Due to an incorrect integer overflow protection Squid SSPI and
SMB authentication helpers are vulnerable to a Buffer Overflow
attack.
Severity:
This problem allows a remote client to perform a Denial of
Service attack when Squid is configured to use NTLM or Negotiate
authentication with one of the vulnerable helpers.
This problem allows a remote client to extract sensitive
information from machine memory when Squid is configured to use
NTLM or Negotiate authentication with one of the vulnerable
helpers. The scope of this information includes user credentials
in decrypted forms, and also arbitrary memory areas beyond Squid
and the helper itself.
This attack is limited to authentication helpers built using the
libntlmauth library shipped by Squid.
CVSS Score of 8.2
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:H/E:P/RL:O/RC:C/CR:H/IR:H/AR:H/MAV:X/MAC:X/MPR:X/MUI:X/MS:C/MC:X/MI:L/MA:H&version=3.1
Updated Packages:
This bug is fixed by Squid version 5.7.
In addition, patches addressing this problem for the stable
releases can be found in our patch archives:
Squid 4:
http://www.squid-cache.org/Versions/v4/SQUID-2022_2.patch
Squid 5:
http://www.squid-cache.org/Versions/v5/SQUID-2022_2.patch
If you are using a prepackaged version of Squid then please refer
to the package vendor for availability information on updated
packages.
Determining if your version is vulnerable:
Run this command to view the configured authentication helpers:
(squid -k parse 2>&1) | grep "Processing: auth_param"
Your Squid may be vulnerable if the result contains any of the following:
ntlm_smb_lm_auth
ntlm_sspi_auth
ntlm_fake_auth
negotiate_sspi_auth
All Squid-2.5 up to and including 4.17 have vulnerable helpers.
All Squid-5.x up to and including 5.6 have vulnerable helpers.
Workaround:
Either,
Disable use of the vulnerable authentication scheme.
Or,
Replace the vulnerable helper with an alternative helper for the
same authentication scheme.
Or,
Replace the vulnerable helper binary with one built from an
updated or patched Squid release. The remainder of Squid does not
need updating to fix this.
Contact details for the Squid project:
For installation / upgrade support on binary packaged versions
of Squid: Your first point of contact should be your binary
package vendor.
If you install and build Squid from the original Squid sources
then the [email protected] mailing list is your
primary support point. For subscription details see
http://www.squid-cache.org/Support/mailing-lists.html.
For reporting of non-security bugs in the latest STABLE release
the squid bugzilla database should be used
http://bugs.squid-cache.org/.
For reporting of security sensitive bugs send an email to the
[email protected] mailing list. It's a closed
list (though anyone can post) and security related bug reports
are treated in confidence until the impact has been established.
Credits:
This vulnerability was discovered by LWIC.
Fixed by Amos Jeffries of Treehouse Networks Ltd,
based on patch by LWIC.
Revision history:
2019-03-17 14:24:42 UTC Initial Report
2022-08-08 12:16:43 UTC Fix Released
2022-09-23 05:00:00 UTC Advisory Released
END
Due to an incorrect integer overflow protection Squid SSPI and
SMB authentication helpers are vulnerable to a Buffer Overflow
attack.
Severity:
This problem allows a remote client to perform a Denial of
Service attack when Squid is configured to use NTLM or Negotiate
authentication with one of the vulnerable helpers.
This problem allows a remote client to extract sensitive
information from machine memory when Squid is configured to use
NTLM or Negotiate authentication with one of the vulnerable
helpers. The scope of this information includes user credentials
in decrypted forms, and also arbitrary memory areas beyond Squid
and the helper itself.
This attack is limited to authentication helpers built using the
libntlmauth library shipped by Squid.
CVSS Score of 8.2
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:H/E:P/RL:O/RC:C/CR:H/IR:H/AR:H/MAV:X/MAC:X/MPR:X/MUI:X/MS:C/MC:X/MI:L/MA:H&version=3.1
Updated Packages:
This bug is fixed by Squid version 5.7.
In addition, patches addressing this problem for the stable
releases can be found in our patch archives:
Squid 4:
http://www.squid-cache.org/Versions/v4/SQUID-2022_2.patch
Squid 5:
http://www.squid-cache.org/Versions/v5/SQUID-2022_2.patch
If you are using a prepackaged version of Squid then please refer
to the package vendor for availability information on updated
packages.
Determining if your version is vulnerable:
Run this command to view the configured authentication helpers:
(squid -k parse 2>&1) | grep "Processing: auth_param"
Your Squid may be vulnerable if the result contains any of the following:
ntlm_smb_lm_auth
ntlm_sspi_auth
ntlm_fake_auth
negotiate_sspi_auth
All Squid-2.5 up to and including 4.17 have vulnerable helpers.
All Squid-5.x up to and including 5.6 have vulnerable helpers.
Workaround:
Either,
Disable use of the vulnerable authentication scheme.
Or,
Replace the vulnerable helper with an alternative helper for the
same authentication scheme.
Or,
Replace the vulnerable helper binary with one built from an
updated or patched Squid release. The remainder of Squid does not
need updating to fix this.
Contact details for the Squid project:
For installation / upgrade support on binary packaged versions
of Squid: Your first point of contact should be your binary
package vendor.
If you install and build Squid from the original Squid sources
then the [email protected] mailing list is your
primary support point. For subscription details see
http://www.squid-cache.org/Support/mailing-lists.html.
For reporting of non-security bugs in the latest STABLE release
the squid bugzilla database should be used
http://bugs.squid-cache.org/.
For reporting of security sensitive bugs send an email to the
[email protected] mailing list. It's a closed
list (though anyone can post) and security related bug reports
are treated in confidence until the impact has been established.
Credits:
This vulnerability was discovered by LWIC.
Fixed by Amos Jeffries of Treehouse Networks Ltd,
based on patch by LWIC.
Revision history:
2019-03-17 14:24:42 UTC Initial Report
2022-08-08 12:16:43 UTC Fix Released
2022-09-23 05:00:00 UTC Advisory Released
END