Bug 1113669 (CVE-2018-19132)

Summary: VUL-0: CVE-2018-19132: squid: small memory leak in processing of SNMP packets
Product: [Novell Products] SUSE Security Incidents Reporter: Karol Babioch <karol>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Major    
Priority: P3 - Medium CC: atoptsoglou, gniebler, wolfgang.frisch
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/218198/
Whiteboard: CVSSv3:SUSE:CVE-2018-19132:7.5:(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Karol Babioch 2018-10-29 08:10:38 UTC 
* A small memory leak (CWE-400, CWE-401, CWE-772) in processing of SNMP
packets can be abused by remote attackers to consume large amounts of
memory over a short time.

Under testing this lead to Squid crashing and direct denial of service
to clients using the proxy. Also, in Linux environments with default
virtual memory allocation policies it lead to complete consumption of
the machines available memory and denial of service to other
applications using the same server. In these latter situations a hard
restart of the server may be necessary to recover.

Affected versions:
 Squid 3.2.0.10 -> 3.5.28
 Squid 4.x -> 4.3

Squid 3.2.0.9 and older (including Squid-2.x) are not vulnerable.

This issue is limited to Squid receiving SNMP traffic. So builds using
--disable-snmp are not at all vulnerable.

Builds not configured to receive SNMP (default, absent, or '0' values
for snmp_port) are not immediately vulnerable, but may becomes so with
simple configuration changes.


The patch for Squid-3.5 should apply relatively cleanly to all v3.x
affected versions.

<http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-bc9786119f058a76ddf0625424bc33d36460b9a2.patch>

<http://www.squid-cache.org/Versions/v4/changesets/squid-4-983c5c36e5f109512ed1af38a329d0b5d0967498.patch>

<http://www.squid-cache.org/Versions/v5/changesets/squid-5-644131ff1e00c1895d77561f561d29c104ba6b11.patch>

<http://www.squid-cache.org/Advisories/SQUID-2018_5.txt>
Comment 1 Adam Majer 2018-10-29 12:47:47 UTC 
Fixes ready, pending CVE numbers.
Comment 2 Karol Babioch 2018-11-09 09:32:26 UTC 
Requested CVE Mitre, let's see if they are willing to assign one for this, since nothing is happening on the DWF front.
Comment 3 Karol Babioch 2018-11-09 10:18:00 UTC 
Mitre has assigned CVE-2018-19132 for this.
Comment 6 Adam Majer 2018-11-09 16:13:06 UTC 
Fixes submitted to all affected codestreams. Reassigning to security team
Comment 7 Swamp Workflow Management 2018-11-15 17:10:37 UTC 
SUSE-SU-2018:3771-1: An update that solves two vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 1082318,1112066,1112695,1113668,1113669
CVE References: CVE-2018-19131,CVE-2018-19132
Sources used:
SUSE Linux Enterprise Server 12-SP3 (src):    squid-3.5.21-26.12.1
Comment 8 Swamp Workflow Management 2018-11-16 20:18:33 UTC 
SUSE-SU-2018:3786-1: An update that solves two vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 1082318,1112066,1112695,1113668,1113669
CVE References: CVE-2018-19131,CVE-2018-19132
Sources used:
SUSE Linux Enterprise Module for Server Applications 15 (src):    squid-4.4-5.3.2
Comment 9 Swamp Workflow Management 2018-11-20 20:21:52 UTC 
openSUSE-SU-2018:3818-1: An update that solves two vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 1082318,1112066,1112695,1113668,1113669
CVE References: CVE-2018-19131,CVE-2018-19132
Sources used:
openSUSE Leap 15.0 (src):    squid-4.4-lp150.4.3.2
Comment 10 Swamp Workflow Management 2018-11-20 20:26:27 UTC 
openSUSE-SU-2018:3825-1: An update that solves two vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 1082318,1112066,1112695,1113668,1113669
CVE References: CVE-2018-19131,CVE-2018-19132
Sources used:
openSUSE Leap 42.3 (src):    squid-3.5.21-18.1
Comment 11 Swamp Workflow Management 2018-12-07 11:15:33 UTC 
SUSE-SU-2018:3771-2: An update that solves two vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 1082318,1112066,1112695,1113668,1113669
CVE References: CVE-2018-19131,CVE-2018-19132
Sources used:
SUSE Linux Enterprise Server 12-SP4 (src):    squid-3.5.21-26.12.1
Comment 12 Swamp Workflow Management 2019-05-08 11:30:30 UTC 
This is an autogenerated message for OBS integration:
This bug (1113669) was mentioned in
https://build.opensuse.org/request/show/701549 Factory / squid
Comment 14 Wolfgang Frisch 2020-10-19 16:08:23 UTC 
SLE12 has reached its end-of-life.
Resolved.