SB2020051116 - Debian update for squid

Description

This security bulletin contains information about 14 secuirty vulnerabilities.

1) Out-of-bounds write (CVE-ID: CVE-2019-12519)

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a boundary error when handling the tag esi:when within ESIExpression::Evaluate. A remote attacker can pass specially crafted data to the application, trigger out-of-bounds write and execute arbitrary code on the target system.

2) Input validation error (CVE-ID: CVE-2019-12520)

The vulnerability allows a remote attacker to perform cache poisoning.

The vulnerability exists due to insufficient validation of user-supplied input within ESI. When receiving a request, Squid checks its cache to see if it can serve up a response. It does this by making a MD5 hash of the absolute URL of the request. If found, it servers the request. The absolute URL can include the decoded UserInfo (username and password) for certain protocols. This decoded info is prepended to the domain. This allows an attacker to provide a username that has special characters to delimit the domain, and treat the rest of the URL as a path or query string. An attacker could first make a request to their domain using an encoded username, then when a request for the target domain comes in that decodes to the exact URL, it will serve the attacker's HTML instead of the real HTML. On Squid servers that also act as reverse proxies, this allows an attacker to gain access to features that only reverse proxies can use, such as ESI.

3) Out-of-bounds write (CVE-ID: CVE-2019-12521)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error when processing untrusted input. When Squid is parsing ESI, it keeps the ESI elements in ESIContext. ESIContext contains a buffer for holding a stack of ESIElements. When a new ESIElement is parsed, it is added via addStackElement. addStackElement has a check for the number of elements in this buffer, but it's off by 1, leading to a Heap Overflow of 1 element. The overflow is within the same structure so it can't affect adjacent memory blocks, and thus just leads to a crash while processing.

4) Input validation error (CVE-ID: CVE-2019-12523)

The vulnerability allows a remote attacker to bypass certain security restrictions.

The vulnerability exists due to insufficient validation of user-supplied input when processing URIs. A remote authenticated attacker can add certain characters to the URI, bypass implemented security restrictions and access restricted websites.

5) Missing Authentication for Critical Function (CVE-ID: CVE-2019-12524)

The vulnerability allows a remote attacker to bypass certain security restrictions.

When handling requests from users, Squid checks its rules to see if the request should be denied. Squid by default comes with rules to block access to the Cache Manager, which serves detailed server information meant for the maintainer. This rule is implemented via url_regex. The handler for url_regex rules URL decodes an incoming request. This allows an attacker to encode their URL to bypass the url_regex check, and gain access to the blocked resource.

6) Heap-based buffer overflow (CVE-ID: CVE-2019-12526)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing URN requests. A remote attacker can send specially crafted request to the Squid client, trigger heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

7) Out-of-bounds read (CVE-ID: CVE-2019-12528)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition when translating FTP server listing into HTTP responses. A remote attacker can trick the victim into vising a specially crafted FTP server, trigger out-of-bounds read and gain access to memory contents of the heap.

8) Input validation error (CVE-ID: CVE-2019-18676)

The vulnerability allows a remote attacker to perform a denial of service attack.

The vulnerability exists due to insufficient validation of user-supplied input when processing URIs. A remote attacker can create a specially crafted link, trick the victim into visiting it, trigger buffer overflow and crash the Squid process.

9) Cross-site request forgery (CVE-ID: CVE-2019-18677)

The vulnerability allows a remote attacker to perform cross-site request forgery attacks.

The vulnerability exists due to insufficient validation of the HTTP request origin, when Squid is configured with the append_domain option. A remote attacker can trick the victim to visit a specially crafted web page and redirect victim's traffic to a third-party domain.

10) Inconsistent interpretation of HTTP requests (CVE-ID: CVE-2019-18678)

The vulnerability allows a remote attacker to perform HTTP request smuggling attack.

The vulnerability exists due to insufficient validation of HTTP request headers in Squid. A remote attacker can initiate a specially crafted HTTP request that will cause the software to split HTTP request and display to the end user content, controlled by the attacker at arbitrary URL.

11) Information disclosure (CVE-ID: CVE-2019-18679)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to incorrect data management when processing HTTP Digest Authentication. Nonce tokens contain the raw byte value of a pointer which sits within heap memory allocation. This allows a remote attacker to gain knowledge of memory allocations and bypass ASLR protection and help in exploitation of other vulnerabilities.

12) Input validation error (CVE-ID: CVE-2020-8449)

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to insufficient validation of user-supplied input when processing HTTP requests. A remote attacker can send a specially crafted HTTP request, bypass configured security filters and gain access to certain server resources.

13) Buffer overflow (CVE-ID: CVE-2020-8450)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing HTTP requests, when Squid is acting as a reverse proxy. A remote attacker can send a specially crafted HTTP request to the affected proxy server, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

14) Integer overflow (CVE-ID: CVE-2020-11945)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to integer overflow when processing HTTP Digest Authentication tokens, if memory pooling is disabled. A remote attacker can pass a specially crafted authentication nonce and execute arbitrary code on the server through the free'd nonce credentials.

In case memory pooling is enabled, a remote attacker can replay a sniffed Digest Authentication nonce to gain access  to resources that are otherwise forbidden.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Remediation

Install update from vendor's website.

References

• https://www.debian.org/security/2020/dsa-4682