Bug 1216398 - VUL-0: squid: 55 vulnerabilities and 35 0days
Summary: VUL-0: squid: 55 vulnerabilities and 35 0days
Status: CONFIRMED
Alias: None
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/382407/
Whiteboard:
Keywords:
Depends on: CVE-2021-31807 1216399
Blocks:
Reported: 2023-10-19 06:40 UTC by Alexander Bergmann
Modified: 2024-04-19 10:05 UTC

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
amajer: needinfo?


Description Alexander Bergmann 2023-10-19 06:40:06 UTC
https://megamansec.github.io/Squid-Security-Audit/

Squid-Security-Audit
====================
Squid Caching Proxy Security Audit: 55 vulnerabilities and 35 0days

In February 2021, I started looking for vulnerabilities in forward-proxies, and found various issues in Squid. Some more information about what’s here can be found on my blog: https://joshua.hu/squid-security-audit-35-0days-45-exploits

Explanations and reproducers for each of the vulnerabilities are documented in each of the markdown files. IDs are assigned where possible; however, since the majority of these remain unfixed, there are no identifiers.

The Squid Team have been helpful and supportive during the process of reporting these issues. However, they are effectively understaffed, and simply do not have the resources to fix the discovered issues. Hammering them with demands to fix the issues won’t get far.

With any system or project, it is important to regularly review solutions used in your stack to determine whether they are still appropriate. If you are running Squid in an environment which may suffer from any of these issues, then it is up to you to reassess whether Squid is the right solution for your system.

------------------
A detailed list of vulnerabilities can be found via the link above.
Comment 1 Alexander Bergmann 2023-10-19 06:54:55 UTC
Already fixed issues:

bsc#1185918: CVE-2021-28652: squid,squid3:
SQUID-2021:3 Denial of Service issue in Cache Manager

bsc#1185921: CVE-2021-28651: squid,squid3:
SQUID-2021:1 Denial of Service in URN processing

bsc#1200907: CVE-2021-46784: squid:
DoS when processing gopher server responses

bsc#1185919: CVE-2021-28662: squid,squid3:
SQUID-2021:2 Denial of Service in HTTP Response Processing

bsc#1185916: CVE-2021-31806: squid,squid3:
SQUID-2021:4 Multiple Issues in HTTP Range header

bsc#1186654: CVE-2021-33620: squid:
denial of service in HTTP response processing


Newly created bugs:

bsc#1216399: CVE-2021-31808: squid:
Integer Overflow in Range Header

bsc#1216400: CVE-2021-31807: squid:
Partial Content Parsing Use-After-Free
Comment 6 Alexander Bergmann 2023-10-23 12:18:31 UTC
Here are 4 bug reports created from the GitHub Security Advisories (GHSA):

GHSA-2g3c-pg7q-g59w: bsc#1216498: squid: Denial of Service in FTP
GHSA-cg5h-v6vc-w33f: bsc#1216497: squid: Denial of Service in Gopher gateway
GHSA-543m-w2m2-g255: bsc#1216496: squid: Multiple issues in HTTP response caching
GHSA-phqj-m8gv-cq4g: bsc#1216495: squid: Denial of Service in HTTP Digest Authentication


Plus one extra GHSA that was not part of the 55 vulnerabilities:

GHSA-j83v-w3p4-5cqh: bsc#1216500: squid: Request/Response smuggling in HTTP/1.1 and ICAP
Comment 7 Artem Shiliaev 2023-11-22 14:02:55 UTC
From the SUMA perspective, that's a well-known vulnerability; we are just consumers of squid from SLE, so we just need to wait.