SecurityTracker.com Archives - Squid Buffer Overflow in WCCP recvfrom() Lets Remote Users Deny Service

	Keep Track of the Latest Vulnerabilities with SecurityTracker!

SecurityTracker
Archives

Sign Up

Instant Alerts

Buy our Premium Vulnerability Notification Service to receive customized, instant alerts

Affiliates

Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!

Partners

Become a Partner and License Our Database or Notification Service

Report a Bug

Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com

Category: Application (Generic) > Squid

Vendors: Squid-cache.org

Squid Buffer Overflow in WCCP recvfrom() Lets Remote Users Deny Service

SecurityTracker Alert ID: 1013045

SecurityTracker URL: http://securitytracker.com/id?1013045

CVE Reference: CAN-2005-0211 (Links to External Site)

OSVDB Reference: 13319 (Links to External Site)

Updated: Feb 3 2005

Original Entry Date: Jan 31 2005

Impact: Denial of service via network

Fix Available: Yes Vendor Confirmed: Yes

Version(s): 2.5.STABLE7 and prior versions

Description: A vulnerability was reported in Squid in the WCCP recvfrom() call. A remote user can cause Squid to crash.

The vendor reported that a remote user can send a specially crafted and larger than normal WCCP message to the target server to trigger a buffer overflow in recvfrom() and cause Squid to crash.

The system is only vulnerable if configured to send WCCP messages to and receive WCCP messages from a router.

The vendor credits the FSC Vulnerability Research Team with reporting this flaw.

Impact: A remote user can cause the target Squid server to crash.

Solution: The vendor has issued a patch for version Squid-2.5.STABLE7:

http://www.squid-cache.org/Versions/v2/2.5/bugs/squid-2.5.STABLE7-wccp_buffer_overflow.patch

Vendor URL: www.squid-cache.org/Advisories/SQUID-2005_3.txt (Links to External Site)

Cause: Boundary error

Underlying OS: Linux (Any), UNIX (Any)

Message History: None.

Source Message Contents

Date: Mon, 31 Jan 2005 02:53:20 -0500
Subject: http://www.squid-cache.org/Advisories/SQUID-2005_3.txt

 
 
 
__________________________________________________________________
 
      Squid Proxy Cache Security Update Advisory SQUID-2005:3
__________________________________________________________________
 
Advisory ID:            SQUID-2005:3
Date:                   January 28, 2005
Summary:                Buffer overflow in WCCP recvfrom() call
Affected versions:      All versions up to and including 2.5.STABLE7
__________________________________________________________________
 
     http://www.squid-cache.org/Advisories/SQUID-2005_3.txt
__________________________________________________________________
 
Problem Description:
 
 The WCCP recvfrom() call accepts more data than will fit in
 the allocated buffer.  An attacker may send a larger-than-normal
 WCCP message to Squid and overflow this buffer.
__________________________________________________________________
 
Severity:
 
 The bug is important because it allows remote attackers to crash
 Squid, causing a disription in service.  However, the bug is
 exploitable only if you have configured Squid to send WCCP messages
 to, and expect WCCP replies from, a router.
 
 Sites that do not use WCCP are not vulnerable.
 
__________________________________________________________________
 
Updated Packages:
 
 An individual patch for this issues can be found in our
 patch archive for version Squid-2.5.STABLE7:
 
   http://www.squid-cache.org/Versions/v2/2.5/bugs/squid-2.5.STABLE7-wccp_buffer_overflow.patch
 
 If necessary, this short patch should also apply to previous
 versions of Squid.
 
 If you are using a prepackaged version of Squid then please
 refer to the package vendor for availability information on
 updated packages.
 
__________________________________________________________________
 
Determining if your version is vulnerable:
 
 Your installation is vulnerable if you have configured Squid to
 send WCCP messages to a router, and thus expect replies from a
 router.  Look for the 'wccp_router' dirctive in your squid.conf
 file.  Also, look for this line in cache.log:
 
  Accepting WCCP messages on port 2048, FD 15
 
__________________________________________________________________
 
Workarounds:
 
 If WCCP is not essential to your operation, disable it
 by commenting out the 'wccp_router' directive in
 squid.conf.
 
 You may also compile Squid without any WCCP code at all
 by giving the --disable-wccp option to the ./configure
 script.
 
__________________________________________________________________
 
Contact details for the Squid project:
 
 For installation / upgrade support: Your first point of contact
 should be your binary package vendor.
 
 If your install is built from the original Squid sources, then
 the squid-users@squid-cache.org mailing list is your primary
 support point. (see <http://www.squid-cache.org/mailing-lists.html>
 for subscription details).
 
 For bug reporting, particularly security related bugs the
 squid-bugs@squid-cache.org mailing list is the appropriate forum.
 It's a closed list (though anyone can post) and security related
 bug reports are treated in confidence until the impact has been
 established. For non security related bugs, the squid bugzilla
 database should be used <http://www.squid-cache.org/bugs/>.
 
__________________________________________________________________
 
Credits:
 
 The vulnerability was reported by FSC Vulnerability Research Team.
 
__________________________________________________________________
 
Revision history:
 
 2005-01-28 23:20 GMT Initial release of this document
__________________________________________________________________
END

Go to the Top of This SecurityTracker Archive Page

Home | View Topics | Search | Contact Us | Help
Copyright 2005, SecurityGlobal.net LLC