Bug 1139715 (CVE-2014-7141) - CVE-2014-7141 squid: pinger OOB array index flaw in handling of ICMP replies (SQUID-2014:4)
Summary: CVE-2014-7141 squid: pinger OOB array index flaw in handling of ICMP replies ...
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2014-7141
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1139721
Blocks: 1139719
TreeView+ depends on / blocked
 
Reported: 2014-09-09 13:49 UTC by Vasyl Kaigorodov
Modified: 2021-02-17 06:14 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-09-10 19:14:24 UTC


Attachments (Terms of Use)

Description Vasyl Kaigorodov 2014-09-09 13:49:20 UTC
It was discovered [1] that pinger code that checks for nodes being alive doesn't
properly validate ICMP and ICMPv6 replies, in particular icmp6 types which are used to index into a string array. This could cause crashes when the index is OOB.

CVE reuqested at [1] too, and a patch is available at [2].

It looks like you can only DoS the pinger sub-system, not the whole squid though.

[1]: http://seclists.org/oss-sec/2014/q3/539
[2]: https://bugzilla.novell.com/show_bug.cgi?id=891268

Comment 1 Vasyl Kaigorodov 2014-09-09 13:52:00 UTC
Created squid tracking bugs for this issue:

Affects: fedora-all [bug 1139721]

Comment 2 Tomas Hoger 2014-09-10 19:14:24 UTC
This issue affects handling of ICMPv6 replies.  The code uses an ICMP type value from the received packet, ands the value with 0x7f (i.e. limiting the value to 127) and uses the result as index to icmp6HighPktStr[] or icmp6LowPktStr[] array when generating debug message.

http://bazaar.launchpad.net/~squid/squid/trunk/view/13573/src/icmp/Icmp6.cc#L293

Those are static .bss arrays with 33 or 10 times respectively:

http://bazaar.launchpad.net/~squid/squid/trunk/view/13573/src/icmp/Icmp6.cc#L51

leading to an out-of-bounds read.  Maximum overread is 127-10 * sizeof(char*).  This may lead to crash if reaches unmapped memory.

Affected code was first introduced in Squid 3, hence Squid 2 versions (shipped with Red Hat Enterprise Linux 5 and earlier) are not affected.

This problem exists in the source of the squid packages shipped in Red Hat Enterprise Linux 6 and 7, and current Fedora.  However, it is not built.  It is only built when building program called "pinger".  This program is not built or included in squid packages in Red Hat Enterprise Linux or Fedora.  Also, as the crash can only affect external program, not the main Squid process, it is unclear if it could have any security impact at all.

Statement:

This issue did not affect the versions of squid as shipped with Red Hat Enterprise Linux 5, 6, and 7 as they do not provide the vulnerable program "pinger".

Comment 3 Tomas Hoger 2014-09-18 20:35:20 UTC
(In reply to Tomas Hoger from comment #2)
> This issue affects handling of ICMPv6 replies.

There is actually similar bug in the ICMP(v4) handling code:

http://bazaar.launchpad.net/~squid/squid/trunk/view/13573/src/icmp/Icmp4.cc#L248
http://bazaar.launchpad.net/~squid/squid/trunk/view/13573/src/icmp/Icmp4.cc#L44

icmpPktStr[] is an array with 18 items, while icmp_type used as index to this array is an 8-bit value that is taken form the received packet without further validation, leading to overread of up to (256-18) * sizeof(char*).

Unlike the issue in the ICMPv6 code, ICMPv4 issue exists in Squid 2.x versions.  However, as noted above, it is only used by the pinger program not included in squid packages in Red Hat Enterprise Linux or Fedora.

Comment 4 Tomas Hoger 2014-09-22 13:03:21 UTC
Upstream commit:

http://bazaar.launchpad.net/~squid/squid/trunk/revision/13583

Comment 5 Vasyl Kaigorodov 2014-09-23 08:52:57 UTC
2 CVEs were assigned to this issue at http://seclists.org/oss-sec/2014/q3/626 :

> > 1. "used to index into a string array" possibly corresponds to
> > http://cwe.mitre.org/data/definitions/129.html [Open URL] for the modified
> > default case after case 136, and approximately two other places in the
> > patch
>
> Use CVE-2014-7141.
>
> > 3. added "if (preply.psize) < 0" code apparently corresponds to a more
> > general issue with missing data validation
>
> Use CVE-2014-7142.

Comment 6 Murray McAllister 2014-10-01 06:18:11 UTC
External References:

http://www.squid-cache.org/Advisories/SQUID-2014_4.txt

Comment 7 Tomas Hoger 2014-10-01 08:23:27 UTC
(In reply to Vasyl Kaigorodov from comment #5)
> > > 3. added "if (preply.psize) < 0" code apparently corresponds to a more
> > > general issue with missing data validation
> >
> > Use CVE-2014-7142.

The CVE-2014-7142 does not belong here, this bug only covers CVE-2014-7141.

Comment 8 Vincent Danen 2014-10-02 13:31:15 UTC
See bug #1148832 for information on CVE-2014-7142.


Note You need to log in before you can comment on or make changes to this bug.