Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Sun, 18 Dec 2016 03:30:26 +1300
From: Amos Jeffries <squid3@...enet.co.nz>
To: oss-security@...ts.openwall.com
Subject: CVE Request - squid HTTP proxy multiple Information Disclosure issues

Hi,

Two issues have been fixed in the latest Squid HTTP Proxy releases, both
result in Cookie headers and other client-specific private information
being delivered on cached responses to the wrong clients. Since Cookie
often carries security credentials or session keys we consider these
issues to have a high severity rating.


Issue #1:

 Incorrect processing of responses to If-None-Modified HTTP conditional
requests leads to client-specific Cookie data being leaked to other
clients. Attack requests can easily be crafted by a client to probe a
cache for this information.

Vulnerable Squid Versions:
 3.1.10 up to and including 3.1.23
 3.2.0.3 up to and including 3.5.22
 4.0.1 up to and including 4.0.16

Reference URLs will be:
 <http://www.squid-cache.org/Advisories/SQUID-2016_11.txt>
 <http://bugs.squid-cache.org/show_bug.cgi?id=4169>
 <http://www.squid-cache.org/Versions/v3/3.1/changesets/SQUID-2016_11.patch>
 <http://www.squid-cache.org/Versions/v3/3.2/changesets/SQUID-2016_11.patch>
 <http://www.squid-cache.org/Versions/v3/3.3/changesets/SQUID-2016_11.patch>
 <http://www.squid-cache.org/Versions/v3/3.4/changesets/SQUID-2016_11.patch>
 <http://www.squid-cache.org/Versions/v3/3.5/changesets/SQUID-2016_11.patch>
 <http://www.squid-cache.org/Versions/v4/changesets/SQUID-2016_11.patch>


For Mitre: the CVE critical leak was due to these lines in
src/client_side_reply.cc:

     bool matchedIfNoneMatch = false;
     if (r.header.has(HDR_IF_NONE_MATCH)) {
        if (!e->hasIfNoneMatchEtag(r)) {
...
-            http->logType = LOG_TCP_MISS;
-            sendMoreData(result);

This last line should have called "  processMiss(result); ". The
remainder of the patch changes are behaviour fixes to ensure other leaks
can not occur in any related HTTP transaction cases.



Issue #2:

 Incorrect HTTP Request header comparison results in Collapsed
Forwarding feature mistakenly identifying some private responses as
being suitable for delivery to multiple clients.

 The current fix is not quite complete. However we believe the remaining
headers leaked are not a serious security issue.

Vulnerable Squid Versions:
 3.5.0.1 up to and including 3.5.22
 4.0.1 up to and including 4.0.16

Reference URLs:
 <http://www.squid-cache.org/Advisories/SQUID-2016_10.txt>
 <http://www.squid-cache.org/Versions/v4/changesets/squid-4-14956.patch>
 for squid-3.5 excluding 3.5.22:
<http://www.squid-cache.org/Versions/v3/3.5/changesets/SQUID-2016_10_a.patch>
 for 3.5.22 only:
 <http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-14127.patch>



Amos Jeffries
The Squid Software Foundation



Download attachment "signature.asc" of type "application/pgp-signature" (835 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.