__________________________________________________________________ Squid Proxy Cache Security Update Advisory SQUID-2004:2 __________________________________________________________________ Advisory ID: SQUID-2004:2 Date: June 7, 2004 Summary: Buffer overflow bug in 'ntlm_auth' authentication helper. Affected versions: Squid-2.5 up to and including 2.5.STABLE5 __________________________________________________________________ http://www.squid-cache.org/Advisories/SQUID-2004_2.txt __________________________________________________________________ Problem Description: Squid supports numerous external authentication helper programs, which are used to validate credentials taken from HTTP requests. One of these helper programs, named 'ntlm_auth,' contains a buffer overflow bug that may allow malicious users to execute arbitrary code. The affected source code file is helpers/ntlm_auth/SMB/libntlmssp.c. The affected binary is named 'ntlm_auth'. The buffer overflow bug exists because the code uses a fixed-size character array to hold a password, but does not check the amount of data copied to that buffer. A user can generate a long password that either crashes the helper process or causes it to execute arbitrary code. Note: the Samba-3 package also includes a program named 'ntlm_auth' that can be used as a Squid authenticator. The Samba-3 version of 'ntlm_auth' is not vulnerable to the problem described here and we recommend using it over the Squid version in any case. ------------------------------------------------------------------ Severity: If you are using the 'ntlm_auth' helper from Squid, you should upgrade your installation immediately. This overflow bug may allow an attacker to execute arbitrary code by overwriting the process stack. Note that the 'ntlm_auth' helper does not run as root; it executes under the same userid as the primary Squid process. __________________________________________________________________ Updated Packages: The Squid-2.5.STABLE6 release contains a fix for this problem. You can download the Squid-2.5.STABLE6 release from ftp://ftp.squid-cache.org/pub/archive/2.5/ http://www.squid-cache.org/Versions/v2/2.5/ or the mirrors (may take a while before all mirrors are updated). For a list of mirror sites see http://www.squid-cache.org/Download/ftp-mirrors.html http://www.squid-cache.org/Download/http-mirrors.html Individual patches to the mentioned issues can be found from our patch archive for version Squid-2.5.STABLE5: http://www.squid-cache.org/Versions/v2/2.5/bugs/ The patches should also apply with only a minimal effort to earlier Squid 2.5 versions if required. If you are using a prepackaged version of Squid then please refer to the package vendor for availability information on updated packages. __________________________________________________________________ Determining if your version is vulnerable: You are not vulnerable if you are using the 'ntlm_auth' program that comes with Samba-3. If your squid.conf file as a line that starts with 'auth_param ntlm program' and also contains the string '--helper-protocol=' then you are using the Samba-3 version. You are vulnerable if you have configured Squid to compile and use the NTLM SMB authentication helper in Squid version 2.5.STABLE5 and earlier. Run the following command to determine which version of Squid you are using: squid -v You can also search for the ntlm_auth binary in the directory where Squid is installed. By default it will be /usr/local/squid/libexec/ntlm_auth. Also check your squid.conf file for the string 'ntlm_auth'. If you have the file installed, but are not referencing it in squid.conf, then your installation is not vulerable. In that case, you should remove the unused binary to be safe. If you are using a binary or otherwise pre-packaged version please verify with your vendor on which versions are affected as some vendors ship earlier versions with the needed patches applied. Note that unless you have upgraded to a version released after 2004-06-07 you may be vulnerable to this bug. __________________________________________________________________ Other versions of Squid: NTLM support was introduced in Squid-2.5. Earlier versions are not vulnerable. Even so, versions prior to the 2.5 series are deprecated, please update to Squid-2.5.STABLE6 if you are using a version older than 2.5. These changes have also been made to the Squid-3 source tree. __________________________________________________________________ Workarounds: One workaround is to use the 'ntlm_auth' binary from the Samba-3 sources. That version has a somewhat different command line syntax that Squid's, so be sure to read the Samba-3 documentation for 'ntlm_auth'. Another workaround is to temporarily disable Squid's 'ntlm_auth' authenticator until it has been patched. You may need to use another authentication technique during that time, however. It is also a good idea to place rules in your http_access list that deny all requests from outside your organization (e.g., using the 'src' ACL type). Place these rules before any 'proxy_auth' rules so that an outsider's request is refused before Squid attempts to validate it with the 'ntlm_auth' helper. __________________________________________________________________ Contact details for the Squid project: For installation / upgrade support: Your first point of contact should be your binary package vendor. If your install is built from the original Squid sources, then the squid-users@squid-cache.org mailing list is your primary support point. (see for subscription details). For bug reporting, particularly security related bugs the squid-bugs@squid-cache.org mailing list is the appropriate forum. It's a closed list (though anyone can post) and security related bug reports are treated in confidence until the impact has been established. For non security related bugs, the squid bugzilla database should be used . __________________________________________________________________ Credits: The vulerability was reported by Michael Sutton of iDEFENSE Labs. (www.idefense.com). Duane Wessels developed the patch for libntlmssp.c. __________________________________________________________________ Revision history: 2004-06-07 23:00 GMT Initial release 2004-06-13 14:44 GMT Cosmetic update 2010-09-16 07:05 GMT Reference link updates __________________________________________________________________ END