DOE-CIRC TECHNICAL BULLETIN

T-237: Squid Web Proxy Cache Authentication Header Parsing Remote Denial of Service Vulnerability

[CVE-2009-2855]

September 23, 2009 15:00 GMT

PROBLEM: Squid is prone to a remote denial-of-service vulnerability because the proxy server fails to properly parse certain external authentication headers that contain comma delimiters.
PLATFORM: MandrakeSoft, Mandrake Linux Corporate Server 3.0 X86_64, MandrakeSoft, Mandrake Linux Corporate Server 3.0, MandrakeSoft, Mandrake Linux Corporate Server 4.0, MandrakeSoft, Mandrake Linux Corporate Server 4.0 X86_64, MandrakeSoft, Mandrake Multi Network Firewall 2.0, Squid-Cache, Squid 2.7.STABLE3
ABSTRACT: The strListGetItem function in src/HttpHeaderTools.c in Squid 2.7 allows remote attackers to cause a denial of service via a crafted auth header with certain comma delimiters that trigger an infinite loop of calls to the strcspn function.

LINKS:
  DOE-CIRC BULLETIN: http://www.doecirc.energy.gov/bulletins/t-237.shtml
  OTHER LINKS:
    Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=518182
    Debian Bug Reports: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=534982
    X-Force: http://xforce.iss.net/xforce/xfdb/52610

  CVE: CVE-2009-2855

IMPACT ASSESSMENT: The risk is medium. A remote user can cause the target service to enter an infinite loop and consume all available CPU resources.

[***** Start CVE-2009-2855 *****]
Discussion:
Squid is vulnerable to a denial of service caused by an error in the strListGetItem() function when it parses external authentication headers while the external_acl_type configuration option defines a delimiter other than a comma. A remote attacker could exploit this vulnerability via an authentication header containing a comma delimiting character to cause an infinite loop, using readily available networking tools.
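The defect class described above is a delimited-list loop that can fail to advance when the configured delimiter and the bytes in the header disagree. As an added illustration (not Squid's strListGetItem() code and not the vendor patch), the C iterator below parses a header value with a configurable delimiter and enforces a forward-progress invariant, so a value that mixes commas with the configured delimiter is simply returned as one item instead of stalling the loop; the function names next_item, count_items and item_at and the sample header values are constructed for this example.

```c
#include <assert.h>
#include <string.h>
/* Next item of a `del`-separated list from *pos: returns 1 and moves *pos past
 * the item and its delimiter, or 0 at end of input.  Every successful call
 * leaves *pos strictly beyond where it started (checked by the assert). */
static int next_item(const char **pos, char del, const char **item, size_t *ilen)
{
    const char *p = *pos;
    const char skip[4] = { ' ', '\t', del, '\0' };  /* leading junk to drop */
    const char stop[2] = { del, '\0' };             /* where an item ends */
    p += strspn(p, skip);                           /* skip blanks and empty items */
    if (*p == '\0') { *pos = p; return 0; }
    *item = p;
    p += strcspn(p, stop);            /* *p is neither del nor NUL here, so >= 1 */
    *ilen = (size_t)(p - *item);
    while (*ilen > 0 && ((*item)[*ilen - 1] == ' ' || (*item)[*ilen - 1] == '\t'))
        (*ilen)--;                    /* trim trailing whitespace */
    if (*p != '\0')
        p++;                          /* consume the delimiter (never the NUL) */
    assert(p > *pos);                 /* progress invariant: no spinning in place */
    *pos = p;
    return 1;
}
/* Number of non-empty items in `list` when split on `del`. */
size_t count_items(const char *list, char del)
{
    const char *pos = list, *item;
    size_t ilen, n = 0;
    while (next_item(&pos, del, &item, &ilen))
        n++;
    return n;
}
/* Copy item `idx` (0-based) into buf, NUL-terminated; returns 1 if it exists. */
int item_at(const char *list, char del, size_t idx, char *buf, size_t buflen)
{
    const char *pos = list, *item;
    size_t ilen;
    while (buflen > 0 && next_item(&pos, del, &item, &ilen)) {
        if (idx-- > 0) continue;
        ilen = ilen < buflen ? ilen : buflen - 1;   /* truncate rather than overflow */
        memcpy(buf, item, ilen);
        buf[ilen] = '\0';
        return 1;
    }
    return 0;
}
```

With delimiter ';' the constructed value "user=alice,admin; group=ops; realm=corp" yields three items and the embedded comma stays inside the first one; with ',' it yields two, and in neither case can the loop fail to terminate.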

Vulnerable:
* MandrakeSoft, Mandrake Linux Corporate Server 3.0 X86_64
* MandrakeSoft, Mandrake Linux Corporate Server 3.0
* MandrakeSoft, Mandrake Linux Corporate Server 4.0
* MandrakeSoft, Mandrake Linux Corporate Server 4.0 X86_64
* MandrakeSoft, Mandrake Multi Network Firewall 2.0
* Squid-Cache, Squid 2.7.STABLE3

Solution:
Updates are available. Please see the references for more information.

MandrakeSoft Corporate Server 4.0

* Mandriva squid-2.6.STABLE1-4.6.20060mlcs4.i586.rpm
http://www.mandriva.com/en/download/

* Mandriva squid-cachemgr-2.6.STABLE1-4.6.20060mlcs4.i586.rpm
http://www.mandriva.com/en/download/

MandrakeSoft Multi Network Firewall 2.0

* Mandriva squid-2.5.STABLE9-1.10.C30mdk.i586.rpm
http://www.mandriva.com/en/download/

MandrakeSoft Corporate Server 3.0 x86_64

* Mandriva squid-2.5.STABLE9-1.10.C30mdk.x86_64.rpm
http://www.mandriva.com/en/download/

MandrakeSoft Corporate Server 3.0

* Mandriva squid-2.5.STABLE9-1.10.C30mdk.i586.rpm
http://www.mandriva.com/en/download/

MandrakeSoft Corporate Server 4.0 x86_64

* Mandriva squid-2.6.STABLE1-4.6.20060mlcs4.x86_64.rpm
http://www.mandriva.com/en/download/

* Mandriva squid-cachemgr-2.6.STABLE1-4.6.20060mlcs4.x86_64.rpm
http://www.mandriva.com/en/download/

[***** End CVE-2009-2855 *****]

DOE-CIRC services are available to DOE, DOE Contractors, and the NIH. DOE-CIRC can be contacted at:
    Voice:          866-941-2472
    E-mail:          doecirc@doecirc.energy.gov
    World Wide Web:  http://www.doecirc.energy.gov


UCRL-MI-119788