Bug 1216742

Summary: VUL-0: squid: Use-After-Free in Cache Manager Errors
Product: [Novell Products] SUSE Security Incidents
Reporter: Alexander Bergmann <abergmann>
Component: Incidents
Assignee: Adam Majer <amajer>
Status: NEW ---
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: abergmann
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/383650/
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments: Base64 encoded reproducer

Description Alexander Bergmann 2023-10-31 11:42:05 UTC
Created attachment 870536
Base64 encoded reproducer

https://megamansec.github.io/Squid-Security-Audit/cache-uaf.html

Squid-Security-Audit

Use-After-Free in Cache Manager Errors

Squid’s internal ‘CacheManager’ is used by administrators to help debug issues and learn information about Squid’s cache and running statistics. It can be accessed through the general scheme cache_object://, such as cache_object://mycache.example.com/info.

More details are in the Squid security audit.

Reproducer:

You need 2 systems:
- squid (192.168.0.1)
- lynx client (192.168.0.3)

1. Install and start squid on a dedicated system. Add the following 
   configuration lines.

   http_port 2222
   cache allow all
   http_reply_access allow all
   uri_whitespace encode
   http_access allow all
   reply_body_max_size 6000

2. On the squid server run a strace command on the (squid-1) command.

   # strace -f -p <squid-1 PID>

3. Run the following nc command.

   # base64 -d PoC_Cache_Manager_Errors.base64 | nc 192.168.0.1 2222

Now you should see that the (squid-1) process got killed.

--- SIGABRT {si_signo=SIGABRT, si_code=SI_TKILL, si_pid=31952, si_uid=469} ---
+++ killed by SIGABRT (core dumped) +++

Comment 1 Alexander Bergmann 2023-10-31 11:44:38 UTC
Currently there is no patch available.

The access to the Cache Manager port should be restricted and not be available to the public. Please use best practice to limit the access to only authorized persons.
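As an added illustration of the restriction recommended above (example configuration written for this page, not taken from the bug report or from the Squid project), the squid.conf fragment below keeps the reproducer's `http_access allow all` for comparison and shows the manager ACL rules that must precede it. It assumes Squid 3.2 or newer, which predefines the `manager` and `localhost` ACLs, and uses a hypothetical admin host 192.168.0.2 and the 192.168.0.0/24 network from the reproducer.

```conf
# Added example, not the report's own configuration.
http_port 2222

# Hypothetical addresses for this example: one admin workstation and the
# reproducer's local network.
acl admin_host src 192.168.0.2/32
acl localnet src 192.168.0.0/24

# Weak (the reproducer's setting): with this as the first rule, every
# client, including 192.168.0.3, can reach cache_object:// and
# /squid-internal-mgr/ URLs, because http_access rules match top to bottom
# and the first match wins.
#http_access allow all

# Hardened: decide on cache manager requests before any broad allow.
# 'manager' and 'localhost' are built-in ACLs in Squid 3.2+.
http_access allow localhost manager
http_access allow admin_host manager
http_access deny manager

# Only after the manager rules grant ordinary proxy access.
http_access allow localnet
http_access deny all
```

With this ordering a cache manager request from 192.168.0.3 is answered with an access-denied error instead of being handed to the manager code.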