__________________________________________________________________

    Squid Proxy Cache Security Update Advisory SQUID-2004:3
__________________________________________________________________

Advisory ID:        SQUID-2004:3
Date:               October 5, 2004
Summary:            Remote denial of service in SNMP parser
Affected versions:  All versions up to and including 2.5.STABLE6
__________________________________________________________________

    http://www.squid-cache.org/Advisories/SQUID-2004_3.txt
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0918
__________________________________________________________________

Problem Description:

    A bug exists in the ASN1 parser used in Squid's SNMP library. This
    code fails to fully validate certain fields in SNMP queries. A
    specially-crafted message may contain negative values, which Squid
    passes to the malloc() function. This may lead to a segmentation
    violation and cause Squid to restart.

------------------------------------------------------------------

Severity:

    The bug is significant because it forces Squid to restart, thus
    disrupting active transactions. The buggy code is executed even
    before Squid makes any access control checks (i.e. snmp_access).
__________________________________________________________________

Updated Packages:

    The Squid-2.5.STABLE7 release contains a fix for this problem.

    You can download the Squid-2.5.STABLE7 release from

        ftp://ftp.squid-cache.org/pub/archive/2.5/
        http://www.squid-cache.org/Versions/v2/2.5/

    or the mirrors (may take a while before all mirrors are updated).
    For a list of mirror sites see

        http://www.squid-cache.org/Download/ftp-mirrors.html
        http://www.squid-cache.org/Download/http-mirrors.html

    An individual patch for this issue can be found in our patch
    archive for version Squid-2.5.STABLE6:

        http://www.squid-cache.org/Versions/v2/2.5/bugs/squid-2.5.STABLE6-SNMP_core_dump.patch

    If necessary, this short patch should also apply to any version of
    Squid released after March 1998.
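The validation the Problem Description says is missing, as an added illustration that is not the Squid patch and not code from snmplib/asn1.c: a BER length decoder that rejects a length field which is truncated, indefinite, larger than the remaining buffer, or would become negative when stored in an int, so that no unchecked value can reach malloc(). The input bytes in main() are constructed for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Decode a BER length field at data[0] with `avail` bytes remaining.
 * Returns the length (>= 0) and sets *used to the octets consumed, or
 * returns -1 if the field is malformed, truncated, or claims more
 * payload than the buffer holds. A caller that only calls malloc()
 * after a non-negative return can never pass it a negative or
 * oversized size. */
long ber_parse_length(const unsigned char *data, size_t avail, size_t *used)
{
    if (avail < 1)
        return -1;
    if (data[0] < 0x80) {                      /* short form: 0..127 */
        if ((size_t)data[0] > avail - 1)
            return -1;                         /* payload truncated */
        *used = 1;
        return data[0];
    }
    size_t nbytes = data[0] & 0x7f;            /* long form: octet count */
    if (nbytes == 0 || nbytes > 4 || nbytes + 1 > avail)
        return -1;            /* indefinite form, oversized, or truncated */
    uint32_t len = 0;
    for (size_t i = 1; i <= nbytes; i++)
        len = (len << 8) | data[i];
    /* Reject values with the top bit set: that is exactly the kind of
     * value that turns negative once stored in an int and handed to
     * malloc(). Also reject anything beyond the bytes actually present. */
    if (len > 0x7fffffffUL || len > avail - nbytes - 1)
        return -1;
    *used = nbytes + 1;
    return (long)len;
}

/* Demo on constructed inputs: a valid 5-byte OCTET STRING body, and a
 * 4-octet long-form length whose value would be negative as an int. */
int main(void)
{
    const unsigned char ok[]  = {0x05, 'h', 'e', 'l', 'l', 'o'};
    const unsigned char bad[] = {0x84, 0xff, 0xff, 0xff, 0xf0, 0x00};
    size_t used;
    printf("ok  -> %ld\n", ber_parse_length(ok, sizeof ok, &used));
    printf("bad -> %ld\n", ber_parse_length(bad, sizeof bad, &used));
    return 0;
}
```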
    If you are using a prepackaged version of Squid then please refer
    to the package vendor for availability information on updated
    packages.
__________________________________________________________________

Determining if your version is vulnerable:

    This bug is present only when Squid has been compiled with SNMP
    support. SNMP support must be enabled with the --enable-snmp
    ./configure option.

    Furthermore, Squid is vulnerable only if it is listening for SNMP
    queries on a UDP port. You can check Squid's cache.log file for
    the following message:

        Accepting SNMP messages on port 3401, FD nn.
__________________________________________________________________

Workarounds:

    The best workaround is to disable Squid's SNMP port, at least
    temporarily. Disable SNMP by setting snmp_port to zero:

        snmp_port 0

    Note that if you delete or comment out the 'snmp_port' directive,
    Squid uses the default value (3401).

    If your SNMP agent runs on the same host as Squid, use the loopback
    IP address and use a packet filter rule to block SNMP messages from
    outside hosts. You can bind Squid's SNMP port to the loopback
    address with this directive:

        snmp_incoming_address 127.0.0.1

    Restart or reconfigure Squid after editing squid.conf.
__________________________________________________________________

Contact details for the Squid project:

    For installation / upgrade support: Your first point of contact
    should be your binary package vendor. If your install is built
    from the original Squid sources, then the squid-users@squid-cache.org
    mailing list is your primary support point. (see for subscription
    details).

    For bug reporting, particularly security related bugs, the
    squid-bugs@squid-cache.org mailing list is the appropriate forum.
    It's a closed list (though anyone can post) and security related
    bug reports are treated in confidence until the impact has been
    established.

    For non security related bugs, the squid bugzilla database should
    be used.
__________________________________________________________________

Credits:

    The vulnerability was reported by iDEFENSE Labs (www.idefense.com).

    Henrik Nordstrom developed the patch for snmplib/asn1.c
__________________________________________________________________

Revision history:

    2004-10-05 00:00 GMT  Disclosure of vulnerability by iDEFENSE
    2004-10-25 02:10 GMT  Initial release of this document
    2010-09-16 07:05 GMT  Reference link updates
__________________________________________________________________
END