oss-sec mailing list archives
CVE Request - squid HTTP proxy multiple Information Disclosure issues
From: Amos Jeffries <squid3 () treenet co nz>
Date: Sun, 18 Dec 2016 03:30:26 +1300
Hi,

Two issues have been fixed in the latest Squid HTTP Proxy releases, both result in Cookie headers and other client-specific private information being delivered on cached responses to the wrong clients. Since Cookie often carries security credentials or session keys we consider these issues to have a high severity rating.

Issue #1:

Incorrect processing of responses to If-None-Modified HTTP conditional requests leads to client-specific Cookie data being leaked to other clients. Attack requests can easily be crafted by a client to probe a cache for this information.

Vulnerable Squid Versions:
  3.1.10 up to and including 3.1.23
  3.2.0.3 up to and including 3.5.22
  4.0.1 up to and including 4.0.16

Reference URLs will be:
  <http://www.squid-cache.org/Advisories/SQUID-2016_11.txt>
  <http://bugs.squid-cache.org/show_bug.cgi?id=4169>
  <http://www.squid-cache.org/Versions/v3/3.1/changesets/SQUID-2016_11.patch>
  <http://www.squid-cache.org/Versions/v3/3.2/changesets/SQUID-2016_11.patch>
  <http://www.squid-cache.org/Versions/v3/3.3/changesets/SQUID-2016_11.patch>
  <http://www.squid-cache.org/Versions/v3/3.4/changesets/SQUID-2016_11.patch>
  <http://www.squid-cache.org/Versions/v3/3.5/changesets/SQUID-2016_11.patch>
  <http://www.squid-cache.org/Versions/v4/changesets/SQUID-2016_11.patch>

For Mitre: the CVE critical leak was due to these lines in src/client_side_reply.cc:

    bool matchedIfNoneMatch = false;
    if (r.header.has(HDR_IF_NONE_MATCH)) {
        if (!e->hasIfNoneMatchEtag(r)) {
    ...
    -            http->logType = LOG_TCP_MISS;
    -            sendMoreData(result);

This last line should have called " processMiss(result); ".

The remainder of the patch changes are behaviour fixes to ensure other leaks cannot occur in any related HTTP transaction cases.

Issue #2:

Incorrect HTTP Request header comparison results in Collapsed Forwarding feature mistakenly identifying some private responses as being suitable for delivery to multiple clients.

The current fix is not quite complete. However we believe the remaining headers leaked are not a serious security issue.

Vulnerable Squid Versions:
  3.5.0.1 up to and including 3.5.22
  4.0.1 up to and including 4.0.16

Reference URLs:
  <http://www.squid-cache.org/Advisories/SQUID-2016_10.txt>
  <http://www.squid-cache.org/Versions/v4/changesets/squid-4-14956.patch>
  for squid-3.5 excluding 3.5.22:
  <http://www.squid-cache.org/Versions/v3/3.5/changesets/SQUID-2016_10_a.patch>
  for 3.5.22 only:
  <http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-14127.patch>

Amos Jeffries
The Squid Software Foundation
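Editor's added example (not Squid code, and not part of the original post): a small Python model of the two cache decisions the advisory describes. `serve_conditional` shows the Issue #1 path, where a non-matching If-None-Match must be handled as a miss (Squid's `processMiss`) instead of handing the stored entry to the client (the `sendMoreData` path, reproduced by `buggy=True`); `can_collapse` shows the Issue #2 idea that collapsed forwarding may only join requests whose client-specific headers agree. Entries, requests, the `fetch_from_origin` callback and the `COLLAPSE_SENSITIVE` header set are this example's own simplifications, with header names assumed already canonicalised.

```python
# Editor's model of HTTP cache conditional-request and collapsed-forwarding
# decisions. Not Squid code; data structures and names are assumptions.

def _etags(value):
    # If-None-Match uses weak comparison: strip any W/ prefix before matching.
    return {t.strip()[2:] if t.strip().startswith("W/") else t.strip()
            for t in value.split(",") if t.strip()}

def serve_conditional(entry, request, fetch_from_origin, buggy=False):
    """Answer `request` from stored `entry`, honouring If-None-Match.

    fetch_from_origin(request) is the caller's miss path (Squid: processMiss).
    buggy=True reproduces the pre-fix behaviour: on an ETag mismatch the stored
    entry, with whatever client-specific headers it carries, is still sent.
    """
    inm = request["headers"].get("If-None-Match")
    if inm is not None:
        stored = entry["headers"].get("ETag", "")
        if "*" in _etags(inm) or stored.replace("W/", "", 1) in _etags(inm):
            # Client already holds this representation: no entity body is sent.
            return {"status": 304, "headers": {"ETag": stored}, "body": b""}
        if buggy:
            return {"status": 200, "headers": dict(entry["headers"]), "body": entry["body"]}
        # Mismatch: the stored entry is not what this client validated against,
        # so treat it as a miss rather than replaying another client's response.
        return fetch_from_origin(request)
    return {"status": 200, "headers": dict(entry["headers"]), "body": entry["body"]}

# Request headers that can make an origin's reply specific to one client.
# This set is an assumption of the model, not Squid's actual comparison list.
COLLAPSE_SENSITIVE = ("Cookie", "Authorization", "Proxy-Authorization")

def can_collapse(pending_request, new_request):
    """May `new_request` be attached to the in-flight fetch for `pending_request`?

    Only when the URL and every client-specific header match exactly; matching
    on the URL alone would deliver one client's private reply to another.
    """
    if pending_request["url"] != new_request["url"]:
        return False
    return all(pending_request["headers"].get(h) == new_request["headers"].get(h)
               for h in COLLAPSE_SENSITIVE)

# Constructed sample data: an entry populated by one client's session.
STORED_ENTRY = {"headers": {"ETag": '"v1"', "Set-Cookie": "session=alice-sample"},
                "body": b"page as rendered for alice"}

def origin_fetch(request):
    # Constructed stand-in for a fresh origin response to the requesting client.
    return {"status": 200, "headers": {"ETag": '"v2"'}, "body": b"fresh page"}

def request_with(**headers):
    return {"url": "http://example.test/page", "headers": dict(headers)}
```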