Bug 1139715 (CVE-2014-7141)

Summary: CVE-2014-7141 squid: pinger OOB array index flaw in handling of ICMP replies (SQUID-2014:4)
Product: [Other] Security Response
Reporter: Vasyl Kaigorodov <vkaigoro>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: low
Priority: low
Version: unspecified
CC: carnil, henrik, jonathansteffan, mluscon, psimerda, thozza
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2014-09-10 19:14:24 UTC
Bug Depends On: 1139721
Bug Blocks: 1139719

Description Vasyl Kaigorodov 2014-09-09 13:49:20 UTC
It was discovered [1] that pinger code that checks for nodes being alive doesn't
properly validate ICMP and ICMPv6 replies, in particular icmp6 types which are used to index into a string array. This could cause crashes when the index is OOB.

CVE requested at [1] too, and a patch is available at [2].

It looks like you can only DoS the pinger sub-system, not the whole squid though.

[1]: http://seclists.org/oss-sec/2014/q3/539
[2]: https://bugzilla.novell.com/show_bug.cgi?id=891268

Comment 1 Vasyl Kaigorodov 2014-09-09 13:52:00 UTC
Created squid tracking bugs for this issue:

Affects: fedora-all [bug 1139721]

Comment 2 Tomas Hoger 2014-09-10 19:14:24 UTC
This issue affects handling of ICMPv6 replies.  The code uses an ICMP type value from the received packet, ands the value with 0x7f (i.e. limiting the value to 127) and uses the result as index to icmp6HighPktStr[] or icmp6LowPktStr[] array when generating debug message.

http://bazaar.launchpad.net/~squid/squid/trunk/view/13573/src/icmp/Icmp6.cc#L293

Those are static .bss arrays with 33 or 10 items respectively:

http://bazaar.launchpad.net/~squid/squid/trunk/view/13573/src/icmp/Icmp6.cc#L51

leading to an out-of-bounds read.  Maximum overread is 127-10 * sizeof(char*).  This may lead to a crash if it reaches unmapped memory.

Affected code was first introduced in Squid 3, hence Squid 2 versions (shipped with Red Hat Enterprise Linux 5 and earlier) are not affected.

This problem exists in the source of the squid packages shipped in Red Hat Enterprise Linux 6 and 7, and current Fedora.  However, it is not built.  It is only built when building a program called "pinger".  This program is not built or included in squid packages in Red Hat Enterprise Linux or Fedora.  Also, as the crash can only affect an external program, not the main Squid process, it is unclear if it could have any security impact at all.

Statement:

This issue did not affect the versions of squid as shipped with Red Hat Enterprise Linux 5, 6, and 7 as they do not provide the vulnerable program "pinger".

Comment 3 Tomas Hoger 2014-09-18 20:35:20 UTC
(In reply to Tomas Hoger from comment #2)
> This issue affects handling of ICMPv6 replies.

There is actually a similar bug in the ICMP(v4) handling code:

http://bazaar.launchpad.net/~squid/squid/trunk/view/13573/src/icmp/Icmp4.cc#L248
http://bazaar.launchpad.net/~squid/squid/trunk/view/13573/src/icmp/Icmp4.cc#L44

icmpPktStr[] is an array with 18 items, while icmp_type used as index to this array is an 8-bit value that is taken from the received packet without further validation, leading to overread of up to (256-18) * sizeof(char*).

Unlike the issue in the ICMPv6 code, the ICMPv4 issue exists in Squid 2.x versions.  However, as noted above, it is only used by the pinger program, which is not included in squid packages in Red Hat Enterprise Linux or Fedora.
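As an added illustration of the two index flaws described in comments 2 and 3 (not code from Squid or from this bug report), the model below uses the table sizes given there (18 for icmpPktStr[], 33 and 10 for the ICMPv6 tables) with placeholder contents, and contrasts the unchecked index computation with a bounds-checked lookup. The rule that types >= 128 select the "high" ICMPv6 table is an assumption made here, not something the bug states.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of the lookups described in comments 2 and 3; table sizes are
   the ones reported there, table contents are placeholders, not Squid's strings. */
#define ICMP4_STR_COUNT      18   /* icmpPktStr[]      (comment 3) */
#define ICMP6_HIGH_STR_COUNT 33   /* icmp6HighPktStr[] (comment 2) */
#define ICMP6_LOW_STR_COUNT  10   /* icmp6LowPktStr[]  (comment 2) */

static const char *const icmp4_str[ICMP4_STR_COUNT] = {
    [0] = "Echo Reply", [3] = "Destination Unreachable", [8] = "Echo",
    [11] = "Time Exceeded", [17] = "Out of Range Type",   /* others left NULL */
};

/* The flawed pattern: the 8-bit type from the wire is used as the index directly
   (ICMPv4), or masked with 0x7f (ICMPv6), which still allows indices up to 127. */
int icmp4_index_unchecked(uint8_t type) { return type; }
int icmp6_index_unchecked(uint8_t type) { return type & 0x7f; }

/* Hardened: the index is accepted only when it lies inside the table, else -1. */
int icmp4_index_checked(uint8_t type) {
    return type < ICMP4_STR_COUNT ? (int)type : -1;
}

/* Assumption (not stated in the bug): types >= 128 select the "high" table, the
   rest the "low" table, matching the ICMPv6 error/informational split. */
int icmp6_uses_high_table(uint8_t type) { return type >= 128; }

int icmp6_index_checked(uint8_t type) {
    int idx = type & 0x7f;
    int limit = icmp6_uses_high_table(type) ? ICMP6_HIGH_STR_COUNT
                                            : ICMP6_LOW_STR_COUNT;
    return idx < limit ? idx : -1;
}

/* Safe name lookup for debug messages: an out-of-range or unnamed type yields
   a fixed fallback string instead of a read past the end of the array. */
const char *icmp4_type_name(uint8_t type) {
    int idx = icmp4_index_checked(type);
    if (idx < 0 || icmp4_str[idx] == NULL)
        return "Out of Range Type";
    return icmp4_str[idx];
}
```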

Comment 4 Tomas Hoger 2014-09-22 13:03:21 UTC
Upstream commit:

http://bazaar.launchpad.net/~squid/squid/trunk/revision/13583

Comment 5 Vasyl Kaigorodov 2014-09-23 08:52:57 UTC
2 CVEs were assigned to this issue at http://seclists.org/oss-sec/2014/q3/626 :

> > 1. "used to index into a string array" possibly corresponds to
> > http://cwe.mitre.org/data/definitions/129.html [Open URL] for the modified
> > default case after case 136, and approximately two other places in the
> > patch
>
> Use CVE-2014-7141.
>
> > 3. added "if (preply.psize) < 0" code apparently corresponds to a more
> > general issue with missing data validation
>
> Use CVE-2014-7142.

Comment 6 Murray McAllister 2014-10-01 06:18:11 UTC
External References:

http://www.squid-cache.org/Advisories/SQUID-2014_4.txt

Comment 7 Tomas Hoger 2014-10-01 08:23:27 UTC
(In reply to Vasyl Kaigorodov from comment #5)
> > > 3. added "if (preply.psize) < 0" code apparently corresponds to a more
> > > general issue with missing data validation
> >
> > Use CVE-2014-7142.

CVE-2014-7142 does not belong here; this bug only covers CVE-2014-7141.

Comment 8 Vincent Danen 2014-10-02 13:31:15 UTC
See bug #1148832 for information on CVE-2014-7142.