Protección inadecuada de ruta alternativa en Squid
Fecha de publicación:2015-07-09 09:09:00
Gravedad:alta
Sistemas afectados
Todas las versiones de Squid hasta la 3.5.5 incluida.
Descripción
Se ha identificado una vulnerabilidad en Squid que puede permitir a
clientes remotos sortear la seguridad.
Solución
El fallo está corregido en la versión 3.5.6. Para las versiones
anteriores se han publicado actualizaciones:
Squid 3.4
Squid 3.5
Detalle
El investigador Alex Rousskov ha informado de un fallo de seguridad en
el proxy Squid producido por la gestión incorrecta de las respuestas del
método CONNECT, en el caso de que esté configurada la opción de
cache_peer en el fichero squid.conf.
Referencias
Squid Proxy Cache Security Update Advisory SQUID-2015:2
NOTA COMPLETA
__________________________________________________________________
Squid Proxy Cache Security Update Advisory SQUID-2015:2
__________________________________________________________________
Advisory ID: SQUID-2015:2
Date: July 06, 2015
Summary: Improper Protection of Alternate Path
Affected versions: Squid 0.x -> 3.5.5
Fixed in version: Squid 3.5.6
__________________________________________________________________
http://www.squid-cache.org/Advisories/SQUID-2015_2.txt
__________________________________________________________________
Problem Description:
Squid configured with cache_peer and operating on explicit proxy
traffic does not correctly handle CONNECT method peer responses.
__________________________________________________________________
Severity:
The bug is important because it allows remote clients to bypass
security in an explicit gateway proxy.
However, the bug is exploitable only if you have configured
cache_peer to receive CONNECT requests.
__________________________________________________________________
Updated Packages:
This bug is fixed by Squid version 3.5.6.
In addition, patches addressing this problem for stable releases
can be found in our patch archives:
Squid 3.4:
http://www.squid-cache.org/Versions/v3/3.4/changesets/squid-3.4-13225.patch
Squid 3.5:
http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-13856.patch
If you are using a prepackaged version of Squid then please refer
to the package vendor for availability information on updated
packages.
__________________________________________________________________
Determining if your version is vulnerable:
All Squid versions with cache_peer omitted from squid.conf are
not vulnerable to the problem.
All Squid versions with squid.conf containing
"nonhierarchical_direct on" are not vulnerable to the problem.
All Squid-3.1 and later with nonhierarchical_direct omitted from
squid.conf are not vulnerable to the problem.
All other unpatched Squid configured to use a cache_peer without
the "originserver" option are vulnerable to the problem.
__________________________________________________________________
Workaround:
For Squid-3.0 and older ensure squid.conf contains
"nonhierarchical_direct on".
For Squid-3.1 and newer remove nonhierarchical_direct from
squid.conf.
__________________________________________________________________
Contact details for the Squid project:
For installation / upgrade support on binary packaged versions
of Squid: Your first point of contact should be your binary
package vendor.
If you install and build Squid from the original Squid sources
then the squid-us...@lists.squid-cache.org mailing list is your
primary support point. For subscription details see
http://www.squid-cache.org/Support/mailing-lists.html.
For reporting of non-security bugs in the latest release
the squid bugzilla database should be used
http://bugs.squid-cache.org/.
For reporting of security sensitive bugs send an email to the
squid-b...@lists.squid-cache.org mailing list. It's a closed
list (though anyone can post) and security related bug reports
are treated in confidence until the impact has been established.
__________________________________________________________________
Credits:
The vulnerability was reported and fixed by Alex Rousskov, The
Measurement Factory.
__________________________________________________________________
Revision history:
2015-06-16 16:54 GMT Initial Report and Patches Released
2015-05-03 15:37 GMT Packages Released
__________________________________________________________________
END
______________________________________________________________________
Lista de correos del Grupo de Usuarios de Tecnologías Libres de Cuba.
Gutl-l@jovenclub.cu
https://listas.jovenclub.cu/cgi-bin/mailman/listinfo/gutl-l