US-CERT Vulnerability Notes Database
Vulnerability Note VU#232881

Squid remote denial-of-service vulnerability

Overview

The Squid Proxy server contains a vulnerability that may allow an attacker to create a denial-of-service condition that affects the Squid server and systems that rely on it.

I. Description

Squid Proxy Cache is a caching proxy that supports the HTTP, HTTPS, and FTP protocols. Squid can also be deployed as a reverse proxy.

From Squid Proxy Cache Security Update Advisory SQUID-2007:2

    Due to incorrect bounds checking Squid is vulnerable to a denial of service attack during some cache update reply processing.
This incorrect bounds checking occurs within the httpHeaderUpdate() function when processing cache update replies.

II. Impact

An attacker who can access the Squid proxy may be able to crash the proxy server. If Squid is deployed as a reverse proxy, the web servers it fronts become unreachable to clients while the proxy is down.

III. Solution

Update

The Squid team has released patches 11780 and 11211 to address this issue. Administrators who obtain Squid from their operating system vendor should see the Systems Affected section of this document for a partial list of affected vendors.

Restrict access

Restricting access to the Squid proxy via access control lists or firewall rules may prevent this vulnerability from being exploited by remote attackers. This is a mitigation rather than a fix: a reverse proxy is reachable by arbitrary clients by design, so source-address restrictions do not protect that deployment, and applying the patches remains the primary remedy.
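The following squid.conf fragments illustrate the access-restriction mitigation described above. They are example configuration written for this note, not text from the Squid advisory or the Squid project's documentation, and the trusted network 192.0.2.0/24, the origin server address 192.0.2.10 and the site name www.example.com are assumed placeholders. The three fragments are alternatives; use the one that matches the deployment.

```conf
# --- Weak: forward proxy that accepts requests from any source ---
# A bare "allow all" exposes the proxy, and every parsing bug in it,
# to any host that can reach TCP port 3128.
http_port 3128
http_access allow all

# --- Restricted: forward proxy limited to one trusted network ---
# Only clients in the assumed 192.0.2.0/24 range may send requests.
# http_access rules are evaluated in order; if none matches, Squid
# applies the opposite of the last rule, so the list ends with an
# explicit "deny all" to make the default unambiguous.
http_port 3128
acl localnet src 192.0.2.0/24
http_access allow localnet
http_access deny all

# --- Reverse proxy (accelerator) in front of one origin server ---
# Internet clients must be able to reach this listener, so a source
# ACL cannot be used. Instead, limit what the proxy will forward to the
# assumed origin 192.0.2.10 and refuse requests for any other site.
http_port 80 accel defaultsite=www.example.com
cache_peer 192.0.2.10 parent 80 0 no-query originserver name=origin
acl our_sites dstdomain www.example.com
http_access allow our_sites
cache_peer_access origin allow our_sites
http_access deny all
```

Validate the edited file with `squid -k parse` before loading it with `squid -k reconfigure`. Because Squid evaluates `http_access` only after it has accepted the TCP connection, pair the forward-proxy ACL with a host or network firewall rule that drops connections to the proxy port from outside the trusted range.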

Systems Affected

Vendor                       | Status         | Date Notified / Updated
-----------------------------|----------------|------------------------
Apple Computer, Inc.         | Not Vulnerable | 11-Dec-2007
Conectiva Inc.               | Unknown        | 10-Dec-2007
Cray Inc.                    | Unknown        | 10-Dec-2007
Debian GNU/Linux             | Unknown        | 10-Dec-2007
EMC Corporation              | Unknown        | 10-Dec-2007
Engarde Secure Linux         | Unknown        | 10-Dec-2007
F5 Networks, Inc.            | Unknown        | 10-Dec-2007
Fedora Project               | Unknown        | 10-Dec-2007
FreeBSD, Inc.                | Unknown        | 10-Dec-2007
Fujitsu                      | Unknown        | 10-Dec-2007
Gentoo Linux                 | Unknown        | 10-Dec-2007
Hewlett-Packard Company      | Unknown        | 10-Dec-2007
Hitachi                      | Unknown        | 10-Dec-2007
IBM Corporation              | Unknown        | 10-Dec-2007
IBM Corporation (zseries)    | Unknown        | 10-Dec-2007
IBM eServer                  | Unknown        | 10-Dec-2007
Ingrian Networks, Inc.       | Unknown        | 10-Dec-2007
IPCop                        | Vulnerable     | 11-Dec-2007
Juniper Networks, Inc.       | Unknown        | 10-Dec-2007
Mandriva, Inc.               | Unknown        | 10-Dec-2007
Microsoft Corporation        | Not Vulnerable | 11-Dec-2007
MontaVista Software, Inc.    | Unknown        | 10-Dec-2007
NEC Corporation              | Unknown        | 10-Dec-2007
NetBSD                       | Not Vulnerable | 11-Dec-2007
Nokia                        | Unknown        | 10-Dec-2007
Novell, Inc.                 | Unknown        | 10-Dec-2007
OpenBSD                      | Unknown        | 10-Dec-2007
Openwall GNU/*/Linux         | Not Vulnerable | 11-Dec-2007
QNX, Software Systems, Inc.  | Unknown        | 10-Dec-2007
Red Hat, Inc.                | Vulnerable     | 11-Dec-2007
Silicon Graphics, Inc.       | Unknown        | 10-Dec-2007
Slackware Linux Inc.         | Not Vulnerable | 10-Dec-2007
SmoothWall                   | Unknown        | 10-Dec-2007
Sony Corporation             | Unknown        | 10-Dec-2007
Squid                        | Vulnerable     | 10-Dec-2007
Sun Microsystems, Inc.       | Unknown        | 10-Dec-2007
SUSE Linux                   | Vulnerable     | 18-Jan-2008
The SCO Group                | Unknown        | 10-Dec-2007
Trustix Secure Linux         | Unknown        | 10-Dec-2007
Turbolinux                   | Unknown        | 10-Dec-2007
Ubuntu                       | Unknown        | 10-Dec-2007
Unisys                       | Unknown        | 10-Dec-2007
Wind River Systems, Inc.     | Unknown        | 10-Dec-2007

References


http://www.squid-cache.org/Advisories/SQUID-2007_2.txt
http://wiki.squid-cache.org/SquidFaq/ReverseProxy
http://wiki.squid-cache.org/SquidFaq/SquidAcl#head-c87419712cac704d01cecc7da11cd02f489b6986
http://secunia.com/advisories/27910/

Credit

The Squid proxy team credits the Wikimedia Foundation for discovering this vulnerability. Adrian Chadd and Henrik Nordstrom are credited for authoring patches that address the issue.

This document was written by Ryan Giobbi.

Other Information

Date Public:2007-11-27
Date First Published:2007-12-10
Date Last Updated:2008-01-18
CERT Advisory: 
CVE-ID(s):CVE-2007-6239
NVD-ID(s):CVE-2007-6239
US-CERT Technical Alerts: 
Metric:7.51
Document Revision:12

If you have feedback, comments, or additional information about this vulnerability, please send us email.
Produced 2007 by US-CERT, a government organization