Bug 518182 (CVE-2009-2855) - CVE-2009-2855 squid: DoS (100% CPU use) while processing certain external ACL helper HTTP headers
Summary: CVE-2009-2855 squid: DoS (100% CPU use) while processing certain external ACL...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2009-2855
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://www.squid-cache.org/bugs/show_...
Whiteboard:
Duplicates: 509895 (view as bug list)
Depends On: 561828
Blocks:
Reported: 2009-08-19 11:22 UTC by Jan Lieskovsky
Modified: 2021-11-12 19:59 UTC (History)
CC: 6 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-03-31 06:58:59 UTC
Embargoed:




Links
Red Hat Product Errata RHSA-2010:0221 | Private: 0 | Priority: normal | Status: SHIPPED_LIVE | Summary: Low: squid security and bug fix update | Last Updated: 2010-03-29 12:32:22 UTC

Description Jan Lieskovsky 2009-08-19 11:22:25 UTC
A denial of service flaw was found in the way Squid processed
certain external ACL helper HTTP-Header fields (%{header:<delimiter>member}), where <delimiter> is not a comma. A remote attacker could use this flaw
to cause excessive CPU use by issuing such a request to the Squid
server.

Common Vulnerabilities and Exposures assigned an identifier CVE-2009-2855 to
this vulnerability:
------------------------------------------------------------------------------

The strListGetItem function in src/HttpHeaderTools.c in Squid 2.7
allows remote attackers to cause a denial of service via a crafted
auth header with certain comma delimiters that trigger an infinite
loop of calls to the strcspn function.

References:
-----------
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2855
[2] http://www.openwall.com/lists/oss-security/2009/07/20/10
[3] http://www.openwall.com/lists/oss-security/2009/08/03/3
[4] http://www.openwall.com/lists/oss-security/2009/08/04/6
[5] http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=31;filename=diff;att=1;bug=534982
[6] http://www.squid-cache.org/bugs/show_bug.cgi?id=2704
[7] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=534982

Note: The proposed patch from Debian [6] isn't the upstream one.
      Please wait, while upstream confirms it or comes with another
      one.

Upstream bug report:
--------------------

    http://www.squid-cache.org/bugs/show_bug.cgi?id=2541

Comment 1 Henrik Nordström 2009-08-19 11:59:59 UTC
Upstream report updated.

Correction to description: It's not related to auth but the use of external_acl_type %{header:<delimiter>member} where <delimiter> is not a comma. This is most often used for extracting cookie details for use in access controls.

The debian proposed patch is not correct, and was never reported upstream. But there is another patch reported upstream which is on the right track.

Comment 2 Jan Lieskovsky 2009-08-19 12:38:26 UTC
(In reply to comment #1)
> Upstream report updated.

Hello Henrik,
  
  thank you for your prompt reaction. 

> 
> Correction to description: It's not related to auth but the use of
> external_acl_type %{header:<delimiter>member} where <delimiter> is not a comma.
> This is most often used for extracting cookie details for use in access
> controls.

Ok, will find out more background details from the relevant, affected
code and change it.

> 
> The debian proposed patch is not correct, and was never reported upstream. But
> there is another patch reported upstream which is on the right track.  

Which of the two patches is considered to be applied by upstream?:

    http://www.squid-cache.org/bugs/attachment.cgi?id=1854

or the second one:

    http://www.squid-cache.org/bugs/show_bug.cgi?id=2541#c1

Both of them seem to affect not only Squid 2.7 (as mentioned in the CVE
description), but also older versions (I found the same relevant code parts
in squid-2.5.STABLE3, squid-2.5.STABLE14 and also squid-2.6.STABLE21) --
could you confirm?

Also -- is the comma as separator the only problematic case, or should we
consider also handling of "?,", "\", "\\" cases within the patch?

Thanks, Jan.

Comment 3 Henrik Nordström 2009-08-19 15:07:55 UTC
Thanks for the reminder. I hadn't noticed the Debian bug report, and the other report with a patch that is on the right track had a bad subject which made it go unnoticed as well.

As already commented by Alex the suggestion by Amos is not correct. The attachment is more in line with the needed changes. I have not yet studied the code to say if that patch is fine as it is or need cleanup before commit.

The issue affects most Squid versions since that format was introduced in external_acl_type; 2.6 is quite likely affected as well.

Comment 4 Vincent Danen 2009-08-24 14:26:00 UTC
*** Bug 509895 has been marked as a duplicate of this bug. ***

Comment 5 Henrik Nordström 2009-08-24 21:38:27 UTC
A fix for this is available in Squid-2.HEAD since some days. Should backport easily to earlier releases, and will get backported to 2.7 and maybe 2.6 in the next upstream maintenance round.

http://www.squid-cache.org/Versions/v2/HEAD/changesets/12541.patch


A sample test case is as follows:

-- test-helper.sh (executable) ---
#!/bin/sh
# Minimal external ACL helper: answer OK to every lookup line Squid sends.
# Squid still has to format the %{Test:;test} value before it reaches us,
# which is where the looping happens.
while read line; do
  echo OK
done
-- end test-helper.sh

-- squid.conf  (before where access is normally allowed) --
external_acl_type test %{Test:;test} /path/to/test-helper.sh
acl test external test
http_access deny !test
-- end squid.conf --

-- test command --
/usr/bin/squidclient -H "Test: a, b, test=test\n" http://www.squid-cache.org/
-- end test command --

Regards
Henrik
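
The loop the CVE text and comment 1 describe, driven by the header from the test case in comment 5, as an added example. This is an illustrative reconstruction written for this page, not Squid's strListGetItem and not the upstream changeset linked above. It assumes the simplest form of the mechanism the CVE wording gives (the stop set handed to strcspn() still contains ',' regardless of the caller's delimiter, while the loop only consumes that delimiter); whether the real set held further bytes (comment 2 asks about "?,") is not something it settles. The names scan_item, count_items and find_member, the hardcode_comma switch, the progress check that turns the hang into a -1 return, and the sample headers are all this example's own.

```c
#include <stdio.h>
#include <string.h>

/*
 * Illustrative reconstruction (for this page; not Squid's code, not the
 * upstream patch) of a quote-aware list scanner in the style of
 * strListGetItem. It models the failure mode in its simplest form: the byte
 * set handed to strcspn() contains a hardcoded ',' as well as the caller's
 * delimiter `del`, but the loop only ever consumes `del`, so a ',' in the
 * input is a byte nobody steps over and the do/while never advances.
 *
 * hardcode_comma=1 selects that (vulnerable) stop set, 0 the corrected one.
 * Returns 1 with *item/*ilen set, 0 at end of list, or -1 when the loop
 * would make no progress. The real loop has no such check and simply spins
 * (the 100% CPU in the summary); it is added here so the demo terminates.
 * *pos carries scan state between calls and must start as NULL.
 */
static int scan_item(const char *list, char del, int hardcode_comma,
                     const char **item, size_t *ilen, const char **pos)
{
    char stop[2][4] = { { '"', del, 0, 0 },    /* [0]: outside quotes */
                        { '"', '\\', 0, 0 } };  /* [1]: inside quotes  */
    int quoted = 0;

    if (hardcode_comma)
        stop[0][2] = ',';               /* the bug: ',' stops strcspn for any del */

    if (*pos == NULL)
        *pos = list;
    else if (**pos == '\0')
        return 0;
    else
        (*pos)++;                       /* step past the previous delimiter */
    while (**pos == ' ' || **pos == '\t' || **pos == del)
        (*pos)++;                       /* skip whitespace and empty items */
    if (**pos == '\0')
        return 0;
    *item = *pos;
    do {
        const char *before = *pos;
        *pos += strcspn(*pos, stop[quoted]);
        if (**pos == del)
            break;
        if (**pos == '"') {             /* toggle quoting, consume the quote */
            quoted = !quoted;
            (*pos)++;
        }
        if (quoted && **pos == '\\') {  /* consume a backslash escape */
            (*pos)++;
            if (**pos)
                (*pos)++;
        }
        if (*pos == before && **pos)
            return -1;                  /* stopped on a byte no branch consumes */
    } while (**pos);
    *ilen = (size_t)(*pos - *item);
    return 1;
}

/* Number of items the scanner yields, or -1 if it gets stuck. */
static int count_items(const char *list, char del, int hardcode_comma)
{
    const char *item, *pos = NULL;
    size_t ilen;
    int n = 0, rc;

    while ((rc = scan_item(list, del, hardcode_comma, &item, &ilen, &pos)) > 0)
        n++;
    return rc < 0 ? -1 : n;
}

/* Model of %{Header:<del>member}: the value of the "member=value" item
 * (static buffer), "" if there is no such item, NULL if the scanner got stuck. */
static const char *find_member(const char *list, char del, int hardcode_comma,
                               const char *member)
{
    static char value[256];
    const char *item, *pos = NULL;
    size_t ilen, mlen = strlen(member);
    int rc;

    value[0] = '\0';
    while ((rc = scan_item(list, del, hardcode_comma, &item, &ilen, &pos)) > 0) {
        if (ilen > mlen && item[mlen] == '=' && memcmp(item, member, mlen) == 0) {
            size_t vlen = ilen - mlen - 1;
            if (vlen >= sizeof value)
                vlen = sizeof value - 1;
            memcpy(value, item + mlen + 1, vlen);
            value[vlen] = '\0';
            return value;
        }
    }
    return rc < 0 ? NULL : value;
}

int main(void)
{
    /* Constructed inputs: the header from the test case above and a
     * cookie-style header of the kind comment 1 mentions. */
    const char *hdr = "a, b, test=test";
    const char *cookie = "sid=abc; lang=en,fr";

    printf("vulnerable, del ';': %d\n", count_items(hdr, ';', 1));          /* -1 (stuck) */
    printf("fixed,      del ';': %d\n", count_items(hdr, ';', 0));          /* 1 */
    printf("vulnerable, del ',': %d\n", count_items(hdr, ',', 1));          /* 3 */
    printf("fixed, Cookie lang:  %s\n", find_member(cookie, ';', 0, "lang")); /* en,fr */
    return 0;
}
```

With the test-case header, delimiter ';' and the hardcoded-comma stop set, strcspn() halts on the first ',' and nothing ever steps past it, which is the condition the summary reports as 100% CPU. The same header split on ',' tokenizes in both variants, which is why only non-comma delimiters (the cookie extraction case from comment 1) are affected, and a ';'-delimited header with no comma in it also scans correctly in the vulnerable variant, so the trigger is attacker-controlled header content, not configuration alone. The corrected variant here simply leaves ',' out of the stop set; any loop of this shape is also worth guarding with a no-progress check like the one above so a bad byte set degrades to an error instead of a hang.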

Comment 7 Jan Lieskovsky 2009-09-11 13:04:44 UTC
This issue does NOT affect the versions of the Squid package, as shipped
with Red Hat Enterprise Linux 3 and 4.

This issue affects the version of the Squid package, as shipped
with Red Hat Enterprise Linux 5.

This issue does NOT affect the versions of the Squid package, as shipped
with Fedora releases of 10 and 11.

Comment 8 Jan Lieskovsky 2009-09-11 13:06:17 UTC
Official statement from Red Hat Security Response Team regarding this issue:
----------------------------------------------------------------------------

The Red Hat Security Response Team has rated this issue as having low security impact; a future Squid package update may address this flaw in Red Hat Enterprise Linux 5. More information regarding issue severity can be found here:
http://www.redhat.com/security/updates/classification/

Comment 10 errata-xmlrpc 2010-03-30 08:18:19 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2010:0221 https://rhn.redhat.com/errata/RHSA-2010-0221.html
