Bugzilla – Bug 1173304
VUL-0: CVE-2020-14059: squid: denial of service issue in TLS Handshake
Last modified: 2022-10-13 13:50:16 UTC
__________________________________________________________________ Squid Proxy Cache Security Update Advisory SQUID-2020:6 __________________________________________________________________ Advisory ID: | SQUID-2020:6 Date: | June 19, 2020 Summary: | Denial of Service issue in TLS Handshake Affected versions: | Squid 3.1 -> 3.5.28 | Squid 4.x -> 4.11 | Squid 5.x -> 5.0.2 Fixed in version: | Squid 4.12 and 5.0.3 __________________________________________________________________ <http://www.squid-cache.org/Advisories/SQUID-2020_6.txt> <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14058> <https://github.com/squid-cache/squid/security/advisories/GHSA-qvf6-485q-vm57> __________________________________________________________________ Problem Description: Due to use of a potentially dangerous function Squid and the default certificate validation helper are vulnerable to a Denial of Service attack when processing TLS certificates. __________________________________________________________________ Severity: This problem allows a trusted client to perform Denial of Service when opening TLS connections with a server for HTTPS. This problem allows a trusted client to perform Denial of Service when opening TLS connections to a server for SSL-Bump intercepted transactions. This attack is limited to Squid built with OpenSSL features and opening peer or server connections for HTTPS traffic and SSL-Bump server handshakes. CVSS Score of 8.3 <https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:F/RL:O/RC:C/CR:X/IR:X/AR:H/MAV:N/MAC:H/MPR:N/MUI:X/MS:C/MC:N/MI:N/MA:H&version=3.1> __________________________________________________________________ Updated Packages: This bug is fixed by Squid versions 4.12 and 5.0.3. In addition, patches addressing this problem for the stable releases can be found in our patch archives: Squid 4: <http://www.squid-cache.org/Versions/v4/changesets/squid-4-93f5fda134a2a010b84ffedbe833d670e63ba4be.patch> Squid 5: <http://www.squid-cache.org/Versions/v5/changesets/squid-5-c6d1a4f6a2cbebceebc8a3fcd8f539ceb7b7f723.patch> If you are using a prepackaged version of Squid then please refer to the package vendor for availability information on updated packages. __________________________________________________________________ Determining if your version is vulnerable: All Squid-2.x up to and including 2.7.STABLE9 are not vulnerable. All Squid-3.x up to and including 3.4.14 built without --enable-openssl are not vulnerable. All Squid-3.x up to and including 3.4.14 built with --disable-openssl are not vulnerable. All Squid-3.x up to and including 3.4.14 built with --enable-openssl are vulnerable. All Squid-3.5 up to and including 3.5.28 built without --with-openssl are not vulnerable. All Squid-3.5 up to and including 3.5.28 built with --without-openssl are not vulnerable. All Squid-3.5 up to and including 3.5.28 built with --with-openssl are vulnerable. All Squid-4.x up to and including 4.11 built without --with-openssl are not vulnerable. All Squid-4.x up to and including 4.11 built with --without-openssl are not vulnerable. All Squid-4.x up to and including 4.11 built with --with-openssl are vulnerable. Squid-5.0.1 and 5.0.2 built without --with-openssl are not vulnerable. Squid-5.0.1 and 5.0.2 built with --without-openssl are not vulnerable. Squid-5.0.1 and 5.0.2 built with --with-openssl are vulnerable. __________________________________________________________________ Workaround: * For interception proxies using SSL-Bump functionality there is no workaround. * For reverse-proxy the GnuTLS support available in Squid-4 may provide sufficient functionality. The vulnerable certificate validator helper feature is not supported yet by GnuTLS builds. * Other installations just needing to relay HTTPS do not need OpenSSL support and should be able to run a build that does not have --with-openssl. __________________________________________________________________ Contact details for the Squid project: For installation / upgrade support on binary packaged versions of Squid: Your first point of contact should be your binary package vendor. If you install and build Squid from the original Squid sources then the <squid-users at lists.squid-cache.org> mailing list is your primary support point. For subscription details see <http://www.squid-cache.org/Support/mailing-lists.html>. For reporting of non-security bugs in the latest STABLE release the squid bugzilla database should be used <http://bugs.squid-cache.org/>. For reporting of security