Bug 1645146 (CVE-2018-19131)

Summary: CVE-2018-19131 squid: Cross-Site Scripting when generating HTTPS response messages about TLS errors
Product: [Other] Security Response
Reporter: Pedro Sampaio <psampaio>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: anon.amish, code, jonathansteffan, luhliari, yozone
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: Squid 4.4, Squid 3.5
Doc Type: If docs needed, set a value
Doc Text:
A Cross-Site Scripting vulnerability was found in Squid in the way X.509 certificate fields are displayed in some error pages. An attacker who controls the certificate of the origin content server could use this flaw to inject script into the Squid-generated error page, which is then executed in the client's browser.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-10-25 22:20:53 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1645147, 1645148, 1651557
Bug Blocks: 1645151

Description Pedro Sampaio 2018-11-01 13:47:01 UTC
Due to incorrect input handling, Squid is vulnerable to a Cross-Site Scripting vulnerability when generating HTTPS response messages about TLS errors.

Upstream advisory:

http://www.squid-cache.org/Advisories/SQUID-2018_4.txt

Upstream patch:

http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-f1657a9decc820f748fa3aff68168d3145258031.patch
http://www.squid-cache.org/Versions/v4/changesets/squid-4-828245b90206602014ce057c3db39fb80fcc4b08.patch

Comment 1 Pedro Sampaio 2018-11-01 13:47:54 UTC
Created squid tracking bugs for this issue:

Affects: fedora-all [bug 1645147]

Comment 4 Riccardo Schirone 2018-11-20 10:25:27 UTC
When Squid produces an ERR_SECURE_CONNECT_FAIL error, the origin content server certificate's information is displayed as part of the error page without proper escaping. An attacker who can control the certificate used on the origin content server and can produce an ERR_SECURE_CONNECT_FAIL error may be able to inject scripting code into the generated page, which will be executed in the client's browser.

Comment 5 Riccardo Schirone 2018-11-20 10:41:13 UTC
Squid on RHEL 6 does not escape the certificate's information properly, but it has no page that uses the "%D" format to print it.

Comment 7 Riccardo Schirone 2018-11-20 10:45:31 UTC
External References:

http://www.squid-cache.org/Advisories/SQUID-2018_4.txt

Comment 8 Riccardo Schirone 2018-11-20 10:45:39 UTC
Mitigation:

Remove the %D error page macro from the ERR_SECURE_CONNECT_FAIL pages found under /usr/share/squid/errors/ and from any custom error pages.
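The expansion described in Comment 4 and the mitigation from Comment 8, as an added example that is not part of this bug report or of Squid's own code. It models Squid's %X error-page macro expansion with a constructed ERR_SECURE_CONNECT_FAIL template fragment and a constructed certificate subject whose CN carries a script payload; the wording of the template, the layout of the %D detail text and the helper names are assumptions, not Squid's. The page is rendered three ways: with verbatim substitution (the pre-fix behaviour Comment 4 describes), with HTML escaping of every substituted value, and with the %D macro removed as Comment 8 recommends.

```python
import html
import re

# Constructed, simplified stand-in for Squid's ERR_SECURE_CONNECT_FAIL
# template. Real Squid templates live under /usr/share/squid/errors/ and use
# the same %X macro style; %D is the "error details" macro named in the bug.
ERR_SECURE_CONNECT_FAIL = """<html><body>
<h2>Failed to establish a secure connection to %I</h2>
<p>The system returned:</p>
<blockquote id="sysmsg"><pre>%D</pre></blockquote>
</body></html>
"""

# Constructed certificate subject as an attacker who controls the origin
# server's certificate could present it: the CN field carries a script payload.
MALICIOUS_SUBJECT = "/CN=<script>alert(document.cookie)</script>/O=Example"

# One-letter macros of the form %X, as used by Squid error templates.
MACRO = re.compile(r"%([A-Za-z])")


def tls_error_details(subject: str, issuer: str, reason: str) -> str:
    """Build the text the %D macro stands for (constructed layout, not Squid's exact wording)."""
    return f"SSL handshake error: {reason}\nSubject: {subject}\nIssuer: {issuer}"


def render_unescaped(template: str, values: dict) -> str:
    """Pre-fix behaviour: macro values are substituted verbatim into the HTML page."""
    return MACRO.sub(lambda m: values.get(m.group(1), m.group(0)), template)


def render_escaped(template: str, values: dict) -> str:
    """Hardened behaviour: every substituted value is HTML-escaped before insertion."""
    return MACRO.sub(
        lambda m: html.escape(values.get(m.group(1), m.group(0)), quote=True),
        template,
    )


def strip_details_macro(template: str) -> str:
    """Mitigation from Comment 8: remove the %D macro from the error page template."""
    return template.replace("%D", "")


def contains_script_tag(page: str) -> bool:
    """Crude check used here to show whether the payload survives as live markup."""
    return "<script" in page.lower()


def demo() -> dict:
    """Render the constructed page three ways and report where the payload survives."""
    values = {
        "I": "203.0.113.10:443",  # constructed origin server address
        "D": tls_error_details(MALICIOUS_SUBJECT, "/CN=Example Issuer",
                               "certificate verify failed"),
    }
    pages = {
        "vulnerable": render_unescaped(ERR_SECURE_CONNECT_FAIL, values),
        "escaped": render_escaped(ERR_SECURE_CONNECT_FAIL, values),
        "mitigated": render_unescaped(strip_details_macro(ERR_SECURE_CONNECT_FAIL), values),
    }
    return {name: contains_script_tag(page) for name, page in pages.items()}


if __name__ == "__main__":
    for name, live in demo().items():
        print(f"{name:10s} script tag reaches browser: {live}")
```

Only the verbatim rendering leaves the payload as live markup. Removing %D also drops the certificate detail the page was meant to show, which is the cost of the mitigation until a fixed release (Squid 4.4 or the fixed 3.5 release listed above) is installed.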