Bug 1216500 (CVE-2023-46846)

Summary: VUL-0: CVE-2023-46846: squid: Request/Response smuggling in HTTP/1.1 and ICAP (SQUID-2023:1)
Product: [Novell Products] SUSE Security Incidents Reporter: Alexander Bergmann <abergmann>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Critical    
Priority: P3 - Medium CC: abergmann, amajer, rfrohl, stoyan.manolov, thomas.leroy
Version: unspecifiedFlags: rfrohl: needinfo?
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/382744/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-46846:5.9:(AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N)
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Alexander Bergmann 2023-10-23 12:16:52 UTC 
https://github.com/squid-cache/squid/security/advisories/GHSA-j83v-w3p4-5cqh

Package: squid
Affected versions: 2.6-6.3
Patched versions: 6.4

Description:
Due to chunked decoder lenience Squid is vulnerable to Request/Response smuggling attacks when parsing HTTP/1.1 and ICAP messages.

Severity:
This problem allows a remote attacker to perform Request/Response smuggling past firewall and frontend security systems when the upstream server interprets the chunked encoding syntax differently from Squid.

This attack is limited to the HTTP/1.1 and ICAP protocols which support receiving Transfer-Encoding:chunked.

CVSS Score of 9.3
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N&version=3.1

Updated Packages:
This bug is fixed by Squid version 6.4.

In addition, patches addressing this problem for the stable
releases can be found in our patch archives:

Squid 5:
http://www.squid-cache.org/Versions/v5/SQUID-2023_1.patch

Squid 6:
http://www.squid-cache.org/Versions/v6/SQUID-2023_1.patch

If you are using a prepackaged version of Squid then please refer to the package vendor for availability information on updated packages.

Determining if your version is vulnerable:
Squid older than 5.1 have not been tested and should be assumed to be vulnerable.
All Squid-5.x up to and including 5.9 are vulnerable.
All Squid-6.x up to and including 6.3 are vulnerable.

Workaround:
* ICAP issues can be reduced by ensuring only trusted ICAP services are used, 
  with TLS encrypted connections (ICAPS extension).
* There is no workaround for the HTTP Request Smuggling issue.
Comment 1 Thomas Leroy 2023-10-24 14:48:14 UTC 
The fix is likely this commit:
https://github.com/squid-cache/squid/commit/6cfa10d94ca15a764a1d975597d8024582ef19be

All codestreams are affected.

No workaround for HTTP, but the request smuggling can be limited for ICAP by allowing ICAPS only.
Comment 2 Alexander Bergmann 2023-10-27 14:02:31 UTC 
CVE-2023-46846 was added to this issue.
Comment 3 Thomas Leroy 2023-10-30 14:07:26 UTC 
Upstream patches link are accessible this time:
http://www.squid-cache.org/Versions/v5/SQUID-2023_1.patch
http://www.squid-cache.org/Versions/v6/SQUID-2023_1.patch
Comment 5 OBSbugzilla Bot 2023-11-02 11:15:06 UTC 
This is an autogenerated message for OBS integration:
This bug (1216500) was mentioned in
https://build.opensuse.org/request/show/1122203 Factory / squid
Comment 7 Maintenance Automation 2023-11-06 16:30:07 UTC 
SUSE-SU-2023:4381-1: An update that solves four vulnerabilities can now be installed.

Category: security (important)
Bug References: 1216495, 1216498, 1216500, 1216803
CVE References: CVE-2023-46724, CVE-2023-46846, CVE-2023-46847, CVE-2023-46848
Sources used:
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): squid-4.17-4.30.1
SUSE Linux Enterprise Server 12 SP5 (src): squid-4.17-4.30.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): squid-4.17-4.30.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 8 Maintenance Automation 2023-11-06 16:30:11 UTC 
SUSE-SU-2023:4380-1: An update that solves four vulnerabilities can now be installed.

Category: security (important)
Bug References: 1216495, 1216498, 1216500, 1216803
CVE References: CVE-2023-46724, CVE-2023-46846, CVE-2023-46847, CVE-2023-46848
Sources used:
openSUSE Leap 15.4 (src): squid-5.7-150400.3.12.1
openSUSE Leap 15.5 (src): squid-5.7-150400.3.12.1
Server Applications Module 15-SP4 (src): squid-5.7-150400.3.12.1
Server Applications Module 15-SP5 (src): squid-5.7-150400.3.12.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 9 Maintenance Automation 2023-11-08 12:30:02 UTC 
SUSE-SU-2023:4384-1: An update that solves four vulnerabilities can now be installed.

Category: security (important)
Bug References: 1216495, 1216498, 1216500, 1216803
CVE References: CVE-2023-46724, CVE-2023-46846, CVE-2023-46847, CVE-2023-46848
Sources used:
SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (src): squid-4.17-150000.5.38.1
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): squid-4.17-150000.5.38.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): squid-4.17-150000.5.38.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): squid-4.17-150000.5.38.1
SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (src): squid-4.17-150000.5.38.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): squid-4.17-150000.5.38.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): squid-4.17-150000.5.38.1
SUSE Linux Enterprise Server for SAP Applications 15 SP1 (src): squid-4.17-150000.5.38.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): squid-4.17-150000.5.38.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): squid-4.17-150000.5.38.1
SUSE Enterprise Storage 7.1 (src): squid-4.17-150000.5.38.1
SUSE CaaS Platform 4.0 (src): squid-4.17-150000.5.38.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 15 Robert Frohl 2024-03-22 10:51:26 UTC 
done, closing