Does the HTCP port have to be open towards the attacker, or can the attacker 
exploit the bug through a squid listening port?  I.e., if I have a firewall in 
front of squid (reverse proxy) that only allows port 80/443 in from the web and 
HTCP is bound to some other port, am I at risk from attackers outside my 
firewall?

-----Original Message-----
From: Amos Jeffries [mailto:squ...@treenet.co.nz] 
Sent: Friday, February 12, 2010 6:30 AM
To: squid-annou...@squid-cache.org; Squid
Subject: Advisory SQUID-2010:2 - Remote Denial of Service issue in HTCP

__________________________________________________________________

     Squid Proxy Cache Security Update Advisory SQUID-2010:2
__________________________________________________________________

Advisory ID:            SQUID-2010:2
Date:                   February 12, 2010
Summary:                Remote Denial of Service issue in HTCP
Affected versions:      Squid 2.x,
                         Squid 3.0 -> 3.0.STABLE23
Fixed in version:       Squid 3.0.STABLE24
__________________________________________________________________

     http://www.squid-cache.org/Advisories/SQUID-2010_2.txt
__________________________________________________________________

Problem Description:

  Due to incorrect processing Squid is vulnerable to a denial of
  service attack when receiving specially crafted HTCP packets.

__________________________________________________________________

Severity:

  This problem allows any machine to perform a denial of service
  attack on the Squid service when its HTCP port is open.

__________________________________________________________________

Updated Packages:

  This bug is fixed by Squid version 3.0.STABLE24.

  In addition, patches addressing these problems can be found in
  our patch archives.

Squid 2.7:
  http://www.squid-cache.org/Versions/v2/2.7/changesets/12600.patch

Squid 3.0:
  http://www.squid-cache.org/Versions/v3/3.0/changesets/3.0-ADV-2010_2.patch


  If you are using a prepackaged version of Squid then please refer
  to the package vendor for availability information on updated
  packages.

__________________________________________________________________

Determining if your version is vulnerable:

  All Squid-3.0 releases without htcp_port in their configuration
  file (the default) are not vulnerable.

  Squid-3.1 releases are not vulnerable.

  For unpatched Squid-2.x and Squid-3.0 releases: if your cache.log
  contains a line with "Accepting HTCP messages on port" when run
  with debug level 1 ("debug_options ALL,1"), your Squid is
  vulnerable.

  Alternatively, for unpatched Squid-2.x and Squid-3.0 releases:
  if the command
    squidclient mgr:config | grep "htcp_port"
  displays a non-zero HTCP port, your Squid is vulnerable.

__________________________________________________________________

Workarounds:

  For Squid-2.x:
   * Configuring "htcp_port 0" explicitly

  For Squid-3.0:
   * Ensuring that any unnecessary htcp_port settings left in
     squid.conf after upgrading to 3.0 are removed.

__________________________________________________________________

Contact details for the Squid project:

  For installation / upgrade support on binary packaged versions
  of Squid: Your first point of contact should be your binary
  package vendor.

  If you install and build Squid from the original Squid sources
  then the squid-users@squid-cache.org mailing list is your primary
  support point. For subscription details see
  <http://www.squid-cache.org/Support/mailing-lists.html>.

  For reporting of non-security bugs in the latest STABLE release
  the squid bugzilla database should be used
  <http://www.squid-cache.org/bugs/>.

  For reporting of security sensitive bugs send an email to the
  squid-b...@squid-cache.org mailing list. It's a closed list
  (though anyone can post) and security related bug reports are
  treated in confidence until the impact has been established.

__________________________________________________________________

Credits:

  The vulnerability was discovered by Kieran Whitbread.

__________________________________________________________________

Revision history:

  2010-02-12 14:11 GMT Initial Release
__________________________________________________________________
END
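
The advisory's "Determining if your version is vulnerable" checks, as an added shell example that is not part of the advisory or the Squid project's own tooling. The function names are hypothetical; it assumes the last htcp_port directive in squid.conf wins and, following the 2.x workaround, that a Squid-2.x config without an explicit "htcp_port 0" is exposed. It applies to unpatched builds only and does not detect whether a patch is present.

```shell
#!/bin/sh
# Print the htcp_port value from a squid.conf, or nothing if the directive
# is absent. Commented-out directives are ignored because their first field
# is not exactly "htcp_port".
htcp_port_value() {
    awk '$1 == "htcp_port" { v = $2 } END { if (v != "") print v }' "$1"
}

# htcp_exposure SERIES CONF [LOG]
#   SERIES: "2" for Squid 2.x, "3.0" for Squid 3.0 (unpatched builds).
#   LOG:    optional cache.log written with "debug_options ALL,1".
#   Prints "exposed" or "not-exposed".
htcp_exposure() {
    series=$1 conf=$2 log=${3:-}
    # Log evidence named in the advisory. A log that predates a config
    # change can still contain this line, so review old logs by hand.
    if [ -n "$log" ] && grep -q 'Accepting HTCP messages on port' "$log"; then
        echo exposed
        return 0
    fi
    port=$(htcp_port_value "$conf")
    case "$series:$port" in
        3.0:|*:0) echo not-exposed ;;  # 3.0 with no directive, or port 0
        *)        echo exposed ;;      # non-zero port, or 2.x with no
                                       # explicit "htcp_port 0" (assumption)
    esac
}

# Constructed sample configs, not taken from a real deployment.
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'http_port 3128' '# htcp_port 4827' > "$d/default.conf"
    printf '%s\n' 'http_port 3128' 'htcp_port 4827'   > "$d/enabled.conf"
    printf '%s\n' 'http_port 3128' 'htcp_port 0'      > "$d/disabled.conf"
    echo "3.0 default:  $(htcp_exposure 3.0 "$d/default.conf")"
    echo "3.0 enabled:  $(htcp_exposure 3.0 "$d/enabled.conf")"
    echo "2.x default:  $(htcp_exposure 2 "$d/default.conf")"
    echo "2.x disabled: $(htcp_exposure 2 "$d/disabled.conf")"
    rm -rf "$d"
}

demo
```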
