Bug 1770356 (CVE-2019-12526)

Summary: CVE-2019-12526 squid: Heap overflow issue in URN processing
Product: [Other] Security Response
Reporter: Pedro Sampaio <psampaio>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: anon.amish, code, jonathansteffan, luhliari, momran, uwe.knop, yozone
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: squid 4.9
Doc Type: If docs needed, set a value
Doc Text:
A heap-based buffer overflow was found in the way squid processed certain Uniform Resource Names (URNs). A remote attacker could use this flaw to cause Squid to crash or execute arbitrary code with the permissions of the user running Squid.
Last Closed: 2020-11-04 02:22:59 UTC
Bug Depends On: 1770357, 1771263, 1771264
Bug Blocks: 1770358

Description Pedro Sampaio 2019-11-08 19:50:22 UTC
Due to incorrect buffer management, Squid is vulnerable to a heap overflow and a possible remote code execution attack when processing URNs.

References:

http://www.squid-cache.org/Advisories/SQUID-2019_7.txt

Comment 1 Pedro Sampaio 2019-11-08 19:50:36 UTC
Created squid tracking bugs for this issue:

Affects: fedora-all [bug 1770357]

Comment 2 Huzaifa S. Sidhpurwala 2019-11-12 04:53:18 UTC
External References:

http://www.squid-cache.org/Advisories/SQUID-2019_7.txt

Comment 3 Huzaifa S. Sidhpurwala 2019-11-12 04:53:21 UTC
Mitigation:

The following mitigation is suggested by upstream:

Deny urn: protocol URI being proxied to all clients:
~~~
    acl URN proto URN
    http_access deny URN
~~~
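
The mitigation above only takes effect if the deny rule is reached: Squid evaluates http_access lines top to bottom and stops at the first match, so an `http_access deny URN` appended after an `http_access allow localnet` never fires for local clients. The checker below is an added example, not code from this bug report or from the Squid project; it parses the acl and http_access lines of a squid.conf and reports whether an unconditional deny referencing a `proto URN` acl precedes every allow rule. The two sample configurations are constructed for illustration, and the parser ignores `include` directives and acl options such as `-i` (assumptions made to keep the example short).

```python
"""Check that the SQUID-2019_7 URN-deny mitigation in a squid.conf can take effect.

Added example for this page, not code from the bug report or the Squid project.
Squid uses the first matching http_access rule, so `http_access deny URN`
only protects clients if it sits above any `http_access allow` rule that
would match them. `include` directives and acl options are not handled
(an assumption made to keep the example short).
"""


def parse_squid_conf(text):
    """Split squid.conf text into acl definitions and http_access rules.

    Returns (acls, rules): acls maps acl name -> (type, [values]); rules is an
    ordered list of (action, [acl references]). Squid appends values when an
    acl name is defined on several lines, so this does the same.
    """
    acls = {}
    rules = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if parts[0] == 'acl' and len(parts) >= 3:
            name, acl_type, values = parts[1], parts[2], parts[3:]
            acls.setdefault(name, (acl_type, []))[1].extend(values)
        elif parts[0] == 'http_access' and len(parts) >= 2:
            rules.append((parts[1], parts[2:]))
    return acls, rules


def urn_acl_names(acls):
    """Names of `proto` acls matching the urn: scheme (scheme names are case-insensitive)."""
    return {name for name, (acl_type, values) in acls.items()
            if acl_type == 'proto' and any(v.lower() == 'urn' for v in values)}


def check_urn_mitigation(text):
    """Return (ok, reason) for the URN-deny mitigation in a squid.conf.

    ok is True only when an unconditional `http_access deny <urn-acl>` appears
    before the first `http_access allow`. Any earlier allow is reported as a
    problem, because clients it matches never reach the deny.
    """
    acls, rules = parse_squid_conf(text)
    urn_acls = urn_acl_names(acls)
    if not urn_acls:
        return False, 'no "acl <name> proto URN" definition found'
    for idx, (action, refs) in enumerate(rules, start=1):
        if action == 'allow':
            return False, ('http_access allow at rule %d comes before the URN deny; '
                           'clients it matches can still send urn: requests' % idx)
        if action == 'deny' and refs and all(r in urn_acls for r in refs):
            return True, 'unconditional URN deny at rule %d precedes every allow' % idx
        if action == 'deny' and any(r.lstrip('!') in urn_acls for r in refs):
            return False, ('deny at rule %d is conditional on other acls; '
                           'add an unconditional "http_access deny <urn-acl>"' % idx)
    return False, 'URN acl defined but never used in an http_access deny rule'


# Constructed sample configurations, not taken from any real deployment.
CONF_GOOD = """\
acl localnet src 10.0.0.0/8
acl Safe_ports port 80 443
acl URN proto URN
http_access deny !Safe_ports
# mitigation placed before the allow rule, so it is reached for every client
http_access deny URN
http_access allow localnet
http_access deny all
"""

CONF_BAD = """\
acl localnet src 10.0.0.0/8
acl URN proto URN
# this allow matches local clients first, so the deny below is dead for them
http_access allow localnet
http_access deny URN
http_access deny all
"""

if __name__ == '__main__':
    for label, conf in (('good', CONF_GOOD), ('bad', CONF_BAD)):
        ok, reason = check_urn_mitigation(conf)
        print('%s: %s (%s)' % (label, 'OK' if ok else 'NOT mitigated', reason))
```

To check a real deployment, call `check_urn_mitigation(open('/etc/squid/squid.conf').read())`; the check is deliberately conservative and flags any allow rule ahead of the deny, even one that would not match the clients you care about, because reordering the deny to the top of the http_access list is cheap and removes the doubt.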

Comment 4 Huzaifa S. Sidhpurwala 2019-11-12 05:05:49 UTC
Analysis:

This is a heap-based buffer overflow, which can be triggered by a malicious client. The client can overwrite a substantial amount of heap, potentially causing Squid to crash or even execute arbitrary code with the permissions of the user running Squid (normally the squid user, which is non-privileged). Also, on Red Hat products, Squid is confined with SELinux, which should reduce the possibilities of code execution.

Because of the above-mentioned difficulties in exploitation, Red Hat Product Security has classified this flaw as having Moderate impact.

Comment 5 Huzaifa S. Sidhpurwala 2019-11-12 05:05:52 UTC
Statement:

This is a heap-based buffer overflow, which can be triggered by a malicious client. The client can overwrite a substantial amount of heap, potentially causing Squid to crash or even execute arbitrary code with the permissions of the user running Squid (normally the squid user, which is non-privileged). Also, on Red Hat products, Squid is confined with SELinux, which should reduce the possibilities of code execution.

Because of the above-mentioned difficulties in exploitation, Red Hat Product Security has classified this flaw as having Moderate impact.

Comment 8 Product Security DevOps Team 2020-11-04 02:22:59 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-12526

Comment 9 errata-xmlrpc 2020-11-04 03:31:19 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4743 https://access.redhat.com/errata/RHSA-2020:4743