__________________________________________________________________ Squid Proxy Cache Security Update Advisory SQUID-2005:3 __________________________________________________________________ Advisory ID: SQUID-2005:3 Date: January 28, 2005 Summary: Buffer overflow in WCCP recvfrom() call Affected versions: All versions up to and including 2.5.STABLE7 __________________________________________________________________ http://www.squid-cache.org/Advisories/SQUID-2005_3.txt __________________________________________________________________ Problem Description: The WCCP recvfrom() call accepts more data than will fit in the allocated buffer. An attacker may send a larger-than-normal WCCP message to Squid and overflow this buffer. __________________________________________________________________ Severity: The bug is important because it allows remote attackers to crash Squid, causing a disription in service. However, the bug is exploitable only if you have configured Squid to send WCCP messages to, and expect WCCP replies from, a router. Sites that do not use WCCP are not vulnerable. __________________________________________________________________ Updated Packages: An individual patch for this issues can be found in our patch archive for version Squid-2.5.STABLE7: http://www.squid-cache.org/Versions/v2/2.5/bugs/squid-2.5.STABLE7-wccp_buffer_overflow.patch If necessary, this short patch should also apply to previous versions of Squid. If you are using a prepackaged version of Squid then please refer to the package vendor for availability information on updated packages. __________________________________________________________________ Determining if your version is vulnerable: Your installation is vulnerable if you have configured Squid to send WCCP messages to a router, and thus expect replies from a router. Look for the 'wccp_router' dirctive in your squid.conf file. Also, look for this line in cache.log: Accepting WCCP messages on port 2048, FD 15 __________________________________________________________________ Workarounds: If WCCP is not essential to your operation, disable it by commenting out the 'wccp_router' directive in squid.conf. You may also compile Squid without any WCCP code at all by giving the --disable-wccp option to the ./configure script. __________________________________________________________________ Contact details for the Squid project: For installation / upgrade support: Your first point of contact should be your binary package vendor. If your install is built from the original Squid sources, then the squid-users@squid-cache.org mailing list is your primary support point. (see for subscription details). For bug reporting, particularly security related bugs the squid-bugs@squid-cache.org mailing list is the appropriate forum. It's a closed list (though anyone can post) and security related bug reports are treated in confidence until the impact has been established. For non security related bugs, the squid bugzilla database should be used . __________________________________________________________________ Credits: The vulnerability was reported by FSC Vulnerability Research Team. __________________________________________________________________ Revision history: 2005-01-28 23:20 GMT Initial release of this document 2010-09-16 07:05 GMT Reference link updates __________________________________________________________________ END