[squid-users] [ADVISORY] SQUID-2014:2 Denial of service in request processing

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 28 Aug 2014 04:40:13 +1200

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

__________________________________________________________________

    Squid Proxy Cache Security Update Advisory SQUID-2014:2
__________________________________________________________________

Advisory ID: SQUID-2014:2
Date: August 28, 2014
Summary: Denial of service in request processing
Affected versions: Squid 3.x -> 3.3.12
                        Squid 3.4 -> 3.4.6
Fixed in version: Squid 3.3.13, 3.4.7
__________________________________________________________________

    http://www.squid-cache.org/Advisories/SQUID-2014_2.txt
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3609
__________________________________________________________________

Problem Description:

 Due to incorrect input validation in request parsing, Squid is
 vulnerable to a denial of service attack when processing
 Range requests.

__________________________________________________________________

Severity:

 This problem allows any trusted client to perform a denial of
 service attack on the Squid service.

__________________________________________________________________

Updated Packages:

 This bug is fixed by Squid versions 3.3.13 and 3.4.7.

 In addition, patches addressing this problem for stable releases
 can be found in our patch archives:

Squid 3.0:
http://www.squid-cache.org/Versions/v3/3.0/changesets/squid-3.0-9201.patch

Squid 3.1:
http://www.squid-cache.org/Versions/v3/3.1/changesets/squid-3.1-10488.patch

Squid 3.2:
http://www.squid-cache.org/Versions/v3/3.2/changesets/squid-3.2-11828.patch

Squid 3.3:
http://www.squid-cache.org/Versions/v3/3.3/changesets/squid-3.3-12680.patch

Squid 3.4:
http://www.squid-cache.org/Versions/v3/3.4/changesets/squid-3.4-13168.patch

 If you are using a prepackaged version of Squid then please refer
 to the package vendor for availability information on updated
 packages.

__________________________________________________________________

Determining if your version is vulnerable:

Squid-3.x:

 All Squid-3.x versions up to and including 3.3.12 are vulnerable
 to the problem.

Squid-3.4:

 All Squid-3.4 versions up to and including 3.4.6 are vulnerable
 to the problem.

__________________________________________________________________

Workaround:

 Add the following access control lines to squid.conf above any
 http_access allow lines:

 acl validRange req_header Range \
  ^bytes=([0-9]+\-[0-9]*|\-[0-9]+)(,([0-9]+\-[0-9]*|\-[0-9]+))*$

 acl validRange req_header Request-Range \
  ^bytes=([0-9]+\-[0-9]*|\-[0-9]+)(,([0-9]+\-[0-9]*|\-[0-9]+))*$

 http_access deny !validRange
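
 The following is an added example, not part of the advisory and not
 Squid project code. It applies the workaround's byte-range pattern to
 constructed Range / Request-Range header values so an administrator can
 see which values the acl accepts and which it rejects before deploying
 it. The pattern is copied verbatim from the workaround; the helper
 names (is_valid_range, classify_request, evaluate_samples) and the
 sample values are this example's own. The example treats an absent
 header as acceptable, since only malformed values are the concern;
 that choice is the example's, not something the advisory states.

```python
import re

# The byte-range whitelist pattern from the advisory's squid.conf
# workaround, used here unchanged as a Python regular expression.
RANGE_RE = re.compile(
    r"^bytes=([0-9]+\-[0-9]*|\-[0-9]+)(,([0-9]+\-[0-9]*|\-[0-9]+))*$"
)


def is_valid_range(value):
    """True when a Range / Request-Range header value matches the
    advisory's pattern. None (header absent) is treated as acceptable,
    a choice made for this example only."""
    if value is None:
        return True
    # fullmatch keeps the check strict even if a stray newline sneaks in.
    return RANGE_RE.fullmatch(value) is not None


def classify_request(headers):
    """Mirror the intent of 'http_access deny !validRange' for a single
    request: deny when either header carries a value the pattern rejects.
    'headers' is a plain dict of header name -> value (constructed input)."""
    for name in ("Range", "Request-Range"):
        if not is_valid_range(headers.get(name)):
            return "deny"
    return "allow"


# Constructed sample header values (not taken from the advisory).
SAMPLES = [
    "bytes=0-499",              # first 500 bytes
    "bytes=500-",               # from offset 500 to end
    "bytes=-500",               # last 500 bytes (suffix range)
    "bytes=0-0,-1",             # first and last byte
    "bytes=0-499,500-999",      # two ranges, no whitespace
    "bytes=",                   # empty range set
    "bytes=a-b",                # non-numeric offsets
    "bytes=-",                  # no offsets at all
    "0-499",                    # missing the 'bytes=' unit
    "bytes=0-499, 500-999",     # whitespace after comma (see note below)
]


def evaluate_samples():
    """Return {header value: 'allow' | 'deny'} for every constructed sample,
    evaluated as if it were the Range header of a request."""
    return {v: classify_request({"Range": v}) for v in SAMPLES}


if __name__ == "__main__":
    for value, decision in evaluate_samples().items():
        print(f"{decision:5}  Range: {value!r}")
```

 Note that the pattern is stricter than the RFC 7233 grammar in one
 respect: the list rule there permits optional whitespace after the
 comma, so a client sending "bytes=0-499, 500-999" is well within the
 specification but is denied by this acl. Run the block against the
 header values your own clients actually send before relying on the
 workaround in production.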

__________________________________________________________________

Contact details for the Squid project:

 For installation / upgrade support on binary packaged versions
 of Squid: Your first point of contact should be your binary
 package vendor.

 If you install and build Squid from the original Squid sources
 then the squid-users_at_squid-cache.org mailing list is your primary
 support point. For subscription details see
 http://www.squid-cache.org/Support/mailing-lists.html.

 For reporting of non-security bugs in the latest release
 the squid bugzilla database should be used
 http://bugs.squid-cache.org/.

 For reporting of security sensitive bugs send an email to the
 squid-bugs_at_squid-cache.org mailing list. It's a closed list
 (though anyone can post) and security related bug reports are
 treated in confidence until the impact has been established.

__________________________________________________________________

Credits:

 The vulnerability was discovered by Matthew Daley.

__________________________________________________________________

Revision history:

 2014-08-26 11:54 GMT Initial Report
 2014-08-26 18:28 GMT CVE Assignment
 2014-08-27 15:18 GMT Patches and Packages Released
__________________________________________________________________
END

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)

iQEcBAEBAgAGBQJT/gntAAoJELJo5wb/XPRjgDwIAJoMyiWY2wMpThWkag6WkqUP
Tn+hsLRc6cBORwyOZNyYSloZh8v4C8WKfl96wTew1sLSZrCrHDx1iLXozJeSRLiW
Mnzv9wN7MdmyhRou4FEspuQj8IjenvSrk4Eg56+vc6g3caUeVHuCzmNdjmPss6q0
3OxFbzIpx69xakhHLXQEG+3LmPPZMz/479mlrb8AsJ2t/4v0GXRyd8KrhL323EFS
ZZCk6o/rZNOnTOVEcABbwWBsvaA1d2WMVSJ9s3adPT9c32n6OyX4UPm8sijGLDkT
mAKk5+3t+nExpaSFjk/Q+708fHR6Iatqgf2UqWWXYcMkQKKdETxFXXwKx6zT7pA=
=lBYi
-----END PGP SIGNATURE-----
Received on Wed Aug 27 2014 - 16:40:26 MDT
