SB2020110501 - Red Hat Enterprise Linux 8 update for the squid:4 module
Published: November 5, 2020
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 18 secuirty vulnerabilities.
1) Input validation error (CVE-ID: CVE-2019-12520)
The vulnerability allows a remote attacker to perform cache poisoning.
The vulnerability exists due to insufficient validation of user-supplied input within ESI. When receiving a request, Squid checks its cache to see if it can serve up a response. It does this by making a MD5 hash of the absolute URL of the request. If found, it servers the request. The absolute URL can include the decoded UserInfo (username and password) for certain protocols. This decoded info is prepended to the domain. This allows an attacker to provide a username that has special characters to delimit the domain, and treat the rest of the URL as a path or query string. An attacker could first make a request to their domain using an encoded username, then when a request for the target domain comes in that decodes to the exact URL, it will serve the attacker's HTML instead of the real HTML. On Squid servers that also act as reverse proxies, this allows an attacker to gain access to features that only reverse proxies can use, such as ESI.
2) Inconsistent interpretation of HTTP requests (CVE-ID: CVE-2019-18678)
The vulnerability allows a remote attacker to perform HTTP request smuggling attack.
The vulnerability exists due to insufficient validation of HTTP request headers in Squid. A remote attacker can initiate a specially crafted HTTP request that will cause the software to split HTTP request and display to the end user content, controlled by the attacker at arbitrary URL.
3) Resource exhaustion (CVE-ID: CVE-2020-24606)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly EOF in peerDigestHandleReply() function in peer_digest.cc when processing Cache Digest response messages from a trusted peer. A remote attacker who controls a trusted peer can consume all available CPU cycles and perform a denial of service (DoS) attack.
This attack is limited to Squid using cache_peer with cache digests feature.
4) Inconsistent interpretation of HTTP requests (CVE-ID: CVE-2020-15049)
The vulnerability allows a remote attacker to perform cache poisoning attack.
The vulnerability exists in the way Squid processes client's requests. A remote client can send specially crafted data in the request to perform request smuggling and poison the HTTP cache contents with crafted HTTP(S) request messages.
Successful exploitation of the vulnerability requires an upstream server to participate in the smuggling and generate the poison response sequence.
5) Exposed dangerous method or function (CVE-ID: CVE-2020-14058)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to usage of potentially dangerous function when processing TLS certificates. A remote client can perform a denial of service attack when opening TLS connections.
6) Buffer overflow (CVE-ID: CVE-2020-8450)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing HTTP requests, when Squid is acting as a reverse proxy. A remote attacker can send a specially crafted HTTP request to the affected proxy server, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
7) Input validation error (CVE-ID: CVE-2020-8449)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to insufficient validation of user-supplied input when processing HTTP requests. A remote attacker can send a specially crafted HTTP request, bypass configured security filters and gain access to certain server resources.
8) Improper Neutralization of Special Elements in Output Used by a Downstream Component (CVE-ID: CVE-2019-18860)
The vulnerability allows a remote attacker to perform cache poisoning attack.
The vulnerability exists due to improper input validation of HTML code within the hostname parameter in cachemgr.cgi. A remote attacker can send a specially crated HTTP request and poison the cache.
9) Information disclosure (CVE-ID: CVE-2019-18679)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to incorrect data management when processing HTTP Digest Authentication. Nonce tokens contain the raw byte value of a pointer which sits within heap memory allocation. This allows a remote attacker to gain knowledge of memory allocations and bypass ASLR protection and help in exploitation of other vulnerabilities.
10) Cross-site request forgery (CVE-ID: CVE-2019-18677)
The vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin, when Squid is configured with the append_domain option. A remote attacker can trick the victim to visit a specially crafted web page and redirect victim's traffic to a third-party domain.
11) Out-of-bounds write (CVE-ID: CVE-2019-12521)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error when processing untrusted input. When Squid is parsing ESI, it keeps the ESI elements in ESIContext. ESIContext contains a buffer for holding a stack of ESIElements. When a new ESIElement is parsed, it is added via addStackElement. addStackElement has a check for the number of elements in this buffer, but it's off by 1, leading to a Heap Overflow of 1 element. The overflow is within the same structure so it can't affect adjacent memory blocks, and thus just leads to a crash while processing.
12) Input validation error (CVE-ID: CVE-2019-18676)
The vulnerability allows a remote attacker to perform a denial of service attack.
The vulnerability exists due to insufficient validation of user-supplied input when processing URIs. A remote attacker can create a specially crafted link, trick the victim into visiting it, trigger buffer overflow and crash the Squid process.
13) Out-of-bounds read (CVE-ID: CVE-2019-12854)
The vulnerability allows a remote attacker to perform denial of service (DoS) attack.
The vulnerability exists due to a boundary condition when terminating strings in cachemgr.cgi. A remote attacker can a specially crafted request to the affected proxy server, trigger out-of-bounds read error and crash the CGI process, denying access to all users on systems with memory access protections.
14) Out-of-bounds read (CVE-ID: CVE-2019-12529)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition when parsing username in the Proxy-Authorization header during HTTP Basic authentication. A remote attacker can send specially crafted request to the Squid proxy server and retrieve parts of memory contents, if the Squid maintainer had configured the display of usernames on error pages.
15) Out-of-bounds read (CVE-ID: CVE-2019-12528)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition when translating FTP server listing into HTTP responses. A remote attacker can trick the victim into vising a specially crafted FTP server, trigger out-of-bounds read and gain access to memory contents of the heap.
16) Heap-based buffer overflow (CVE-ID: CVE-2019-12526)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing URN requests. A remote attacker can send specially crafted request to the Squid client, trigger heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
17) Missing Authentication for Critical Function (CVE-ID: CVE-2019-12524)
The vulnerability allows a remote attacker to bypass certain security restrictions.
When handling requests from users, Squid checks its rules to see if the request should be denied. Squid by default comes with rules to block access to the Cache Manager, which serves detailed server information meant for the maintainer. This rule is implemented via url_regex. The handler for url_regex rules URL decodes an incoming request. This allows an attacker to encode their URL to bypass the url_regex check, and gain access to the blocked resource.
18) Input validation error (CVE-ID: CVE-2019-12523)
The vulnerability allows a remote attacker to bypass certain security restrictions.
The vulnerability exists due to insufficient validation of user-supplied input when processing URIs. A remote authenticated attacker can add certain characters to the URI, bypass implemented security restrictions and access restricted websites.
Remediation
Install update from vendor's website.