Bug 1134209 (CVE-2014-3609) - CVE-2014-3609 squid: assertion failure in Range header processing (SQUID-2014:2)
Summary: CVE-2014-3609 squid: assertion failure in Range header processing (SQUID-2014:2)
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2014-3609
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1134658 1134933 1134934 1134936 1134937 1134976 1134977
Blocks: 1134214
TreeView+ depends on / blocked
 
Reported: 2014-08-27 06:47 UTC by Murray McAllister
Modified: 2023-05-12 04:53 UTC (History)
4 users (show)

Fixed In Version: squid 3.4.7, squid 3.3.13
Doc Type: Bug Fix
Doc Text:
A flaw was found in the way Squid handled malformed HTTP Range headers. A remote attacker able to send HTTP requests to the Squid proxy could use this flaw to crash Squid.
Clone Of:
Environment:
Last Closed: 2014-09-04 08:01:51 UTC
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2014:1147 0 normal SHIPPED_LIVE Important: squid security update 2014-09-03 22:45:21 UTC
Red Hat Product Errata RHSA-2014:1148 0 normal SHIPPED_LIVE Important: squid security update 2014-09-03 21:43:04 UTC

Description Murray McAllister 2014-08-27 06:47:49 UTC
A denial of service flaw was found in Squid's Range header processing. An attacker could send crafted requests that would cause Squid to crash with an assertion.

A patch is available from the following:

http://www.squid-cache.org/Versions/v3/3.HEAD/changesets/squid-3-13555.patch

For a workaround, upstream says to add the following to squid.conf above any "http_access allow" lines:

 acl validRange req_header Range \
  ^bytes=([0-9]+\-[0-9]*|\-[0-9]+)(,([0-9]+\-[0-9]*|\-[0-9]+))*$

 acl validRange req_header Request-Range \
  ^bytes=([0-9]+\-[0-9]*|\-[0-9]+)(,([0-9]+\-[0-9]*|\-[0-9]+))*$

 http_access deny !validRange

External References:

http://www.squid-cache.org/Advisories/SQUID-2014_2.txt

Acknowledgements:

Red Hat would like to thank the Squid project for reporting this issue. Upstream acknowledges Matthew Daley as the original reporter.

Comment 2 Murray McAllister 2014-08-28 04:02:11 UTC
This issue is public now:

http://www.squid-cache.org/Advisories/

Comment 3 Murray McAllister 2014-08-28 04:04:39 UTC
Created squid tracking bugs for this issue:

Affects: fedora-all [bug 1134658]

Comment 4 Tomas Hoger 2014-08-28 09:35:15 UTC
Upstream commit:
http://bazaar.launchpad.net/~squid/squid/trunk/revision/13555

Comment 5 Tomas Hoger 2014-08-28 12:38:04 UTC
This issue causes squid to exit unexpectedly with an assertion failure after processing the malformed Range HTTP header.  Terminated child process is re-spawned shortly by the master process, causing temporary service unavailability.  If attacker is able to trigger these crashes frequently, they can cause squid to exit after multiple repeated restarts, causing a full service DoS.

In addition to 3.x versions still supported upstream, this also affects older 2.x versions, such as the version shipped in Red Hat Enterprise Linux 5.  The workaround from the upstream advisory (noted in comment 0) can also be used with the squid version shipped with Red Hat Enterprise Linux 5 to mitigate this issue.

Comment 11 Martin Prpič 2014-09-03 08:27:49 UTC
IssueDescription:

A flaw was found in the way Squid handled malformed HTTP Range headers. A remote attacker able to send HTTP requests to the Squid proxy could use this flaw to crash Squid.

Comment 12 errata-xmlrpc 2014-09-03 17:43:21 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6

Via RHSA-2014:1148 https://rhn.redhat.com/errata/RHSA-2014-1148.html

Comment 13 errata-xmlrpc 2014-09-03 18:45:40 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 7

Via RHSA-2014:1147 https://rhn.redhat.com/errata/RHSA-2014-1147.html

Comment 14 Fedora Update System 2014-09-05 22:21:15 UTC
squid-3.3.13-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 15 Fedora Update System 2014-09-10 13:26:11 UTC
squid-3.3.13-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 16 Fedora Update System 2014-09-23 04:45:38 UTC
squid-3.4.7-1.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.