Bug 556389 (CVE-2010-0308, SQUID-2010:1)

Summary: CVE-2010-0308 squid: temporary DoS (assertion failure) triggered by truncated DNS packet (SQUID-2010:1)
Product: [Other] Security Response
Reporter: Tomas Hoger <thoger>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
CC: bressers, henrik, jlieskov, jonathansteffan, jskala, kreilly, ma, rvokal
Target Milestone: ---
Target Release: ---
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2011-07-27 17:38:27 UTC
Bug Depends On: 561743, 561811, 561828
Bug Blocks: 580448

Description Tomas Hoger 2010-01-18 08:30:15 UTC
Fabian Yamaguchi reported at 26C3 a flaw in squid's DNS client code that can lead to a temporary denial of service condition.  A truncated ("header-only") DNS reply packet can cause the squid child process to exit due to an assertion failure in rfc1035NameUnpack (lib/rfc1035.c):

  http://events.ccc.de/congress/2009/Fahrplan/events/3596.en.html
  (see slide 70)

The parent squid process will spawn a new child process, so such an abort will only result in temporary service unavailability.

Upstream patches, which should be included in the next releases:
  http://west.squid-cache.org/Versions/v3/HEAD/changesets/squid-3-10235.patch
  http://west.squid-cache.org/Versions/v2/HEAD/changesets/12597.patch
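The failure described above is a classic one for a hand-written RFC 1035 decoder: the name unpacker trusts the QDCOUNT/ANCOUNT fields in the 12-byte header and starts reading label bytes that a truncated reply never carries. The following is an added example, not squid's own lib/rfc1035.c code or the upstream patch: a bounds-checked name decoder plus a minimal reply parser that turns every "not enough bytes" condition into an error return rather than an assertion, exercised against three constructed packets (a complete reply, a header-only reply with QDCOUNT=1, and a reply cut off in the middle of a label). The function and error names are chosen for this example.

```c
/* Added example: bounds-checked RFC 1035 reply parsing (not squid code). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DNS_HDR_LEN 12

/* Status codes are assumed names defined for this example only. */
enum { DNS_OK = 0, DNS_ERR_TRUNCATED = -1, DNS_ERR_BADNAME = -2,
       DNS_ERR_NOTRESPONSE = -3, DNS_ERR_FORMAT = -4 };

/*
 * Decode one name starting at *off into dotted text (namelen includes NUL).
 * Every read is checked against len, and compression pointers are limited
 * to 16 hops so a looping pointer cannot hang the parser.  On success *off
 * is advanced past the name as it appears in the wire record.
 */
static int dns_name_unpack(const uint8_t *buf, size_t len, size_t *off,
                           char *name, size_t namelen)
{
    size_t pos = *off, out = 0, resume = 0;
    int jumped = 0, hops = 0;

    for (;;) {
        if (pos >= len)
            return DNS_ERR_TRUNCATED;          /* label length byte missing */
        uint8_t c = buf[pos++];
        if ((c & 0xC0) == 0xC0) {             /* compression pointer */
            if (pos >= len)
                return DNS_ERR_TRUNCATED;      /* second pointer byte missing */
            size_t target = ((size_t)(c & 0x3F) << 8) | buf[pos++];
            if (target >= len || ++hops > 16)
                return DNS_ERR_BADNAME;
            if (!jumped) { resume = pos; jumped = 1; }
            pos = target;
            continue;
        }
        if (c & 0xC0)
            return DNS_ERR_BADNAME;            /* 0x40/0x80 are reserved */
        if (c == 0)
            break;                             /* root label: name complete */
        if (pos + c > len)
            return DNS_ERR_TRUNCATED;          /* label body cut off */
        if (out + c + 1 >= namelen)
            return DNS_ERR_BADNAME;            /* would overflow caller buffer */
        if (out)
            name[out++] = '.';
        memcpy(name + out, buf + pos, c);
        out += c;
        pos += c;
    }
    name[out] = '\0';
    *off = jumped ? resume : pos;
    return DNS_OK;
}

/* Parse a reply header and its first question; fill id/ancount/qname. */
int dns_parse_reply(const uint8_t *buf, size_t len, uint16_t *id,
                    uint16_t *ancount, char *qname, size_t qnamelen)
{
    if (len < DNS_HDR_LEN)
        return DNS_ERR_TRUNCATED;              /* not even a full header */
    *id = (uint16_t)((buf[0] << 8) | buf[1]);
    if (!(buf[2] & 0x80))
        return DNS_ERR_NOTRESPONSE;            /* QR bit clear: a query */
    uint16_t qdcount = (uint16_t)((buf[4] << 8) | buf[5]);
    *ancount = (uint16_t)((buf[6] << 8) | buf[7]);
    if (qdcount == 0)
        return DNS_ERR_FORMAT;                 /* no question to echo back */
    size_t off = DNS_HDR_LEN;                  /* header-only packet fails here */
    int rc = dns_name_unpack(buf, len, &off, qname, qnamelen);
    if (rc != DNS_OK)
        return rc;
    if (off + 4 > len)
        return DNS_ERR_TRUNCATED;              /* QTYPE/QCLASS missing */
    return DNS_OK;
}

/* Constructed sample packets (not captured traffic), id 0x1234. */
static const uint8_t good_reply[] = {
    0x12,0x34, 0x81,0x80, 0x00,0x01, 0x00,0x01, 0x00,0x00, 0x00,0x00,
    3,'w','w','w', 7,'e','x','a','m','p','l','e', 3,'c','o','m', 0,
    0x00,0x01, 0x00,0x01,                      /* QTYPE A, QCLASS IN */
    0xC0,0x0C, 0x00,0x01, 0x00,0x01, 0x00,0x00,0x0E,0x10, 0x00,0x04,
    0x5D,0xB8,0xD8,0x22                        /* A record, pointer to qname */
};
static const uint8_t header_only[] = {
    0x12,0x34, 0x81,0x80, 0x00,0x01, 0x00,0x00, 0x00,0x00, 0x00,0x00
};
static const uint8_t cut_label[] = {
    0x12,0x34, 0x81,0x80, 0x00,0x01, 0x00,0x00, 0x00,0x00, 0x00,0x00,
    3,'w','w'                                  /* label claims 3 bytes, has 2 */
};

int main(void)
{
    const struct { const char *label; const uint8_t *pkt; size_t len; } c[] = {
        { "good reply",  good_reply,  sizeof good_reply  },
        { "header-only", header_only, sizeof header_only },
        { "cut label",   cut_label,   sizeof cut_label   },
    };
    for (size_t i = 0; i < sizeof c / sizeof c[0]; i++) {
        char name[256]; uint16_t id = 0, an = 0;
        int rc = dns_parse_reply(c[i].pkt, c[i].len, &id, &an, name, sizeof name);
        printf("%-12s rc=%d id=0x%04x ancount=%u qname=%s\n", c[i].label, rc,
               id, an, rc == DNS_OK ? name : "(none)");
    }
    return 0;
}
```

The point of the `pos >= len` and `pos + c > len` checks is that the caller (the reply parser) gets a distinct error for each short read and can simply drop the datagram; with an assertion in their place, the same 12-byte packet takes the whole process down, which is exactly the child-abort behaviour this bug describes.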

Comment 1 Tomas Hoger 2010-01-18 08:42:30 UTC
This issue has a rather limited impact:

- temporary DoS, caused by safe abort(), rather than some memory-corruption crash

- squid does not send DNS requests to arbitrary DNS servers on the Internet; rather it uses the configured (trusted) resolvers, either read from resolv.conf or specified using the dns_nameservers directive

- DNS packets from unknown resolvers are ignored by default (see ignore_unknown_nameservers)

- DNS port selected randomly at (child process) start-up

Therefore, an attacker needs to be able to spoof DNS packets with the source IP address of one of the configured resolvers (unless squid is configured with 'ignore_unknown_nameservers off'), needs to be able to determine or guess squid's outgoing DNS port (a different port is likely to be used by the re-spawned child) and the malicious packet(s) must not get blocked by any firewall.  These conditions should limit the attack to a local network.

Comment 2 Tomas Hoger 2010-01-18 08:53:48 UTC
A few additional clarifications:

- port guessing can be avoided by sending packets to all possible ports

- a host firewall is easily bypassed when spoofing the IP of the configured resolver, which is required to bypass the 'ignore_unknown_nameservers on' default anyway


Possible mitigation:

- using a local (127.0.0.1) caching nameserver and blocking all packets with a loopback source IP address received on non-loopback interfaces

Comment 5 Jan Lieskovsky 2010-02-01 11:37:39 UTC
This issue affects the versions of the squid package, as shipped
with Red Hat Enterprise Linux 3, 4, and 5.

This issue affects the versions of the squid package, as shipped
with Fedora releases 11 and 12.

Comment 6 Jan Lieskovsky 2010-02-02 09:07:42 UTC
This is CVE-2010-0308.

Comment 8 Fedora Update System 2010-02-04 09:07:04 UTC
squid-3.0.STABLE23-1.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/squid-3.0.STABLE23-1.fc11

Comment 9 Fedora Update System 2010-02-04 09:10:55 UTC
squid-3.1.0.16-3.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/squid-3.1.0.16-3.fc12

Comment 10 Henrik Nordström 2010-02-04 09:13:10 UTC
The 3.0 patch has been updated since original release. Correct 3.0 patch is

   http://www.squid-cache.org/Versions/v3/3.0/changesets/squid-3.0-9163.patch

included in 3.0.STABLE23.

Comment 13 Martin Jürgens 2010-02-04 22:15:12 UTC
what about RHEL?

Comment 14 Tomas Hoger 2010-02-05 07:40:27 UTC
(In reply to comment #13)
> what about RHEL?    

https://www.redhat.com/security/data/cve/CVE-2010-0308.html

Issue will be fixed in the future squid updates.  Due to the very limited impact of this issue, immediate update is not planned.

Comment 15 Henrik Nordström 2010-02-06 23:53:41 UTC
F-12 update respun and tracked in Bug #561811

Comment 16 errata-xmlrpc 2010-03-30 08:18:23 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2010:0221 https://rhn.redhat.com/errata/RHSA-2010-0221.html