sensitive bugs send an email to the <squid-bugs at lists.squid-cache.org> mailing list. It's a closed list (though anyone can post) and security related bug reports are treated in confidence until the impact has been established. __________________________________________________________________ Credits: This vulnerability was discovered by Dimitra Azariadi and Mario Galli of Open Systems AG. Fixed by Christos Tsantilas of The Measurement Factory. __________________________________________________________________ Revision history: 2020-03-04 09:31:23 UTC Initial Report 2020-05-15 04:54:54 UTC Patches Released __________________________________________________________________
This is an autogenerated message for OBS integration: This bug (1173304) was mentioned in https://build.opensuse.org/request/show/816822 Factory / squid
SUSE-SU-2020:1769-1: An update that fixes one vulnerability is now available. Category: security (important) Bug References: 1173304 CVE References: CVE-2020-14059 Sources used: SUSE Linux Enterprise Server for SAP 15 (src): squid-4.12-5.20.1 SUSE Linux Enterprise Server 15-LTSS (src): squid-4.12-5.20.1 SUSE Linux Enterprise Module for Server Applications 15-SP2 (src): squid-4.12-5.20.1 SUSE Linux Enterprise Module for Server Applications 15-SP1 (src): squid-4.12-5.20.1 SUSE Linux Enterprise High Performance Computing 15-LTSS (src): squid-4.12-5.20.1 SUSE Linux Enterprise High Performance Computing 15-ESPOS (src): squid-4.12-5.20.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2020:1770-1: An update that fixes one vulnerability is now available. Category: security (important) Bug References: 1173304 CVE References: CVE-2020-14059 Sources used: SUSE Linux Enterprise Server 12-SP5 (src): squid-4.12-4.12.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2020:0910-1: An update that fixes one vulnerability is now available. Category: security (important) Bug References: 1173304 CVE References: CVE-2020-14059 Sources used: openSUSE Leap 15.1 (src): squid-4.12-lp151.2.21.1
openSUSE-SU-2020:0914-1: An update that fixes one vulnerability is now available. Category: security (important) Bug References: 1173304 CVE References: CVE-2020-14059 Sources used: openSUSE Leap 15.2 (src): squid-4.12-lp152.2.3.1
SUSE-SU-2020:1803-1: An update that fixes two vulnerabilities is now available. Category: security (important) Bug References: 1167373,1173304 CVE References: CVE-2019-18860,CVE-2020-14059 Sources used: SUSE OpenStack Cloud Crowbar 8 (src): squid-3.5.21-26.26.1 SUSE OpenStack Cloud 8 (src): squid-3.5.21-26.26.1 SUSE OpenStack Cloud 7 (src): squid-3.5.21-26.26.1 SUSE Linux Enterprise Server for SAP 12-SP3 (src): squid-3.5.21-26.26.1 SUSE Linux Enterprise Server for SAP 12-SP2 (src): squid-3.5.21-26.26.1 SUSE Linux Enterprise Server 12-SP4 (src): squid-3.5.21-26.26.1 SUSE Linux Enterprise Server 12-SP3-LTSS (src): squid-3.5.21-26.26.1 SUSE Linux Enterprise Server 12-SP3-BCL (src): squid-3.5.21-26.26.1 SUSE Linux Enterprise Server 12-SP2-LTSS (src): squid-3.5.21-26.26.1 SUSE Linux Enterprise Server 12-SP2-BCL (src): squid-3.5.21-26.26.1 SUSE Enterprise Storage 5 (src): squid-3.5.21-26.26.1 HPE Helion Openstack 8 (src): squid-3.5.21-26.26.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Done
squid3 in SLE11-SP1 still affected. Re-opening
I have just verified and squid3 is not affected for us because the OpenSSL version it is linked with does not have these additional error codes BUT if we ever have squid3 linked with openssl1 from the security module, it will be affected. squid3 as-is, - not affected squid3+openssl1 - affected so to make sure we are not affected in the future (in case squid3-openssl1 becomes reality), I will backport this fix too.
Following comment 10 Closing
SUSE-SU-2020:14460-1: An update that fixes 21 vulnerabilities is now available. Category: security (important) Bug References: 1140738,1141329,1141332,1156323,1156324,1156326,1156328,1156329,1162687,1162689,1162691,1167373,1169659,1170313,1170423,1173304,1173455 CVE References: CVE-2019-12519,CVE-2019-12520,CVE-2019-12521,CVE-2019-12523,CVE-2019-12524,CVE-2019-12525,CVE-2019-12526,CVE-2019-12528,CVE-2019-12529,CVE-2019-13345,CVE-2019-18676,CVE-2019-18677,CVE-2019-18678,CVE-2019-18679,CVE-2019-18860,CVE-2020-11945,CVE-2020-14059,CVE-2020-15049,CVE-2020-8449,CVE-2020-8450,CVE-2020-8517 JIRA References: Sources used: SUSE Linux Enterprise Server 11-SP4-LTSS (src): squid3-3.1.23-8.16.37.12.1 SUSE Linux Enterprise Point of Sale 11-SP3 (src): squid3-3.1.23-8.16.37.12.1 SUSE Linux Enterprise Debuginfo 11-SP4 (src): squid3-3.1.23-8.16.37.12.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.