Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Wed, 11 Oct 2023 09:55:24 +0200
From: Joshua Rogers <megamansec@...il.com>
To: oss-security@...ts.openwall.com
Subject: Squid Caching Proxy Security Audit: 55 Vulnerabilities, 35 0days.

Dear oss-security,

Two and a half years ago an independent audit was performed on The Squid
Caching Proxy, which ultimately resulted in 55 vulnerabilities being
discovered in the project's C++ source code.

Although some of the issues have been fixed, the majority (35) remain
valid. The majority have not been assigned CVEs, and no patches or
workarounds are available. Some of the listed issues concern more than one
bug, which is why 45 issues are listed, despite there being 55
vulnerabilities in total (10 extra of the result of similar, but different
pathways to reproduce a vulnerability).

After two and a half years of waiting, I have decided to release the issues
publicly. The Squid Project is aware of this release.

The issues are listed below. Due to the sheer size of issues discovered,
technical details are not included in this email. However, breakdowns of
the code and proof-of-concepts can be found on GitHub:
https://megamansec.github.io/Squid-Security-Audit/

----
Stack Buffer Overflow in Digest Authentication
Use-After-Free in TRACE Requests
Partial Content Parsing Use-After-Free CVE-2021-31807
X-Forwarded-For Stack Overflow
Chunked Encoding Stack Overflow
Use-After-Free in Cache Manager Errors
Cache Poisoning by Large Stored Response Headers (With Bonus XSS)
Memory Leak in CacheManager URI Parsing CVE-2021-28652
RFC 2141 / 2169 (URN) Response Parsing Memory Leak CVE-2021-28651
Memory Leak in HTTP Response Parsing
Memory Leak in ESI Error Processing
1-Byte Buffer OverRead in RFC 1123 date/time Handling
Null Pointer Dereference in Gopher Response Handling GHSA-cg5h-v6vc-w33f
One-Byte Buffer OverRead in HTTP Request Header Parsing
strlen(NULL) Crash Using Digest Authentication
Assertion in ESI Header Handling
Integer Overflow in Range Header CVE-2021-31808
Gopher Assertion Crash
Whois Assertion Crash
Assertion in Gopher Response Handling
RFC 2141 / 2169 (URN) Assertion Crash
Vary: Other HTTP Response Assertion Crash CVE-2021-28662
Assertion in Negotiate/NTLM Authentication Using Pipeline Prefetching
Assertion on IPv6 Host Requests with –disable-ipv6
Assertion Crash on Unexpected “HTTP/1.1 100 Continue” Response Header
Pipeline Prefetch Assertion With Double ‘Expect:100-continue’ Request
Headers
Pipeline Prefetch Assertion With Invalid Headers
Assertion Crash in Deferred Requests
Assertion in Digest Authentication
FTP URI Assertion
FTP Authentication Crash
Unsatisfiable Range Requests Assertion CVE-2021-31806
Crash in Content-Range Response Header Logic CVE-2021-33620
Assertion Crash In HTTP Response Headers Handling
Implicit Assertion in Stream Handling
Buffer UnderRead in SSL CN Parsing
Use-After-Free in ESI ‘Try’ (and ‘Choose’) Processing
Use-After-Free in ESI Expression Evaluation
Buffer Underflow in ESI
Assertion in Squid “Helper” Process Creator
Assertion Due to 0 ESI ‘when’ Checking
Assertion Using ESI’s When Directive
Assertion in ESI Variable Assignment (String)
Assertion in ESI Variable Assignment
Null Pointer Dereference In ESI’s esi:include and esi:when
----



Cheers,
Josh

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.