Date: Wed, 11 Oct 2023 09:55:24 +0200 From: Joshua Rogers <megamansec@...il.com> To: oss-security@...ts.openwall.com Subject: Squid Caching Proxy Security Audit: 55 Vulnerabilities, 35 0days. Dear oss-security, Two and a half years ago an independent audit was performed on The Squid Caching Proxy, which ultimately resulted in 55 vulnerabilities being discovered in the project's C++ source code. Although some of the issues have been fixed, the majority (35) remain valid. The majority have not been assigned CVEs, and no patches or workarounds are available. Some of the listed issues concern more than one bug, which is why 45 issues are listed, despite there being 55 vulnerabilities in total (10 extra of the result of similar, but different pathways to reproduce a vulnerability). After two and a half years of waiting, I have decided to release the issues publicly. The Squid Project is aware of this release. The issues are listed below. Due to the sheer size of issues discovered, technical details are not included in this email. However, breakdowns of the code and proof-of-concepts can be found on GitHub: https://megamansec.github.io/Squid-Security-Audit/ ---- Stack Buffer Overflow in Digest Authentication Use-After-Free in TRACE Requests Partial Content Parsing Use-After-Free CVE-2021-31807 X-Forwarded-For Stack Overflow Chunked Encoding Stack Overflow Use-After-Free in Cache Manager Errors Cache Poisoning by Large Stored Response Headers (With Bonus XSS) Memory Leak in CacheManager URI Parsing CVE-2021-28652 RFC 2141 / 2169 (URN) Response Parsing Memory Leak CVE-2021-28651 Memory Leak in HTTP Response Parsing Memory Leak in ESI Error Processing 1-Byte Buffer OverRead in RFC 1123 date/time Handling Null Pointer Dereference in Gopher Response Handling GHSA-cg5h-v6vc-w33f One-Byte Buffer OverRead in HTTP Request Header Parsing strlen(NULL) Crash Using Digest Authentication Assertion in ESI Header Handling Integer Overflow in Range Header CVE-2021-31808 Gopher Assertion Crash Whois Assertion Crash Assertion in Gopher Response Handling RFC 2141 / 2169 (URN) Assertion Crash Vary: Other HTTP Response Assertion Crash CVE-2021-28662 Assertion in Negotiate/NTLM Authentication Using Pipeline Prefetching Assertion on IPv6 Host Requests with –disable-ipv6 Assertion Crash on Unexpected “HTTP/1.1 100 Continue” Response Header Pipeline Prefetch Assertion With Double ‘Expect:100-continue’ Request Headers Pipeline Prefetch Assertion With Invalid Headers Assertion Crash in Deferred Requests Assertion in Digest Authentication FTP URI Assertion FTP Authentication Crash Unsatisfiable Range Requests Assertion CVE-2021-31806 Crash in Content-Range Response Header Logic CVE-2021-33620 Assertion Crash In HTTP Response Headers Handling Implicit Assertion in Stream Handling Buffer UnderRead in SSL CN Parsing Use-After-Free in ESI ‘Try’ (and ‘Choose’) Processing Use-After-Free in ESI Expression Evaluation Buffer Underflow in ESI Assertion in Squid “Helper” Process Creator Assertion Due to 0 ESI ‘when’ Checking Assertion Using ESI’s When Directive Assertion in ESI Variable Assignment (String) Assertion in ESI Variable Assignment Null Pointer Dereference In ESI’s esi:include and esi:when ---- Cheers, Josh
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.