Bug 1199518 (CVE-2015-0881)

Summary: CVE-2015-0881 squid: CRLF injection flaw permitting HTTP response splitting attacks
Product: [Other] Security Response
Reporter: Martin Prpič <mprpic>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: henrik, jonathansteffan, mluscon, psimerda, thozza
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: squid 3.1.1
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-03-06 14:44:04 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Martin Prpič 2015-03-06 14:43:37 UTC
A CRLF injection flaw was found in Squid that could allow remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a specially crafted header in a response.

Note that the initial report of this issue was submitted to upstream in 2009. Only Squid 1.x, 2.x, and 3.0 releases are vulnerable.

Additional information:

https://jvn.jp/en/jp/JVN64455813/index.html

Upstream Patch:

http://www.squid-cache.org/Versions/v3/3.1/changesets/b9619.patch

Comment 1 Martin Prpič 2015-03-06 14:44:04 UTC
Statement:

This issue did not affect the versions of squid as shipped with Red Hat Enterprise Linux 6 and 7. Red Hat Enterprise Linux 6 ships version 3.1.10 and Red Hat Enterprise Linux 7 ships version 3.3.8 of squid, both of which include the fix for this issue.

Red Hat Enterprise Linux 5 is now in Production 3 Phase of the support and maintenance life cycle. This has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.

Comment 2 Martin Prpič 2015-04-03 10:34:07 UTC
The root cause of this issue is that Squid read more than Content-Length bytes from a request and sent back everything that was received, even beyond what was specified in the Content-Length header. For example, a redirect request with a Content-Length header set to "0" could include an HTML body that would not be parsed, and would be directly sent in the response. This could be used by an attacker to split the response and include arbitrary HTML in the second response, poison the cache with this response, and potentially conduct other attacks such as CSRF or XSS.

The flaw was fixed by truncating response bodies to what is specified in the Content-Length header. This assures that requests that specify a correct content length cannot be used to carry other arbitrary content that may not be parsed. The code introduced a truncateVirginBody() function that handles this.

On RHEL 5, which includes Squid version 2.6, this function is missing and responses are not truncated. Thus, RHEL 5 is affected by this flaw. There is currently no known workaround for this issue besides patching Squid with the patch linked to in comment #0.

RHEL 6.0 shipped with Squid version 3.1.4, in which this flaw was already fixed and the code contains the truncateVirginBody() function that prevents the exploitation of this issue. Similarly, RHEL 7.0 was shipped with 3.3.8 in which this flaw has already been fixed as well.
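The body-length check described in comment 2, as an added example that is not Squid's code: a toy pass-through relay in its pre-fix form (every received byte is forwarded) beside the fixed form, which keeps at most Content-Length body bytes, mirroring what truncateVirginBody() does. The message parser is deliberately minimal (no chunked encoding or header folding), and the sample message is constructed for the example.

```python
# Added example (not Squid's code): the Content-Length truncation that Squid
# 3.1's truncateVirginBody() introduced, modelled on a tiny relay function.
# Parsing is simplified: no chunked transfer coding, no folded headers.

CRLF = b"\r\n"


def split_message(raw: bytes):
    """Split a raw HTTP message into (head incl. blank line, headers, body)."""
    head, sep, body = raw.partition(CRLF + CRLF)
    if not sep:
        raise ValueError("incomplete header block")
    headers = {}
    for line in head.split(CRLF)[1:]:          # skip the start line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return head + sep, headers, body


def declared_length(headers):
    """Content-Length as an int, or None when absent or not a plain integer."""
    value = headers.get(b"content-length")
    return int(value) if value is not None and value.isdigit() else None


def excess_body_bytes(raw: bytes) -> int:
    """Count received body bytes that lie beyond the declared Content-Length."""
    _, headers, body = split_message(raw)
    length = declared_length(headers)
    return max(0, len(body) - length) if length is not None else 0


def forward_unchecked(raw: bytes) -> bytes:
    """Pre-fix behaviour: relay everything received, Content-Length ignored."""
    return raw


def forward_truncated(raw: bytes) -> bytes:
    """Fixed behaviour: relay at most Content-Length body bytes."""
    head, headers, body = split_message(raw)
    length = declared_length(headers)
    if length is not None:
        body = body[:length]
    return head + body


# Constructed sample: a redirect that declares an empty body but arrives with
# trailing HTML, the shape of message the bug report describes.
TRAILING = b"<html>unparsed trailing body</html>"
SAMPLE = (b"HTTP/1.1 302 Found" + CRLF + b"Location: http://example.test/" + CRLF
          + b"Content-Length: 0" + CRLF + CRLF + TRAILING)

if __name__ == "__main__":
    print("bytes beyond Content-Length:", excess_body_bytes(SAMPLE))
    print("relayed after fix:", forward_truncated(SAMPLE))
```

Running excess_body_bytes() over relayed messages is also a cheap check for whether an upstream is sending more than it declares.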