__________________________________________________________________

    Squid Proxy Cache Security Update Advisory SQUID-2014:1
__________________________________________________________________

Advisory ID:            SQUID-2014:1
Date:                   March 09, 2014
Summary:                Denial of Service in SSL-Bump
Affected versions:      Squid 3.1 -> 3.3.11,
                        Squid 3.4 -> 3.4.3
Fixed in version:       Squid 3.3.12, 3.4.4
__________________________________________________________________

    http://www.squid-cache.org/Advisories/SQUID-2014_1.txt
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0128
__________________________________________________________________

Problem Description:

 Due to incorrect state management Squid is vulnerable to a denial
 of service attack when processing certain HTTPS requests.

__________________________________________________________________

Severity:

 This problem allows any client who can generate HTTPS requests
 to perform a denial of service attack on the Squid service.

 There are popular client software implementations which generate
 HTTPS requests that trigger this vulnerability during their
 normal activities.

__________________________________________________________________

Updated Packages:

 This bug is fixed by Squid versions 3.3.12 and 3.4.4.

 In addition, patches addressing this problem can be found in
 our patch archives.

Squid 3.3:
 <http://www.squid-cache.org/Versions/v3/3.3/changesets/squid-3.3-12677.patch>

Squid 3.4:
 <http://www.squid-cache.org/Versions/v3/3.4/changesets/squid-3.4-13104.patch>

 If you are using a prepackaged version of Squid then please refer
 to the package vendor for availability information on updated
 packages.

__________________________________________________________________

Determining if your version is vulnerable:

 All Squid versions without SSL-Bump feature configured are not
 vulnerable.

 All Squid-3.0 and older versions, including Squid-2 are not
 vulnerable.

 All unpatched Squid-3.1 versions are vulnerable.

 All unpatched Squid-3.2 versions are vulnerable.

 All unpatched Squid-3.3 versions up to and including 3.3.11 are
 vulnerable.

 All unpatched Squid-3.4 versions up to and including 3.4.3 are
 vulnerable.

__________________________________________________________________

Workarounds:

Either

 Disable SSL-bump for clients affected by adding "ssl_bump none"
 rule(s) at the top of the ssl_bump configuration directives.

Or

 Disable the SSL-bump feature completely by removing the ssl-bump
 option from all http_port and/or https_port configuration directives.

Or

 Use TCP_RESET instead of all Squid-generated error pages.
 Note that this is only a partial workaround as some error pages
 cannot be overridden.
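 An added checker, not from the Squid project, that applies the version
 rules from "Determining if your version is vulnerable" and the first
 workaround above to a squid.conf; the sample configurations are constructed.

```python
import re

# Vulnerable ranges stated in the advisory: every 3.1.x and 3.2.x release,
# 3.3.0 to 3.3.11, and 3.4.0 to 3.4.3. Squid-2, 3.0 and later branches are out of scope.
FIXED_IN = {(3, 3): 12, (3, 4): 4}
ALWAYS_VULNERABLE_BRANCHES = {(3, 1), (3, 2)}

def parse_version(text):
    """Pull the x.y.z version out of e.g. 'Squid Cache: Version 3.3.11'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no Squid version found in %r" % text)
    return tuple(int(x) for x in m.groups())

def version_vulnerable(version):
    """True if this release is in one of the advisory's affected ranges."""
    major, minor, patch = version
    branch = (major, minor)
    if branch in ALWAYS_VULNERABLE_BRANCHES:
        return True
    return branch in FIXED_IN and patch < FIXED_IN[branch]

def parse_config(conf_text):
    """Return the listening ports with SSL-Bump enabled and the ssl_bump rules in order."""
    bump_ports, rules = [], []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if fields[0] in ("http_port", "https_port") and "ssl-bump" in fields[1:]:
            bump_ports.append(line)
        elif fields[0] == "ssl_bump":
            rules.append(fields[1:])
    return bump_ports, rules

def assess(version_text, conf_text):
    """Classify as 'not vulnerable', 'mitigated' or 'vulnerable' per the advisory."""
    if not version_vulnerable(parse_version(version_text)):
        return "not vulnerable"
    bump_ports, rules = parse_config(conf_text)
    if not bump_ports:
        return "not vulnerable"                 # SSL-Bump feature not configured
    # Workaround 1: an "ssl_bump none" rule ahead of the other rules. Only the
    # all-clients form is recognised here; narrower client ACLs need manual review.
    if rules and rules[0][:2] == ["none", "all"]:
        return "mitigated"
    return "vulnerable"

# Constructed sample configurations (not from the advisory).
EXPOSED_CONF = """http_port 3128 ssl-bump cert=/etc/squid/proxy.pem
ssl_bump server-first all
"""
MITIGATED_CONF = "ssl_bump none all\n" + EXPOSED_CONF
```

 Feed it the first line of `squid -v` and the contents of the running
 squid.conf; a "mitigated" result still calls for upgrading to 3.3.12 or 3.4.4.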

__________________________________________________________________

Contact details for the Squid project:

 For installation / upgrade support on binary packaged versions
 of Squid: Your first point of contact should be your binary
 package vendor.

 If you install and build Squid from the original Squid sources
 then the squid-users@squid-cache.org mailing list is your primary
 support point. For subscription details see
 <http://www.squid-cache.org/Support/mailing-lists.html>.

 For reporting of non-security bugs in the latest STABLE release
 the squid bugzilla database should be used
 <http://bugs.squid-cache.org/>.

 For reporting of security sensitive bugs send an email to the
 squid-b...@squid-cache.org mailing list. It's a closed list
 (though anyone can post) and security related bug reports are
 treated in confidence until the impact has been established.

__________________________________________________________________

Credits:

 The vulnerability was reported by Mathias Fischer and Fabian
 Hugelshofer from Open Systems AG.

 Fixes by Alex Rousskov from The Measurement Factory.

__________________________________________________________________

Revision history:

 2014-02-21 16:04 GMT Initial Report
 2014-02-22 23:51 GMT Patch Provided
 2014-03-09 00:14 GMT Packages Released
__________________________________________________________________
END