Bug 1264452 - squid: Incorrect message size checking in HTTP Proxy causes DoS
squid: Incorrect message size checking in HTTP Proxy causes DoS
Status: CLOSED NOTABUG
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20150918,repor...
: Security
Depends On: 1264455
Blocks: 1264449
  Show dependency treegraph
 
Reported: 2015-09-18 09:36 EDT by Adam Mariš
Modified: 2015-10-27 10:31 EDT (History)
6 users (show)

See Also:
Fixed In Version: squid 3.5.9
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-10-27 10:31:45 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Upstream patch (16.76 KB, patch)
2015-09-18 09:37 EDT, Adam Mariš
no flags Details | Diff

  None (edit)
Description Adam Mariš 2015-09-18 09:36:43 EDT
Vulnerability in SSL/TLS parser in Squid HTTP Proxy was found caused by incorrect message size checks and assumptions about the existence of TLS extensions in the SSL/TLS handshake message. This can lead to very high CPU consumption (up to and including 'infinite loop' behaviour). Vulnerable versions are 3.5.0.1 to 3.5.8 (inclusive), which are built with OpenSSL and configured for "SSL-Bump" decryption. This can be exploited remotely. Although there is one layer of authorization applied before this processing to check that the client is allowed to use the proxy, the check is considered generally weak.

CVE request:

http://seclists.org/oss-sec/2015/q3/577
Comment 1 Adam Mariš 2015-09-18 09:37:19 EDT
Created attachment 1074919 [details]
Upstream patch
Comment 2 Adam Mariš 2015-09-18 09:38:43 EDT
Created squid tracking bugs for this issue:

Affects: fedora-all [bug 1264455]
Comment 3 Adam Mariš 2015-09-21 08:31:15 EDT
Security Advisory:

http://www.squid-cache.org/Advisories/SQUID-2015_3.txt
Comment 4 Stefan Cornelius 2015-10-27 10:31:45 EDT
I believe this was introduced via:
http://bazaar.launchpad.net/~squid/squid/trunk/revision/14012

This code never made it into RHEL5, 6, or 7.

Statement:

This issue did not affect the versions of squid as shipped with Red Hat Enterprise Linux 5, 6, and 7.

Note You need to log in before you can comment on or make changes to this bug.