Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Fri, 26 Feb 2016 01:45:42 -0500 (EST)
From: cve-assign@...re.org
To: squid3@...enet.co.nz
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE request: Squid HTTP Caching Proxy multiple denial of service issues

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> http://www.squid-cache.org/Advisories/SQUID-2016_2.txt

> First issue;
>  the proxy contains a String object class with 64KB content limits.
> Some code paths do not bounds check before appending to these String
> and overflow leads to an assertion which terminates all client
> transactions using the proxy, including those unrelated to the limit
> being exceeded.
> 
> A PoC has already been published for one attack vector using HTTP
> "Vary" response header. When the Vary pattern presented by a server
> expands to more than 64KB the DoS is triggered. For example:
>  Vary: Cookie,Cookie,Cookie,Cookie,...
> However, there are currently 4 known distinct vectors (types of
> remotely provided input) with varying degrees of difficulty to trigger
> the assertion.
> 
> Patch URLs that workaround 3 of those vectors (though not fully solve)
> are:
> http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-13991.patch
> http://www.squid-cache.org/Versions/v4/changesets/squid-4-14552.patch

Use CVE-2016-2569 for both squid-3.5-13991.patch and
squid-4-14552.patch. There is (currently) no CVE ID for the remaining
unsolved problem associated with this "though not fully solve"
statement.


> This patch fixes the other related variant of the basic problem.
> Though this instance is not triggerable from outside a controlled CDN
> environment:
> http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-13993.patch
> http://www.squid-cache.org/Versions/v4/changesets/squid-4-14549.patch

Use CVE-2016-2570 for both squid-3.5-13993.patch and
squid-4-14549.patch.


> Error handling for malformed HTTP responses can lead to a second
> assertion with the same effects as the first issue. It is not easily
> triggered in Squid-3 or normally in Squid-4.
> 
> However fixing the String issue makes it become easily triggerable in
> Squid-4, and we do have a history of the assertion itself being
> reported as occuring already but been unable to identify the vectors
> code path to replicate it yet. So believe it can be achieved
> independent of the String issues, even if we are unable so far to
> identify how.
> 
> Patch URLs for this are:
> http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-13990.patch
> http://www.squid-cache.org/Versions/v4/changesets/squid-4-14548.patch

For 'When we failed to parse a response, do not store the fake
half-baked response (via a replaceHttpReply() call)' in
squid-3.5-13990.patch and 'Do not store the fake half-baked response
(via replaceHttpReply)' in squid-4-14548.patch, use CVE-2016-2571.

For 'Do not use parsing leftovers, such as HTTP response status code'
in squid-4-14548.patch, use CVE-2016-2572.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJWz/QtAAoJEL54rhJi8gl5TPsQALWrHbXiNZ0QWpy9rdqQSNFa
OAikawWt2yIudQ4Dozv2DtPU2lzOgb01wyyEs+Y9keUv2eYjxe34/4spJpT2mnOA
HNmzKa7LuCF119D7R1tKwrfKox/9aOZN5AveHbXzg+/LZ/IC4IHz0FDAp4iJPSEi
QJcjEGfOWkIPI/8k5FiimSQVlxlN60VePEB2lFippfDhBGA1c8y9Xyl20f7rrLVB
mF5kFgz/jtiP0WZ03XdzQefKTlc19m/ypMoF5HRJDC41Y549XKwXLwrZIxh6mou+
cDFUWi3DpcwSxLAcoaA9QkqQu9DrH8Yix5d2/Y4GYJFPcKiHDxUn/oAIaAQm8zZU
2rJNtS1HCLrn1k4VV9Q4BYARvRA3tQzHd90hIZMISxN8LU51ck0PKgcgWcx2tyFX
B4dIfH4mbI5/eZQJw8EyZpg/PvEGn2JVxFlJymAH82Hwvw/G/uXYRmaucbw9TaSU
f2ohc7t+SBP1hjnsil8/YSOAoAaG8e74F5RicqwrxTnsNEUsDs9LKlKaCLAewQor
BbSwLs5ktEysG+68+x4vkxm34CJnEZyedoGZhQbM0T+EAZh5y8vGjcYDzRvQ7DIt
7PH8Z/hQXa6GMPDRg8e7QJKwCgQCxU/Nfpg+jAEvfTelf9VMjiBixyf0pnyTvikt
/Wg3iOrRSLlWAPp4xL9Z
=Pghb
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.