[squid-users] Squid Security Advisory: Remote denial of service in SNMP parser

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 27 Jun 2008 22:49:59 +1200

__________________________________________________________________

       Squid Proxy Cache Security Update Advisory SQUID-2008:1
__________________________________________________________________

Advisory ID: SQUID-2008:1
Date: June 22, 2008
Summary: Remote denial of service in SNMP parser
Affected versions: All 3.0 releases before 3.0.STABLE7
__________________________________________________________________

      http://www.squid-cache.org/Advisories/SQUID-2004_3.txt
      http://www.squid-cache.org/Advisories/SQUID-2008_1.txt
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0918
__________________________________________________________________

Problem Description:

  Advisory 2004-3 was fixed in 2.5.STABLE7 and all later 2.x releases,
  but was unfortunately not duplicated in the 3.x branch.

  A bug exists in the ASN1 parser used in Squid's SNMP library. This
  code fails to fully validate certain fields in SNMP queries. A
  specially-crafted message may contain negative values, which Squid
  passes to the malloc() function. This may lead to a segmentation
  violation and cause Squid to restart.
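
  The failure described above, worked through as an added example
  (this is constructed illustration code, not Squid's snmplib/asn1.c
  and not the Squid patch). BER encodes a length either as one byte
  (0x00-0x7f) or as 0x80|n followed by n big-endian length bytes. A
  decoder that accumulates those bytes and hands them back as a
  signed int, without comparing the result to the bytes actually
  left in the datagram, turns 0x84 0xff 0xff 0xff 0xff into -1; at
  the malloc() call the int is converted to size_t, so the request
  becomes SIZE_MAX. The weak decoder below is shown beside a hardened
  one. Function names, the sample headers and the assumption that
  int-to-size_t conversion wraps as on gcc/clang are all assumptions
  of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample SNMP/BER length headers (bytes after the tag). */
const unsigned char SAMPLE_BAD[]   = { 0x84, 0xff, 0xff, 0xff, 0xff }; /* length 0xffffffff */
const unsigned char SAMPLE_TRUNC[] = { 0x82, 0x00, 0x10 };             /* claims 16, 0 follow */
const unsigned char SAMPLE_OK[]    = { 0x82, 0x00, 0x02, 0xaa, 0xbb }; /* claims 2, 2 follow */
const unsigned char SAMPLE_SHORT[] = { 0x01, 0x05 };                   /* short form, length 1 */
const unsigned char SAMPLE_INDEF[] = { 0x80 };                         /* indefinite form */

/* Weak decoder (assumed pattern, not Squid's code): the length is
 * accumulated and returned as a signed int, and never compared with
 * the bytes that remain after the header. 'avail' is bytes at p. */
static const unsigned char *weak_parse_length(const unsigned char *p,
                                              size_t avail, int *len)
{
    if (avail < 1)
        return NULL;
    unsigned char b = *p++;
    avail--;
    if (!(b & 0x80)) {
        *len = b;
        return p;
    }
    unsigned n = b & 0x7f;
    if (n > avail)                 /* the only check this version makes */
        return NULL;
    unsigned v = 0;
    for (unsigned i = 0; i < n; i++)
        v = (v << 8) | *p++;
    *len = (int)v;                 /* 0xffffffff becomes -1 (two's complement wrap) */
    return p;
}

/* Hardened decoder: unsigned accumulator, indefinite form rejected,
 * at most sizeof(size_t) length bytes, and the decoded length must
 * fit inside the bytes still present in the datagram. */
static const unsigned char *safe_parse_length(const unsigned char *p,
                                              size_t avail, size_t *len)
{
    if (avail < 1)
        return NULL;
    unsigned char b = *p++;
    avail--;
    if (!(b & 0x80)) {
        *len = b;
        return (*len <= avail) ? p : NULL;
    }
    size_t n = b & 0x7f;
    if (n == 0 || n > sizeof(size_t) || n > avail)
        return NULL;               /* indefinite, absurd, or truncated header */
    size_t v = 0;
    for (size_t i = 0; i < n; i++)
        v = (v << 8) | *p++;
    avail -= n;
    if (v > avail)                 /* claimed length exceeds the datagram */
        return NULL;
    *len = v;
    return p;
}

/* The size malloc() would be asked for on the weak path (0 if the
 * header is rejected outright). -1 converts to SIZE_MAX here. */
size_t weak_malloc_request(const unsigned char *hdr, size_t avail)
{
    int len = 0;
    if (weak_parse_length(hdr, avail, &len) == NULL)
        return 0;
    return (size_t)len;
}

/* Decoded length on the hardened path, or -1 when rejected. */
long safe_length(const unsigned char *hdr, size_t avail)
{
    size_t len = 0;
    if (safe_parse_length(hdr, avail, &len) == NULL)
        return -1;
    return (long)len;
}

int main(void)
{
    printf("weak: bad   -> malloc(%zu)\n", weak_malloc_request(SAMPLE_BAD, sizeof SAMPLE_BAD));
    printf("weak: trunc -> malloc(%zu) with 0 bytes following\n",
           weak_malloc_request(SAMPLE_TRUNC, sizeof SAMPLE_TRUNC));
    printf("safe: bad=%ld trunc=%ld indef=%ld ok=%ld short=%ld (-1 = rejected)\n",
           safe_length(SAMPLE_BAD, sizeof SAMPLE_BAD),
           safe_length(SAMPLE_TRUNC, sizeof SAMPLE_TRUNC),
           safe_length(SAMPLE_INDEF, sizeof SAMPLE_INDEF),
           safe_length(SAMPLE_OK, sizeof SAMPLE_OK),
           safe_length(SAMPLE_SHORT, sizeof SAMPLE_SHORT));
    return 0;
}
```

  The point the hardened version makes is that the bound check has to
  be against the bytes actually received, not merely against the
  sign of the value: the truncated header yields a positive 16 that
  the weak decoder happily returns, and the copy that follows it
  would run 16 bytes past the end of the datagram.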

------------------------------------------------------------------

Severity:

  The bug is significant because it forces Squid to restart, thus
  disrupting active transactions. The buggy code runs before Squid
  makes any access control checks (i.e. snmp_access), so an
  snmp_access ACL offers no protection against the malformed packet.
__________________________________________________________________

Updated Packages:

  The Squid-3.0.STABLE7 release contains a fix for this
  problem. You can download the Squid-3.0.STABLE7 release from

    ftp://ftp.squid-cache.org/pub/squid-3/STABLE/
    http://www.squid-cache.org/Versions/v3/3.0/

  or the mirrors (may take a while before all mirrors are updated).
  For a list of mirror sites see

    http://www.squid-cache.org/Mirrors/ftp-mirrors.html
    http://www.squid-cache.org/Mirrors/http-mirrors.html

  An individual patch for this issue can be found in our
  patch archive for version Squid-3.0.STABLE6:

    http://www.squid-cache.org/Versions/v3/3.0/changesets/b8826.patch

  If necessary, this short patch should also apply to any version
  of Squid 3.0 released before June 2008.

  If you are using a prepackaged version of Squid then please
  refer to the package vendor for availability information on
  updated packages.

__________________________________________________________________

Determining if your version is vulnerable:

  This bug is present by default in all 3.0 releases before
  3.0.STABLE7 since SNMP support is present by default.

  However, Squid is vulnerable only if it is listening for SNMP
  queries on a UDP port. The default configuration in 3.0 is for
  the SNMP port to be closed.

  A Squid binary built with the configure option --disable-snmp
  contains no SNMP code and is not at risk. Any other build is at
  risk as soon as the SNMP port is opened.

  To check, look for an 'snmp_port' directive with a non-zero value
  in squid.conf, or for the following message in Squid's cache.log:

     Accepting SNMP messages on port 3401, FD nn.

__________________________________________________________________

Workarounds:

  The best workaround is to close Squid's SNMP port, at least
  temporarily. Close SNMP port by removing the snmp_port directive
  or setting it to '0'.

  Note that in 3.0 releases the default SNMP port setting is closed.
  This differs from the original 2004-3 advisory.

  If your SNMP agent runs on the same host as Squid, bind the SNMP
  port to the loopback address and add a packet filter rule that
  blocks SNMP messages from outside hosts. You can bind Squid's SNMP
  port to the loopback address with this directive:

     snmp_incoming_address 127.0.0.1

  Restart or reconfigure Squid after editing squid.conf.

  If your SNMP agent runs on a different host from Squid, configure
  the firewall on your Squid box to only permit SNMP traffic between
  your trusted agent and the Squid SNMP port.

__________________________________________________________________

Contact details for the Squid project:

  For installation / upgrade support: Your first point of contact
  should be your binary package vendor.

  If your install is built from the original Squid sources, then
  the squid-users_at_squid-cache.org mailing list is your primary
  support point. (see <http://www.squid-cache.org/mailing-lists.html>
  for subscription details).

  For bug reporting, particularly security related bugs the
  squid-bugs_at_squid-cache.org mailing list is the appropriate forum.
  It's a closed list (though anyone can post) and security related
  bug reports are treated in confidence until the impact has been
  established. For non security related bugs, the squid bugzilla
  database should be used <http://www.squid-cache.org/bugs/>.

__________________________________________________________________

Credits:

  The vulnerability was reported by iDEFENSE Labs (www.idefense.com).

  Henrik Nordstrom developed the patch for snmplib/asn1.c

__________________________________________________________________

Revision history:

  2004-10-05 00:00 GMT Disclosure of vulnerability by iDEFENSE
  2004-10-25 02:10 GMT Initial release of 2004-3 document
  2008-06-26 01:28 GMT Revision for Squid 3.0 regression
__________________________________________________________________
END
Received on Fri Jun 27 2008 - 10:49:55 MDT