SB2021051025 - Multiple vulnerabilities in Squid

Description

This security bulletin contains information about 7 secuirty vulnerabilities.

1) Input validation error (CVE-ID: CVE-2021-28651)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient input validation when resolving "urn:" resource identifiers. A remote attacker can trick a user behind the proxy server to click on a specially crafted "urn:" link that leads to a server under attacker's control and force Squid to consume arbitrarily large amounts of memory on the server. 

2) Input validation error (CVE-ID: CVE-2021-28662)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient input validation when processing HTTP responses. A remote attacker who controls a malicious web page can send specially crafted HTTP response and perform a denial of service attack against the proxy server. The issue trigger is a header which can be expected to exist in HTTP traffic without any malicious intent by the server.

3) Memory leak (CVE-ID: CVE-2021-28652)

The vulnerability allows a remote client to perform DoS attack on the target system.

The vulnerability exists due memory leak due to incorrect parser validation in Cache Manager API. A remote trusted client with Cache Manager API access privilege can perform denial of service attack.

4) Input validation error (CVE-ID: CVE-2021-31806)

The vulnerability allows a remote client to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input when performing HTTP Range requests. A remote proxy client can send specially crafted HTTP request via the proxy server  and perform a denial of service (DoS) attack.

5) Integer overflow (CVE-ID: CVE-2021-31808)

The vulnerability allows a remote client to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input when delivering responses from HTTP Range requests. A remote proxy client can send specially crafted HTTP request via the proxy server, force the server to initiate a necessary response, trigger integer overflow in Squid and perform a denial of service (DoS) attack.

6) Input validation error (CVE-ID: N/A)

The vulnerability allows a remote client to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input when delivering HTTP Response messages. A remote client can visit a specially crafted webpage and perform a denial of service (DoS) attack.

7) Resource management error (CVE-ID: CVE-2021-31807)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper management of memory within the application when processing HTTP Range header. A remote attacker can pass specially crafted data to the application and perform a denial of service (DoS) attack.

Remediation

Install update from vendor's website.

References

• https://github.com/squid-cache/squid/security/advisories/GHSA-ch36-9jhx-phm4/
• https://github.com/squid-cache/squid/security/advisories/GHSA-jjq6-mh2h-g39h/
• https://github.com/squid-cache/squid/security/advisories/GHSA-m47m-9hvw-7447/
• https://github.com/squid-cache/squid/security/advisories/GHSA-pxwq-f3qr-w2xf/
• https://github.com/squid-cache/squid/security/advisories/GHSA-572g-rvwr-6c7f/
• https://security.gentoo.org/glsa/202105-14
• https://github.com/squid-cache/squid/security/advisories/GHSA-pxwq-f3qr-w2xf