Versions/v4/changesets/squid-4-14548.patch

For 'When we failed to parse a response, do not store the fake
half-baked response (via a replaceHttpReply() call)' in
squid-3.5-13990.patch and 'Do not store the fake half-baked response
(via replaceHttpReply)' in squid-4-14548.patch, use CVE-2016-2571.

For 'Do not use parsing leftovers, such as HTTP response status code'
in squid-4-14548.patch, use CVE-2016-2572.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
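The bounds-checking pattern the quoted advisory describes, as an added example that is neither Squid's code nor taken from the advisory: a fixed-capacity string whose unchecked append aborts the whole process on overflow, beside a checked append that reports failure to the caller, applied to assembling a Vary pattern from header tokens. `kMaxContent`, `BoundedString` and `buildVaryPattern` are hypothetical names; the 64KB limit is the one the advisory states.

```cpp
// Added example, not Squid's code: a fixed-capacity string with a 64KB limit,
// showing why "append, then assert" is a whole-process DoS while
// "check, then append" lets one bad response be rejected on its own.
#include <cassert>
#include <cstddef>
#include <string>
#include <vector>

// Constructed limit, matching the 64KB content limit the advisory describes.
constexpr std::size_t kMaxContent = 64 * 1024;

class BoundedString {
public:
    // Pre-fix pattern: the caller is trusted to have bounds-checked. If it
    // has not, the invariant check fires and terminates the process, taking
    // every in-flight client transaction with it.
    void appendUnchecked(const std::string& s) {
        buf_ += s;
        assert(buf_.size() <= kMaxContent && "String content limit exceeded");
    }
    // Hardened pattern: check before appending and report failure instead.
    // Subtracting from the limit (rather than adding sizes) cannot overflow.
    bool tryAppend(const std::string& s) {
        if (s.size() > kMaxContent - buf_.size())
            return false;
        buf_ += s;
        return true;
    }
    std::size_t size() const { return buf_.size(); }
private:
    std::string buf_;
};

// Join remotely supplied header tokens into one comma-separated pattern, the
// way a Vary header's field names would be stored. Returns false, leaving
// the caller free to reject just this response, when the expanded pattern
// would exceed the limit; nothing asserts and no other transaction is hurt.
bool buildVaryPattern(const std::vector<std::string>& tokens, BoundedString& out) {
    for (std::size_t i = 0; i < tokens.size(); ++i) {
        if (i != 0 && !out.tryAppend(","))
            return false;
        if (!out.tryAppend(tokens[i]))
            return false;
    }
    return true;
}
```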
