SecurityTracker.com

Category:  Application (Generic)  >  Squid
Vendors:  Squid-cache.org
(Vendor Issues Advisory) Squid SNMP Parsing Error Lets Remote Users Restart the Proxy Server
SecurityTracker Alert ID:  1011914
SecurityTracker URL:  http://securitytracker.com/id?1011914
CVE Reference:  CAN-2004-0918
Date:  Oct 25 2004
Impact:  Denial of service via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 2.5-STABLE6, 3.0-PRE3-20040702; when compiled with SNMP support
Description:  iDEFENSE reported a vulnerability in Squid's SNMP service. A remote user can cause denial of service conditions.

It is reported that a remote user can supply a specially crafted SNMP packet to trigger an ASN1 parsing error and cause Squid to restart, dropping all current connections.

The flaw resides in the asn_parse_header() function in 'snmplib/asn1.c'.

The system is affected if compiled with SNMP support.

The vendor was notified on September 15, 2004.

The original advisory is available at:

http://www.idefense.com/application/poi/display?id=152&type=vulnerabilities

Impact:  A remote user can cause the proxy services to restart.
Solution:  The vendor has issued the following fixes [quoted]:

The Squid-2.5.STABLE7 release contains a fix for this
problem. You can download the Squid-2.5.STABLE7 release from

ftp://ftp.squid-cache.org/pub/squid-2/STABLE/
http://www.squid-cache.org/Versions/v2/2.5/

or the mirrors (may take a while before all mirrors are updated).
For a list of mirror sites see

http://www.squid-cache.org/Mirrors/ftp-mirrors.html
http://www.squid-cache.org/Mirrors/http-mirrors.html

An individual patch for this issue can be found in our
patch archive for version Squid-2.5.STABLE6:

http://www.squid-cache.org/Versions/v2/2.5/bugs/squid-2.5.STABLE6-SNMP_core_dump.patch

Vendor URL:  www.squid-cache.org/Advisories/SQUID-2004_3.txt
Cause:  Exception handling error, Input validation error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry is a follow-up to the message listed below.
Oct 11 2004 Squid SNMP Parsing Error Lets Remote Users Restart the Proxy Server



 Source Message Contents

Date:  Mon, 25 Oct 2004 03:14:16 -0400
Subject:  http://www.squid-cache.org/Advisories/SQUID-2004_3.txt

 
 
__________________________________________________________________
 
      Squid Proxy Cache Security Update Advisory SQUID-2004:3
__________________________________________________________________
 
Advisory ID:            SQUID-2004:3
Date:                   October 5, 2004
Summary:                Remote denial of service in SNMP parser
Affected versions:      All versions up to and including 2.5.STABLE6
__________________________________________________________________
 
     http://www.squid-cache.org/Advisories/SQUID-2004_3.txt
     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0918
__________________________________________________________________
 
Problem Description:
 
 A bug exists in the ASN1 parser used in Squid's SNMP library.  This
 code fails to fully validate certain fields in SNMP queries.  A
 specially-crafted message may contain negative values, which Squid
 passes to the malloc() function.  This may lead to a segmentation
 violation and cause Squid to restart.
 
------------------------------------------------------------------
 
Severity:
 
 The bug is significant because it forces Squid to restart, thus
 disrupting active transactions.  The buggy code is executed even
 before Squid makes any access control checks (i.e. snmp_access).
__________________________________________________________________
 
Updated Packages:
 
 The Squid-2.5.STABLE7 release contains a fix for this
 problem. You can download the Squid-2.5.STABLE7 release from
 
   ftp://ftp.squid-cache.org/pub/squid-2/STABLE/
   http://www.squid-cache.org/Versions/v2/2.5/
 
 or the mirrors (may take a while before all mirrors are updated).
 For a list of mirror sites see
 
   http://www.squid-cache.org/Mirrors/ftp-mirrors.html
   http://www.squid-cache.org/Mirrors/http-mirrors.html
 
 An individual patch for this issue can be found in our
 patch archive for version Squid-2.5.STABLE6:
 
   http://www.squid-cache.org/Versions/v2/2.5/bugs/squid-2.5.STABLE6-SNMP_core_dump.patch
 
 If necessary, this short patch should also apply to any version
 of Squid released after March 1998.
 
 If you are using a prepackaged version of Squid then please
 refer to the package vendor for availability information on
 updated packages.
 
__________________________________________________________________
 
Determining if your version is vulnerable:
 
 This bug is present only when Squid has been compiled with SNMP
 support.  SNMP support must be enabled with the --enable-snmp
 ./configure option.
 
 Furthermore, Squid is vulnerable only if it is listening for SNMP
 queries on a UDP port.  You can check Squid's cache.log file for
 the following message:
 
    Accepting SNMP messages on port 3401, FD nn.
 
__________________________________________________________________
 
Workarounds:
 
 The best workaround is to disable Squid's SNMP port, at least
 temporarily.  Disable SNMP by setting snmp_port to zero:
 
    snmp_port 0
 
 Note that if you delete or comment out the 'snmp_port' directive,
 Squid uses the default value (3401).
 
 If your SNMP agent runs on the same host as Squid, use the loopback
 IP address and use a packet filter rule to block SNMP messages
 from outside hosts.  You can bind Squid's SNMP port to the loopback
 address with this directive:
 
    snmp_incoming_address 127.0.0.1
 
 Restart or reconfigure Squid after editing squid.conf.
 
__________________________________________________________________
 
Contact details for the Squid project:
 
 For installation / upgrade support: Your first point of contact
 should be your binary package vendor.
 
 If your install is built from the original Squid sources, then
 the squid-users@squid-cache.org mailing list is your primary
 support point. (see <http://www.squid-cache.org/mailing-lists.html>
 for subscription details).
 
 For bug reporting, particularly security related bugs, the
 squid-bugs@squid-cache.org mailing list is the appropriate forum.
 It's a closed list (though anyone can post) and security related
 bug reports are treated in confidence until the impact has been
 established. For non security related bugs, the squid bugzilla
 database should be used <http://www.squid-cache.org/bugs/>.
 
__________________________________________________________________
 
Credits:
 
 The vulnerability was reported by iDEFENSE Labs (www.idefense.com).
 
 Henrik Nordstrom developed the patch for snmplib/asn1.c
 
__________________________________________________________________
 
Revision history:
 
 2004-10-05 00:00 GMT Disclosure of vulnerability by iDEFENSE
 2004-10-25 02:10 GMT Initial release of this document
__________________________________________________________________
END
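
An added example, not part of the Squid advisory or of SecurityTracker's text: a Python check that applies the advisory's exposure test and workaround rules to the contents of squid.conf and cache.log. The function names, the sample inputs and the 0.0.0.0 default bind address are assumptions of this example.

```python
import re

DEFAULT_SNMP_PORT = 3401  # per the advisory: used when snmp_port is absent or commented out
LISTEN_RE = re.compile(r"Accepting SNMP messages on port (\d+), FD \d+")

# Constructed samples, not taken from a real host.
SAMPLE_COMMENTED = "http_port 3128\n# snmp_port 0\n"
SAMPLE_DISABLED = "http_port 3128\nsnmp_port 0\n"
SAMPLE_LOOPBACK = "snmp_port 3401\nsnmp_incoming_address 127.0.0.1\n"
SAMPLE_LOG = "2004/10/25 03:14:16| Accepting SNMP messages on port 3401, FD 12.\n"


def effective_directives(conf_text):
    """Return the last active value of each SNMP directive in squid.conf text."""
    values = {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # a commented-out directive is not a setting
        parts = line.split()
        if len(parts) >= 2 and parts[0] in ("snmp_port", "snmp_incoming_address"):
            values[parts[0]] = parts[1]  # assumption: a later line overrides an earlier one
    return values


def logged_snmp_port(log_text):
    """Port from the most recent 'Accepting SNMP messages' line, or None if absent."""
    ports = LISTEN_RE.findall(log_text)
    return int(ports[-1]) if ports else None


def audit(conf_text, log_text=""):
    """Classify the SNMP listener as disabled, loopback-only or exposed."""
    conf = effective_directives(conf_text)
    port = int(conf.get("snmp_port", DEFAULT_SNMP_PORT))
    bind = conf.get("snmp_incoming_address", "0.0.0.0")  # assumption: default is all interfaces
    if port == 0:
        status = "disabled"
    elif bind == "127.0.0.1":
        status = "loopback-only"  # the advisory also asks for a packet filter rule here
    else:
        status = "exposed"
    return {"status": status, "port": port, "bind": bind,
            "listening_port_in_log": logged_snmp_port(log_text)}


if __name__ == "__main__":
    for name, conf in [("commented", SAMPLE_COMMENTED), ("disabled", SAMPLE_DISABLED),
                       ("loopback", SAMPLE_LOOPBACK)]:
        print(name, audit(conf, SAMPLE_LOG))
```

The check reads configuration and log text only; it does not tell whether the running binary is 2.5.STABLE7 or carries the patch, so an "exposed" result on a fixed build is a configuration finding rather than a sign of the bug.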
 



Copyright 2004, SecurityGlobal.net LLC