Bug 1770356 (CVE-2019-12526) - CVE-2019-12526 squid: Heap overflow issue in URN processing
Summary: CVE-2019-12526 squid: Heap overflow issue in URN processing
Status: CLOSED ERRATA
Alias: CVE-2019-12526
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
Depends On: 1770357 1771263 1771264
Blocks: 1770358
Reported: 2019-11-08 19:50 UTC by Pedro Sampaio
Modified: 2023-03-24 15:57 UTC

Fixed In Version: squid 4.9
Doc Text:
A heap-based buffer overflow was found in the way squid processed certain Uniform Resource Names (URNs). A remote attacker could use this flaw to cause Squid to crash or execute arbitrary code with the permissions of the user running Squid.
Last Closed: 2020-11-04 02:22:59 UTC

Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:4743 0 None None None 2020-11-04 03:31:21 UTC

Description Pedro Sampaio 2019-11-08 19:50:22 UTC
Due to incorrect buffer management Squid is vulnerable to a heap overflow and possible remote code execution attack when processing URN.

References:

http://www.squid-cache.org/Advisories/SQUID-2019_7.txt

Comment 1 Pedro Sampaio 2019-11-08 19:50:36 UTC
Created squid tracking bugs for this issue:

Affects: fedora-all [bug 1770357]

Comment 2 Huzaifa S. Sidhpurwala 2019-11-12 04:53:18 UTC
External References:

http://www.squid-cache.org/Advisories/SQUID-2019_7.txt

Comment 3 Huzaifa S. Sidhpurwala 2019-11-12 04:53:21 UTC
Mitigation:

The following mitigation is suggested by upstream:

Deny urn: protocol URI being proxied to all clients:
~~~
    acl URN proto URN
    http_access deny URN
~~~
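
Squid evaluates http_access rules in order and acts on the first match, so the deny rule from the mitigation above only helps if it comes before any allow rule that a urn: request could hit. The following is an added example, not part of the bug report or of Squid: a small Python audit of squid.conf text. The function name `urn_mitigation_status`, the sample configurations and the simplified parsing (`#` starts a comment anywhere on a line, `include` files are not followed) are assumptions made for illustration.

```python
# Added example: audit squid.conf text for the URN-deny mitigation.
# Assumptions: "#" starts a comment anywhere on a line (simplified parsing)
# and "include" directives are not followed.

def urn_mitigation_status(conf_text):
    """Return (status, detail); status is 'mitigated', 'review' or 'missing'."""
    urn_acls = set()   # names of ACLs of type proto that list URN
    rules = []         # http_access rules in file order: (line_no, action, acls)
    for no, raw in enumerate(conf_text.splitlines(), 1):
        tok = raw.split("#", 1)[0].split()
        if len(tok) >= 4 and tok[0] == "acl" and tok[2] == "proto":
            if any(v.upper() == "URN" for v in tok[3:]):
                urn_acls.add(tok[1])
        elif len(tok) >= 3 and tok[0] == "http_access":
            rules.append((no, tok[1], tok[2:]))
    if not urn_acls:
        return "missing", "no 'acl <name> proto URN' line"
    earlier_allow = None
    for no, action, acls in rules:
        # A deny naming only the URN ACL matches every urn: request.
        if action == "deny" and len(acls) == 1 and acls[0] in urn_acls:
            if earlier_allow is None:
                return "mitigated", f"URN denied at line {no} before any allow"
            return "review", f"allow at line {earlier_allow} precedes URN deny at line {no}"
        if action == "allow" and earlier_allow is None:
            earlier_allow = no
    return "missing", "URN ACL defined but no unconditional http_access deny"

# Constructed sample configurations (not from the bug report).
GOOD = """\
acl localnet src 10.0.0.0/8
acl URN proto URN
http_access deny URN
http_access allow localnet
http_access deny all
"""
LATE = """\
acl localnet src 10.0.0.0/8
acl URN proto URN
http_access allow localnet
http_access deny URN
http_access deny all
"""
NONE = "acl localnet src 10.0.0.0/8\nhttp_access allow localnet\nhttp_access deny all\n"

if __name__ == "__main__":
    for name, conf in (("GOOD", GOOD), ("LATE", LATE), ("NONE", NONE)):
        print(name, urn_mitigation_status(conf))
```

A `review` result means an allow rule sits ahead of the deny; whether that allow can match a urn: request depends on its own ACLs, so it needs a manual look.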

Comment 4 Huzaifa S. Sidhpurwala 2019-11-12 05:05:49 UTC
Analysis:

This is a heap-based buffer overflow, which can be triggered by a malicious client. The client can overwrite a substantial amount of heap, potentially causing squid to crash or even execute arbitrary code with the permissions of the user running squid (normally the squid user, which is non-privileged). Also, on Red Hat products, squid is confined with SELinux, which should reduce the possibilities of code execution.

Because of the above-mentioned difficulties in exploitation, Red Hat Product Security has classified this flaw as having Moderate impact.

Comment 5 Huzaifa S. Sidhpurwala 2019-11-12 05:05:52 UTC
Statement:

This is a heap-based buffer overflow, which can be triggered by a malicious client. The client can overwrite a substantial amount of heap, potentially causing squid to crash or even execute arbitrary code with the permissions of the user running squid (normally the squid user, which is non-privileged). Also, on Red Hat products, squid is confined with SELinux, which should reduce the possibilities of code execution.

Because of the above-mentioned difficulties in exploitation, Red Hat Product Security has classified this flaw as having Moderate impact.

Comment 8 Product Security DevOps Team 2020-11-04 02:22:59 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-12526

Comment 9 errata-xmlrpc 2020-11-04 03:31:19 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4743 https://access.redhat.com/errata/RHSA-2020:4743

