Bug 1216398

Summary: VUL-0: squid: 55 vulnerabilities and 35 0days
Product: [Novell Products] SUSE Security Incidents Reporter: Alexander Bergmann <abergmann>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: CONFIRMED --- QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: abergmann, amajer, artem.shiliaev, marina.latini, mark.harvey, meissner, oholecek
Version: unspecifiedFlags: amajer: needinfo?
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/382407/
Whiteboard:
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Bug Depends on: 1216400, 1216399    
Bug Blocks:    

Description Alexander Bergmann 2023-10-19 06:40:06 UTC 
https://megamansec.github.io/Squid-Security-Audit/

Squid-Security-Audit
====================
Squid Caching Proxy Security Audit: 55 vulnerabilities and 35 0days

In February 2021, I started looking for vulnerabilities in forward-proxies, and found various issues in Squid. Some more information about what’s here can be found on my blog: https://joshua.hu/squid-security-audit-35-0days-45-exploits

Explanations and reproducers for each of the vulnerabilities are documented in each of the markdown files. IDs are assigned where possible, however since the majority of these remain unfixed, there are no identifiers.

The Squid Team have been helpful and supportive during the process of reporting these issues. However, they are effectively understaffed, and simply do not have the resources to fix the discovered issues. Hammering them with demands to fix the issues won’t get far.

With any system or project, it is important to reguarly review solutions used in your stack to determine whether they are still appropriate. If you are running Squid in an environment which may suffer from any of these issues, then it is up to you to reassess whether Squid is the right solution for your system.

------------------
A detailed list of vulnerabilities can be found via the link above.
Comment 1 Alexander Bergmann 2023-10-19 06:54:55 UTC 
Already fixed issues:

bsc#1185918: CVE-2021-28652: squid,squid3:
SQUID-2021:3 Denial of Service issue in Cache Manager

bsc#1185921: CVE-2021-28651: squid,squid3:
SQUID-2021:1 Denial of Service in URN processing

bsc#1200907: CVE-2021-46784: squid:
DoS when processing gopher server responses

bsc#1185919: CVE-2021-28662: squid,squid3:
SQUID-2021:2 Denial of Service in HTTP Response Processing

bsc#1185916: CVE-2021-31806: squid,squid3:
SQUID-2021:4 Multiple Issues in HTTP Range header

bsc#1186654: CVE-2021-33620: squid:
denial of service in HTTP response processing


New created bugs:

bsc#1216399: CVE-2021-31808: squid:
Integer Overflow in Range Header

bsc#1216400: CVE-2021-31807: squid:
Partial Content Parsing Use-After-Free
Comment 6 Alexander Bergmann 2023-10-23 12:18:31 UTC 
Here are 4 bug reports created from the GitHub Security Advisories (GHSA):

GHSA-2g3c-pg7q-g59w: bsc#1216498: squid: Denial of Service in FTP
GHSA-cg5h-v6vc-w33f: bsc#1216497: squid: Denial of Service in Gopher gateway
GHSA-543m-w2m2-g255: bsc#1216496: squid: Multiple issues in HTTP response 
                                         caching
GHSA-phqj-m8gv-cq4g: bsc#1216495: squid: Denial of Service in HTTP Digest 
                                         Authentication


Plus one extra GHSA that was not part of the 55 vulnerabilities:

GHSA-j83v-w3p4-5cqh: bsc#1216500: squid: Request/Response smuggling in HTTP/1.1 
                                         and ICAP
Comment 7 Artem Shiliaev 2023-11-22 14:02:55 UTC 
From the SUMA perspective, that's a well known vulnerability, we are just consumers of squid from SLE, so we just need to wait.