Bug 1240741 (CVE-2015-5400) - CVE-2015-5400 squid: information disclosure due to incorrect handling of peer responses in tunnel.cc (SQUID-2015:2)
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2015-5400
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1240744 1253284
Blocks: 1240743
Reported: 2015-07-07 15:58 UTC by Vasyl Kaigorodov
Modified: 2021-02-17 05:09 UTC

Fixed In Version: Squid 3.5.6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-08-19 11:41:04 UTC
Embargoed:


Description Vasyl Kaigorodov 2015-07-07 15:58:22 UTC
Quoting the original report at http://seclists.org/oss-sec/2015/q3/37:
"""
Due to incorrect handling of peer responses in a hierarchy of 2 or
more proxies remote clients (or scripts run on a client) are able to
gain unrestricted access through a gateway proxy to its backend proxy.

If the two proxies have differing levels of security this could lead
to authentication bypass or unprivileged access to supposedly secure
resources.

All Squid up to and including 3.5.5 are vulnerable.
"""

Upstream patches:
Squid 3.1:
http://www.squid-cache.org/Versions/v3/3.1/changesets/squid-3.1-10494.patch
Squid 3.4:
http://www.squid-cache.org/Versions/v3/3.4/changesets/squid-3.4-13225.patch
Squid 3.5:
http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-13856.patch


External References:

http://www.squid-cache.org/Advisories/SQUID-2015_2.txt

Comment 1 Vasyl Kaigorodov 2015-07-07 16:00:35 UTC
Created squid tracking bugs for this issue:

Affects: fedora-all [bug 1240744]

Comment 4 Stefan Cornelius 2015-07-31 10:34:49 UTC
Quick check to see if your system is affected:
If squid.conf (/etc/squid/squid.conf) does *not* contain "cache_peer" you are *not* affected by this issue.

The default RHEL squid.conf files are not affected.

Squid upstream lists some workarounds in their advisory [1]. However, please note that the currently described workarounds do not appear to offer complete protection (certain settings like "never_direct allow all" may override the workaround, leaving the system in a vulnerable state).

[1] http://www.squid-cache.org/Advisories/SQUID-2015_2.txt
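
The quick check from comment 4, as an added shell example that is not part of the bug report or of Squid: it counts only active `cache_peer` lines (ignoring commented-out lines and `cache_peer_access` on its own, which is this example's reading of the check) and also flags `never_direct allow all`. The function names, return codes and sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage a squid.conf for the CVE-2015-5400 precondition.
# Return codes are this script's own convention:
#   0 no active cache_peer; 1 cache_peer present;
#   2 cache_peer plus "never_direct allow all"; 3 file unreadable.

# Count active (uncommented) lines whose directive and leading arguments
# match the words given, e.g.: count_directive FILE never_direct allow all
count_directive() {
    file=$1; shift
    sed 's/#.*//' "$file" | awk -v want="$*" '
        BEGIN { n = split(want, w, " ") }
        { ok = (NF >= n); for (i = 1; ok && i <= n; i++) if ($i != w[i]) ok = 0
          if (ok) hits++ }
        END { print hits + 0 }'
}

check_squid_conf() {
    conf=${1:-/etc/squid/squid.conf}
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 3; }
    peers=$(count_directive "$conf" cache_peer)
    never=$(count_directive "$conf" never_direct allow all)
    incs=$(count_directive "$conf" include)
    # Files pulled in with "include" are not followed by this example.
    [ "$incs" -eq 0 ] || echo "note: $incs include line(s) not followed; check those files too"
    if [ "$peers" -eq 0 ]; then
        echo "$conf: no active cache_peer directive"
        return 0
    fi
    echo "$conf: $peers active cache_peer directive(s); in scope for CVE-2015-5400"
    if [ "$never" -gt 0 ]; then
        echo "$conf: 'never_direct allow all' is set; advisory workarounds may not hold"
        return 2
    fi
    return 1
}

# Constructed sample configuration (not taken from the bug report).
sample=$(mktemp)
cat > "$sample" <<'EOF'
http_port 3128
# cache_peer old.example.net parent 3128 0
cache_peer backend.example.net parent 3128 0 no-query
never_direct allow all   # force everything through the peer
EOF
check_squid_conf "$sample" || echo "result code: $?"
rm -f "$sample"
```

To check a real system, call `check_squid_conf /etc/squid/squid.conf` after sourcing the functions.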

Comment 9 Fedora Update System 2016-05-06 19:54:28 UTC
libecap-1.0.0-1.fc22, squid-3.5.10-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
