Bug 556389 (CVE-2010-0308, SQUID-2010:1) - CVE-2010-0308 squid: temporary DoS (assertion failure) triggered by truncated DNS packet (SQUID-2010:1)
Summary: CVE-2010-0308 squid: temporary DoS (assertion failure) triggered by truncated...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2010-0308, SQUID-2010:1
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 561743 561811 561828
Blocks: 580448
TreeView+ depends on / blocked
 
Reported: 2010-01-18 08:30 UTC by Tomas Hoger
Modified: 2019-09-29 12:33 UTC (History)
8 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-07-27 17:38:27 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2010:0221 normal SHIPPED_LIVE Low: squid security and bug fix update 2010-03-29 12:32:22 UTC

Description Tomas Hoger 2010-01-18 08:30:15 UTC
Fabian Yamaguchi reported on 26C3 a flaw in squid's DNS client code, that can lead to a temporary denial of service condition.  A truncated ("header-only") DNS reply packet can cause squid child process to exit due to an assertion failure in rfc1035NameUnpack (lib/rfc1035.c):

  http://events.ccc.de/congress/2009/Fahrplan/events/3596.en.html
  (see slide 70)

Parent squid process will spawn a new child process, so such abort will only result in temporary service unavailability.

Upstream patches, which should be included in the next releases:
  http://west.squid-cache.org/Versions/v3/HEAD/changesets/squid-3-10235.patch
  http://west.squid-cache.org/Versions/v2/HEAD/changesets/12597.patch

Comment 1 Tomas Hoger 2010-01-18 08:42:30 UTC
This issue has a rather limited impact:

- temporary DoS, caused by safe abort(), rather than some memory-corruption crash

- squid does not send DNS requests to arbitrary DNS servers on the Internet, rather uses configured (trusted) resolvers, either read from resolv.conf or specified using dns_nameservers directive

- DNS packets from unknown resolvers are ignored by default (see ignore_unknown_nameservers)

- DNS port selected randomly at (child process) start-up

Therefore, an attacker needs to be able to spoof DNS packets with the source IP address of one of the configured resolvers (unless squid is configured with 'ignore_unknown_nameservers off'), needs to be able to determine or guess squid's outgoing DNS port (different port is likely to be used by re-spawned child) and the malicious packet(s) must not get blocked by any firewall.  These conditions should limit the attack to a local network.

Comment 2 Tomas Hoger 2010-01-18 08:53:48 UTC
Few additional clarifications:

- port guessing can be avoided by sending packets to all possible ports

- host firewall is easily bypassed when spoofing IP of the configured resolver, which is required to bypass 'ignore_unknown_nameservers on' default anyway


Possible mitigation:

- using local (127.0.0.1) caching nameserver and blocking all packets with loopback source IP address received on non-loopback interfaces

Comment 5 Jan Lieskovsky 2010-02-01 11:37:39 UTC
This issue affects the versions of the squid package, as shipped
with Red Hat Enterprise Linux 3, 4, and 5.

This issue affects the versions of the squid package, as shipped
with Fedora release of 11 and 12.

Comment 6 Jan Lieskovsky 2010-02-02 09:07:42 UTC
This is CVE-2010-0308.

Comment 8 Fedora Update System 2010-02-04 09:07:04 UTC
squid-3.0.STABLE23-1.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/squid-3.0.STABLE23-1.fc11

Comment 9 Fedora Update System 2010-02-04 09:10:55 UTC
squid-3.1.0.16-3.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/squid-3.1.0.16-3.fc12

Comment 10 Henrik Nordström 2010-02-04 09:13:10 UTC
The 3.0 patch has been updated since original release. Correct 3.0 patch is

   http://www.squid-cache.org/Versions/v3/3.0/changesets/squid-3.0-9163.patch

included in 3.0.STABLE23.

Comment 13 Martin Jürgens 2010-02-04 22:15:12 UTC
what about RHEL?

Comment 14 Tomas Hoger 2010-02-05 07:40:27 UTC
(In reply to comment #13)
> what about RHEL?    

https://www.redhat.com/security/data/cve/CVE-2010-0308.html

Issue will be fixed in the future squid updates.  Due to the very limited impact of this issue, immediate update is not planned.

Comment 15 Henrik Nordström 2010-02-06 23:53:41 UTC
F-12 update respun and tracked in Bug #561811

Comment 16 errata-xmlrpc 2010-03-30 08:18:23 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2010:0221 https://rhn.redhat.com/errata/RHSA-2010-0221.html


Note You need to log in before you can comment on or make changes to this bug.