Bug 1134209 (CVE-2014-3609)

Summary: CVE-2014-3609 squid: assertion failure in Range header processing (SQUID-2014:2)
Product: [Other] Security Response Reporter: Murray McAllister <mmcallis>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: jrusnack, psimerda, security-response-team, vdanen
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: squid 3.4.7, squid 3.3.13 Doc Type: Bug Fix
Doc Text:
A flaw was found in the way Squid handled malformed HTTP Range headers. A remote attacker able to send HTTP requests to the Squid proxy could use this flaw to crash Squid.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2014-09-04 08:01:51 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1134658, 1134933, 1134934, 1134936, 1134937, 1134976, 1134977    
Bug Blocks: 1134214    

Description Murray McAllister 2014-08-27 06:47:49 UTC 
A denial of service flaw was found in Squid's Range header processing. An attacker could send crafted requests that would cause Squid to crash with an assertion.

A patch is available from the following:

http://www.squid-cache.org/Versions/v3/3.HEAD/changesets/squid-3-13555.patch

For a workaround, upstream says to add the following to squid.conf above any "http_access allow" lines:

 acl validRange req_header Range \
  ^bytes=([0-9]+\-[0-9]*|\-[0-9]+)(,([0-9]+\-[0-9]*|\-[0-9]+))*$

 acl validRange req_header Request-Range \
  ^bytes=([0-9]+\-[0-9]*|\-[0-9]+)(,([0-9]+\-[0-9]*|\-[0-9]+))*$

 http_access deny !validRange

External References:

http://www.squid-cache.org/Advisories/SQUID-2014_2.txt

Acknowledgements:

Red Hat would like to thank the Squid project for reporting this issue. Upstream acknowledges Matthew Daley as the original reporter.
Comment 2 Murray McAllister 2014-08-28 04:02:11 UTC 
This issue is public now:

http://www.squid-cache.org/Advisories/
Comment 3 Murray McAllister 2014-08-28 04:04:39 UTC 
Created squid tracking bugs for this issue:

Affects: fedora-all [bug 1134658]
Comment 4 Tomas Hoger 2014-08-28 09:35:15 UTC 
Upstream commit:
http://bazaar.launchpad.net/~squid/squid/trunk/revision/13555
Comment 5 Tomas Hoger 2014-08-28 12:38:04 UTC 
This issue causes squid to exit unexpectedly with an assertion failure after processing the malformed Range HTTP header.  Terminated child process is re-spawned shortly by the master process, causing temporary service unavailability.  If attacker is able to trigger these crashes frequently, they can cause squid to exit after multiple repeated restarts, causing a full service DoS.

In addition to 3.x versions still supported upstream, this also affects older 2.x versions, such as the version shipped in Red Hat Enterprise Linux 5.  The workaround from the upstream advisory (noted in comment 0) can also be used with the squid version shipped with Red Hat Enterprise Linux 5 to mitigate this issue.
Comment 11 Martin Prpič 2014-09-03 08:27:49 UTC 
IssueDescription:

A flaw was found in the way Squid handled malformed HTTP Range headers. A remote attacker able to send HTTP requests to the Squid proxy could use this flaw to crash Squid.
Comment 12 errata-xmlrpc 2014-09-03 17:43:21 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6

Via RHSA-2014:1148 https://rhn.redhat.com/errata/RHSA-2014-1148.html
Comment 13 errata-xmlrpc 2014-09-03 18:45:40 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 7

Via RHSA-2014:1147 https://rhn.redhat.com/errata/RHSA-2014-1147.html
Comment 14 Fedora Update System 2014-09-05 22:21:15 UTC 
squid-3.3.13-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 15 Fedora Update System 2014-09-10 13:26:11 UTC 
squid-3.3.13-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 16 Fedora Update System 2014-09-23 04:45:38 UTC 
squid-3.4.7-1.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.