search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Squid remote denial-of-service vulnerability

Vulnerability Note VU#232881

Original Release Date: 2007-12-10 | Last Revised: 2008-01-18

Overview

The Squid Proxy server contains a vulnerability that may allow an attacker to create a denial-of-service condition that affects the Squid server and systems that rely on it.

Description

Squid Proxy Cache is a caching proxy that supports the HTTP, HTTPS, and FTP protocols. Squid can also be deployed as a reverse proxy.

From Squid Proxy Cache Security Update Advisory SQUID-2007:2
Due to incorrect bounds checking Squid is vulnerable to a denial of service check during some cache update reply processing.
This incorrect bounds checking occurs within the httpHeaderUpdate() function when processing cache update replies.

Impact

An attacker who can access the Squid proxy may be able to cause the proxy server to crash. If the Squid proxy is deployed as a reverse proxy, the web servers relying on the proxy may also be affected.

Solution

Update
The Squid team has released patches 11780 and 11211 to address this issue. Administrators who obtain Squid from their operating system vendor should see the systems affected portion of this document for a partial list of affected vendors.


Restrict access

Restricting access to the Squid proxy via access control lists or firewall rules may prevent this vulnerability from being exploited by remote attackers..

Vendor Information

232881
 
Affected   Unknown   Unaffected

IPCop

Notified:  December 10, 2007 Updated:  December 11, 2007

Status

  Vulnerable

Vendor Statement

In order to address this issue the IPCop team released version 1.4.18 on the 2nd of December. All users of IPCop should upgrade to version 1.4.18.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

See http://ipcop.cvs.sourceforge.net/ipcop/ipcop/lfs/squid?view=log&pathrev=IPCOP_v1_4_0 for more details.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Red Hat, Inc.

Notified:  December 10, 2007 Updated:  December 11, 2007

Status

  Vulnerable

Vendor Statement

This issue affects the Squid package as shipped with Red Hat Enterprise Linux 2.1, 3, 4, and 5. The Red Hat Security Response Team has rated this issue as having moderate security impact. We are currently working on producing errata packages, when complete these will be available along with our advisory at the URL below.

http://rhn.redhat.com/cve/CVE-2007-6239.html

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

SUSE Linux

Notified:  December 10, 2007 Updated:  January 18, 2008

Status

  Vulnerable

Vendor Statement

SUSE is affected by this problem, and we have released updated squid packages to fix it.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

See http://www.novell.com/linux/security/advisories/suse_security_announce_62.html for more details.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Squid

Updated:  December 10, 2007

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

See http://www.squid-cache.org/Advisories/SQUID-2007_2.txt for more details.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Apple Computer, Inc.

Notified:  December 10, 2007 Updated:  December 11, 2007

Status

  Not Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Microsoft Corporation

Notified:  December 10, 2007 Updated:  December 11, 2007

Status

  Not Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

NetBSD

Notified:  December 10, 2007 Updated:  December 11, 2007

Status

  Not Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Openwall GNU/*/Linux

Notified:  December 10, 2007 Updated:  December 11, 2007

Status

  Not Vulnerable

Vendor Statement

Openwall GNU/*/Linux is not affected. We do not currently package Squid.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Slackware Linux Inc.

Notified:  December 10, 2007 Updated:  December 10, 2007

Status

  Not Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Conectiva Inc.

Notified:  December 10, 2007 Updated:  December 10, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Cray Inc.

Notified:  December 10, 2007 Updated:  December 10, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Debian GNU/Linux

Notified:  December 10, 2007 Updated:  December 10, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

EMC Corporation

Notified:  December 10, 2007 Updated:  December 10, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Engarde Secure Linux

Notified:  December 10, 2007 Updated:  December 10, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

F5 Networks, Inc.

Notified:  December 10, 2007 Updated:  December 10, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Fedora Project

Notified:  December 10, 2007 Updated:  December 10, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

FreeBSD, Inc.

Notified:  December 10, 2007 Updated:  December 10, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Fujitsu

Notified:  December 10, 2007 Updated:  December 10, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Gentoo Linux

Notified:  December 10, 2007 Updated:  December 10, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Hewlett-Packard Company

Notified:  December 10, 2007 Updated:  December 10, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Hitachi

Notified:  December 10, 2007 Updated:  December 10, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

IBM Corporation

Notified:  December 10, 2007 Updated:  December 10, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

IBM Corporation (zseries)

Notified:  December 10, 2007 Updated:  December 10, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

IBM eServer

Notified:  December 10, 2007 Updated:  December 10, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Ingrian Networks, Inc.

Notified:  December 10, 2007 Updated:  December 10, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Juniper Networks, Inc.

Notified:  December 10, 2007 Updated:  December 10, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Mandriva, Inc.

Notified:  December 10, 2007 Updated:  December 10, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

MontaVista Software, Inc.

Notified:  December 10, 2007 Updated:  December 10, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

NEC Corporation

Notified:  December 10, 2007 Updated:  December 10, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Nokia

Notified:  December 10, 2007 Updated:  December 10, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Novell, Inc.

Notified:  December 10, 2007 Updated:  December 10, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

OpenBSD

Notified:  December 10, 2007 Updated:  December 10, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

QNX, Software Systems, Inc.

Notified:  December 10, 2007 Updated:  December 10, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Silicon Graphics, Inc.

Notified:  December 10, 2007 Updated:  December 10, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

SmoothWall

Notified:  December 10, 2007 Updated:  December 10, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Sony Corporation

Notified:  December 10, 2007 Updated:  December 10, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Sun Microsystems, Inc.

Notified:  December 10, 2007 Updated:  December 10, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

The SCO Group

Notified:  December 10, 2007 Updated:  December 10, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Trustix Secure Linux

Notified:  December 10, 2007 Updated:  December 10, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Turbolinux

Notified:  December 10, 2007 Updated:  December 10, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Ubuntu

Notified:  December 10, 2007 Updated:  December 10, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Unisys

Notified:  December 10, 2007 Updated:  December 10, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Wind River Systems, Inc.

Notified:  December 10, 2007 Updated:  December 10, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

View all 43 vendors View less vendors


CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

References

Acknowledgements

The Squid proxy team credits the Wikimedia Foundation for discovering this vulnerability. Adrian Chadd and Henrik Nordstrom are credited for authoring patches that address the issue.

This document was written by Ryan Giobbi.

Other Information

CVE IDs: CVE-2007-6239
Severity Metric: 7.51
Date Public: 2007-11-27
Date First Published: 2007-12-10
Date Last Updated: 2008-01-18 16:35 UTC
Document Revision: 12

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.