Bug 1240741 (CVE-2015-5400)

Summary: CVE-2015-5400 squid: information disclosure due to incorrect handling of peer responses in tunnel.cc (SQUID-2015:2)
Product: [Other] Security Response
Reporter: Vasyl Kaigorodov <vkaigoro>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
CC: carnil, henrik, jonathansteffan, luhliari, psimerda, thozza
Target Milestone: ---
Keywords: Reopened, Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: Squid 3.5.6
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-08-19 11:41:04 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1240744, 1253284
Bug Blocks: 1240743

Description Vasyl Kaigorodov 2015-07-07 15:58:22 UTC
Quoting the original report at http://seclists.org/oss-sec/2015/q3/37:
"""
Due to incorrect handling of peer responses in a hierarchy of 2 or
more proxies remote clients (or scripts run on a client) are able to
gain unrestricted access through a gateway proxy to its backend proxy.

If the two proxies have differing levels of security this could lead
to authentication bypass or unprivileged access to supposedly secure
resources.

All Squid up to and including 3.5.5 are vulnerable.
"""

Upstream patches:
Squid 3.1:
http://www.squid-cache.org/Versions/v3/3.1/changesets/squid-3.1-10494.patch
Squid 3.4:
http://www.squid-cache.org/Versions/v3/3.4/changesets/squid-3.4-13225.patch
Squid 3.5:
http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-13856.patch


External References:

http://www.squid-cache.org/Advisories/SQUID-2015_2.txt

Comment 1 Vasyl Kaigorodov 2015-07-07 16:00:35 UTC
Created squid tracking bugs for this issue:

Affects: fedora-all [bug 1240744]

Comment 4 Stefan Cornelius 2015-07-31 10:34:49 UTC
Quick check to see if your system is affected:
If squid.conf (/etc/squid/squid.conf) does *not* contain "cache_peer" you are *not* affected by this issue.

The default RHEL squid.conf files are not affected.

Squid upstream lists some workarounds in their advisory [1]. However, please note that the currently described workarounds do not appear to offer complete protection (certain settings like "never_direct allow all" may override the workaround, leaving the system in a vulnerable state).

[1] http://www.squid-cache.org/Advisories/SQUID-2015_2.txt
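A read-only script that applies the quick check from Comment 4 to a squid.conf, written here as an added example (it is not part of the bug report, of Red Hat's tooling, or of Squid upstream). It reports whether any active `cache_peer` directive is present and, if so, whether `never_direct allow all` is also set, the setting Comment 4 notes may override the advisory's workarounds. The three configuration samples are constructed for the demonstration and the `/etc/squid/squid.conf` path is taken from Comment 4; the sample file paths and peer hostname are assumptions.

```shell
#!/bin/sh
# Added example, not part of the bug report or of Squid: a read-only check that
# applies Comment 4 to a squid.conf. The configuration samples below are
# constructed for the demonstration; file paths and hostnames are assumptions.

# classify_squid_conf FILE
# Prints exactly one token:
#   NOT_AFFECTED           no active cache_peer directive (stock RHEL files look like this)
#   PEER_CONFIGURED        cache_peer present: upgrade to Squid 3.5.6+ or apply the advisory workarounds
#   PEER_AND_NEVER_DIRECT  cache_peer present and "never_direct allow all" set, which Comment 4
#                          notes may override the advisory's workarounds
classify_squid_conf() {
    conf="$1"
    # Drop comments (full-line and trailing) and blank lines first, so a
    # commented-out "#cache_peer ..." line does not produce a false positive.
    active=$(sed -e 's/#.*$//' -e '/^[[:space:]]*$/d' "$conf")
    if ! printf '%s\n' "$active" | grep -Eq '^[[:space:]]*cache_peer[[:space:]]'; then
        echo NOT_AFFECTED
    elif printf '%s\n' "$active" | grep -Eq '^[[:space:]]*never_direct[[:space:]]+allow[[:space:]]+all([[:space:]]|$)'; then
        echo PEER_AND_NEVER_DIRECT
    else
        echo PEER_CONFIGURED
    fi
}

# report FILE: human-readable verdict for one configuration file
report() {
    case "$(classify_squid_conf "$1")" in
        NOT_AFFECTED)
            echo "$1: no cache_peer directive, not affected by CVE-2015-5400" ;;
        PEER_CONFIGURED)
            echo "$1: cache_peer configured, affected unless Squid is 3.5.6 or later" ;;
        PEER_AND_NEVER_DIRECT)
            echo "$1: cache_peer plus 'never_direct allow all', advisory workarounds may be overridden" ;;
    esac
}

# --- constructed sample configurations (not real deployments) ---
SAMPLE_DIR=$(mktemp -d)
SAMPLE_DEFAULT="$SAMPLE_DIR/default.conf"
SAMPLE_PEER="$SAMPLE_DIR/gateway.conf"
SAMPLE_OVERRIDE="$SAMPLE_DIR/gateway-never-direct.conf"

# Like a stock configuration: the only cache_peer line is commented out.
cat >"$SAMPLE_DEFAULT" <<'EOF'
http_port 3128
# cache_peer backend.example.internal parent 3128 0 no-query
http_access allow localhost
EOF

# A gateway proxy forwarding to a backend peer (the affected topology).
cat >"$SAMPLE_PEER" <<'EOF'
http_port 3128
cache_peer backend.example.internal parent 3128 0 no-query
http_access allow localhost
EOF

# Same topology, but every request is forced through the parent.
cat >"$SAMPLE_OVERRIDE" <<'EOF'
http_port 3128
cache_peer backend.example.internal parent 3128 0 no-query
never_direct allow all   # force all traffic via the parent
http_access allow localhost
EOF

# Check the samples, then the live file if it exists (RHEL path from Comment 4).
for f in "$SAMPLE_DEFAULT" "$SAMPLE_PEER" "$SAMPLE_OVERRIDE"; do
    report "$f"
done
if [ -r /etc/squid/squid.conf ]; then
    report /etc/squid/squid.conf
fi
```

The check only reads the configuration; it does not decide whether the installed Squid already carries the fix, so a `PEER_CONFIGURED` verdict on a 3.5.6 or patched distribution package is a prompt to verify the package version, not a finding on its own. Included configuration files (`include` directives) are not followed, so run it against each file that can define a peer.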

Comment 9 Fedora Update System 2016-05-06 19:54:28 UTC
libecap-1.0.0-1.fc22, squid-3.5.10-1.fc22 have been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.