Bug 1216496 (CVE-2023-5824)

Summary: VUL-0: CVE-2023-5824: squid: Multiple issues in HTTP response caching (SQUID-2023:2)
Product: [Novell Products] SUSE Security Incidents Reporter: Alexander Bergmann <abergmann>
Component: IncidentsAssignee: Adam Majer <amajer>
Status: NEW --- QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: abergmann
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/382741/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-5824:9.6:(AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H)
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Alexander Bergmann 2023-10-23 11:49:05 UTC 
https://github.com/squid-cache/squid/security/advisories/GHSA-543m-w2m2-g255

Package: squid
Affected versions: < 6.4
Patched versions: 6.4

Description:
Due to an Improper Handling of Structural Elements bug Squid is vulnerable to a Denial of Service attack against HTTP and HTTPS clients.

Due to an Incomplete Filtering of Special Elements bug Squid is vulnerable to a Denial of Service attack against HTTP and HTTPS clients.

Severity:
The limits applied for validation of HTTP Response headers are applied before caching. Different limits may be in place at the later cache HIT usage of that response.

The limits applied for validation of HTTP Response headers are applied to each received server response. Squid may grow a cached HTTP Response header with HTTP 304 updates beyond the configured maximum header size.

Subsequent parsing to de-serialize a large header from disk cache can stall or crash the worker process. Resulting in Denial of Service to all clients using the proxy.

CVSS Score of 9.6
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H&version=3.1

Updated Packages:
This bug is fixed by Squid version 6.4.

In addition, patches addressing this problem for the stable
releases can be found in our patch archives:

Squid 6:
http://www.squid-cache.org/Versions/v6/SQUID-2023_2.patch

If you are using a prepackaged version of Squid then please refer
to the package vendor for availability information on updated
packages.

Determining if your version is vulnerable:
Squid older than v5 have not been tested and are presumed
vulnerable.

Squid v5.x up to and including 5.9 are vulnerable.

Squid v6.x up to and including 6.3 are vulnerable.

Workaround:
Disable disk caching by removing all cache_dir directives from
squid.conf.
Comment 1 Alexander Bergmann 2023-10-25 15:21:11 UTC 
There is currently no patch for v5 and previous. The v6 patch introduced quite some code changes that prevents, without a deep understanding of the code, a simple backport.

However, the original blog post states that "Of course, such ‘attacks’ are completely theoretical and are only considered for entertainment purposes." [1]

We will keep this bug open until a defined solution was published. In the meantime, if you are unsure about the implications, consider to remove all the cache_dir directives from your configuration.

References:
[1] https://megamansec.github.io/Squid-Security-Audit/cache-headers.html
Comment 2 Alexander Bergmann 2023-10-27 13:53:17 UTC 
CVE-2023-5824 was assigned to this issue.
Comment 3 OBSbugzilla Bot 2023-11-02 11:15:04 UTC 
This is an autogenerated message for OBS integration:
This bug (1216496) was mentioned in
https://build.opensuse.org/request/show/1122203 Factory / squid