Bug 556389 (CVE-2010-0308, SQUID-2010:1)
Summary: | CVE-2010-0308 squid: temporary DoS (assertion failure) triggered by truncated DNS packet (SQUID-2010:1) | | |
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Tomas Hoger <thoger> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | low | Docs Contact: | |
Priority: | low | | |
Version: | unspecified | CC: | bressers, henrik, jlieskov, jonathansteffan, jskala, kreilly, ma, rvokal |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2011-07-27 17:38:27 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | 561743, 561811, 561828 | | |
Bug Blocks: | 580448 | | |
Description: Tomas Hoger, 2010-01-18 08:30:15 UTC
This issue has a rather limited impact:

- temporary DoS, caused by safe abort(), rather than some memory-corruption crash
- squid does not send DNS requests to arbitrary DNS servers on the Internet, rather uses configured (trusted) resolvers, either read from resolv.conf or specified using the dns_nameservers directive
- DNS packets from unknown resolvers are ignored by default (see ignore_unknown_nameservers)
- DNS port selected randomly at (child process) start-up

Therefore, an attacker needs to be able to spoof DNS packets with the source IP address of one of the configured resolvers (unless squid is configured with 'ignore_unknown_nameservers off'), needs to be able to determine or guess squid's outgoing DNS port (a different port is likely to be used by a re-spawned child) and the malicious packet(s) must not get blocked by any firewall. These conditions should limit the attack to a local network.

A few additional clarifications:

- port guessing can be avoided by sending packets to all possible ports
- host firewall is easily bypassed when spoofing the IP of the configured resolver, which is required to bypass the 'ignore_unknown_nameservers on' default anyway

Possible mitigation:

- using a local (127.0.0.1) caching nameserver and blocking all packets with loopback source IP address received on non-loopback interfaces

Upstream SQUID-2010:1 advisory:
http://www.squid-cache.org/Advisories/SQUID-2010_1.txt

Final patches:

Squid 2.x: http://www.squid-cache.org/Versions/v2/HEAD/changesets/12597.patch
Squid 3.0: http://www.squid-cache.org/Versions/v3/3.0/changesets/squid-3.0-9151.patch
Squid 3.1: http://www.squid-cache.org/Versions/v3/3.1/changesets/squid-3.1-9853.patch

CVE Request:
http://www.openwall.com/lists/oss-security/2010/02/01/3

This issue affects the versions of the squid package, as shipped with Red Hat Enterprise Linux 3, 4, and 5.

This issue affects the versions of the squid package, as shipped with Fedora releases 11 and 12.

This is CVE-2010-0308.
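The two protections the comment above relies on, dropping replies from unconfigured resolvers and refusing a truncated datagram without aborting the process, can be seen together in the small C check below. This is an added example written for this page, not Squid's own DNS code or its fix; the function names (dns_reply_check, dns_header_unpack, dns_name_skip), the resolver list and the sample packets are all constructed for the illustration.

```c
/* Added example, not Squid's code: a defensive acceptance check for a DNS
 * reply mirroring the two protections the comment above describes: replies
 * from a source that is not a configured resolver are dropped (what the
 * ignore_unknown_nameservers default does), and a reply shorter than the
 * fixed RFC 1035 header, or whose question section overruns the datagram,
 * is rejected with an error code instead of an assert() that aborts the
 * process. Names, resolver list and sample packets are constructed here. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define DNS_HEADER_LEN 12   /* RFC 1035 section 4.1.1: fixed 12-byte header */

enum dns_verdict {
    DNS_OK = 0,
    DNS_UNKNOWN_SOURCE,     /* sender is not a configured resolver */
    DNS_TRUNCATED,          /* datagram shorter than the header */
    DNS_NOT_RESPONSE,       /* QR bit clear: this is a query, not a reply */
    DNS_BAD_QUESTION        /* question section overruns the datagram */
};

struct dns_header { uint16_t id, flags, qdcount, ancount, nscount, arcount; };

static uint16_t get16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Unpack the fixed header; returns -1 when the buffer is too short.
 * The length assumption is a check here, never an assert(). */
static int dns_header_unpack(const uint8_t *buf, size_t len, struct dns_header *h)
{
    if (buf == NULL || len < DNS_HEADER_LEN)
        return -1;
    h->id = get16(buf);          h->flags = get16(buf + 2);
    h->qdcount = get16(buf + 4); h->ancount = get16(buf + 6);
    h->nscount = get16(buf + 8); h->arcount = get16(buf + 10);
    return 0;
}

/* Skip one wire-format name at off, checking each label against len.
 * Returns bytes consumed, or -1 if malformed or running off the end.
 * A compression pointer (top two bits set) ends the name after 2 bytes. */
static int dns_name_skip(const uint8_t *buf, size_t len, size_t off)
{
    size_t start = off;
    while (off < len) {
        uint8_t lab = buf[off];
        if ((lab & 0xC0) == 0xC0)
            return (off + 2 <= len) ? (int)(off + 2 - start) : -1;
        if (lab > 63)
            return -1;                      /* illegal label length */
        off += 1 + lab;
        if (lab == 0)
            return (int)(off - start);      /* root label terminates it */
    }
    return -1;
}

enum dns_verdict dns_reply_check(const char *src_ip,
                                 const char *const *resolvers, size_t nres,
                                 const uint8_t *pkt, size_t len)
{
    size_t i, off;
    int known = 0;
    struct dns_header h;

    for (i = 0; i < nres && !known; i++)
        known = (strcmp(src_ip, resolvers[i]) == 0);
    if (!known)
        return DNS_UNKNOWN_SOURCE;
    if (dns_header_unpack(pkt, len, &h) != 0)
        return DNS_TRUNCATED;
    if ((h.flags & 0x8000) == 0)
        return DNS_NOT_RESPONSE;
    /* Each question is a name followed by QTYPE and QCLASS (4 bytes). */
    off = DNS_HEADER_LEN;
    for (i = 0; i < h.qdcount; i++) {
        int n = dns_name_skip(pkt, len, off);
        if (n < 0 || off + (size_t)n + 4 > len)
            return DNS_BAD_QUESTION;
        off += (size_t)n + 4;
    }
    return DNS_OK;
}

/* Constructed samples: two configured resolvers, a well-formed 19-byte reply
 * for the name "a.", and the same reply cut off after 5 bytes. */
static const char *const RESOLVERS[] = { "127.0.0.1", "192.0.2.53" };
static const uint8_t SAMPLE_REPLY[] = {
    0x12, 0x34, 0x81, 0x80, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x01, 'a', 0x00,            /* QNAME "a." */
    0x00, 0x01, 0x00, 0x01      /* QTYPE A, QCLASS IN */
};
static const uint8_t SAMPLE_TRUNCATED[] = { 0x12, 0x34, 0x81, 0x80, 0x00 };

int main(void)
{
    printf("full reply from 127.0.0.1: verdict %d\n",
           dns_reply_check("127.0.0.1", RESOLVERS, 2, SAMPLE_REPLY, sizeof SAMPLE_REPLY));
    printf("truncated reply from 127.0.0.1: verdict %d\n",
           dns_reply_check("127.0.0.1", RESOLVERS, 2, SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED));
    return 0;
}
```

The ordering matters for the threat described above: the source check runs before any parsing, so a datagram from an address that is not in the resolver list never reaches the header code, and the header and question parsers return a verdict on short input rather than asserting, so a spoofed truncated packet that does pass the source check costs one dropped datagram instead of a restarted child process.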
squid-3.0.STABLE23-1.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/squid-3.0.STABLE23-1.fc11

squid-3.1.0.16-3.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/squid-3.1.0.16-3.fc12

The 3.0 patch has been updated since the original release. The correct 3.0 patch is http://www.squid-cache.org/Versions/v3/3.0/changesets/squid-3.0-9163.patch, included in 3.0.STABLE23.

what about RHEL?

(In reply to comment #13)
> what about RHEL?

https://www.redhat.com/security/data/cve/CVE-2010-0308.html

The issue will be fixed in future squid updates. Due to the very limited impact of this issue, an immediate update is not planned.

F-12 update respun and tracked in Bug #561811

This issue has been addressed in the following products:

Red Hat Enterprise Linux 5

Via RHSA-2010:0221 https://rhn.redhat.com/errata/RHSA-2010-0221.html