Bug 1216496 (CVE-2023-5824) - VUL-0: CVE-2023-5824: squid: Multiple issues in HTTP response caching (SQUID-2023:2)
Status: NEW
Alias: CVE-2023-5824
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium, Severity: Normal
Target Milestone: ---
Assignee: Adam Majer
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/382741/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-5824:9.6:(AV:N...
Reported: 2023-10-23 11:49 UTC by Alexander Bergmann
Modified: 2023-11-13 14:30 UTC
Description Alexander Bergmann 2023-10-23 11:49:05 UTC
https://github.com/squid-cache/squid/security/advisories/GHSA-543m-w2m2-g255

Package: squid
Affected versions: < 6.4
Patched versions: 6.4

Description:
Due to an Improper Handling of Structural Elements bug, Squid is vulnerable to a Denial of Service attack against HTTP and HTTPS clients.

Due to an Incomplete Filtering of Special Elements bug, Squid is vulnerable to a Denial of Service attack against HTTP and HTTPS clients.

Severity:
The limits applied for validation of HTTP Response headers are applied before caching. Different limits may be in place at the later cache HIT usage of that response.

The limits applied for validation of HTTP Response headers are applied to each received server response. Squid may grow a cached HTTP Response header with HTTP 304 updates beyond the configured maximum header size.

Subsequent parsing to de-serialize a large header from disk cache can stall or crash the worker process, resulting in Denial of Service to all clients using the proxy.

CVSS Score of 9.6
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H&version=3.1

Updated Packages:
This bug is fixed by Squid version 6.4.

In addition, patches addressing this problem for the stable
releases can be found in our patch archives:

Squid 6:
http://www.squid-cache.org/Versions/v6/SQUID-2023_2.patch

If you are using a prepackaged version of Squid then please refer
to the package vendor for availability information on updated
packages.

Determining if your version is vulnerable:
Squid versions older than v5 have not been tested and are presumed
vulnerable.

Squid v5.x up to and including 5.9 are vulnerable.

Squid v6.x up to and including 6.3 are vulnerable.

Workaround:
Disable disk caching by removing all cache_dir directives from
squid.conf.
Comment 1 Alexander Bergmann 2023-10-25 15:21:11 UTC
There is currently no patch for v5 and previous. The v6 patch introduced quite a few code changes that prevent, without a deep understanding of the code, a simple backport.

However, the original blog post states that "Of course, such ‘attacks’ are completely theoretical and are only considered for entertainment purposes." [1]

We will keep this bug open until a defined solution has been published. In the meantime, if you are unsure about the implications, consider removing all the cache_dir directives from your configuration.

References:
[1] https://megamansec.github.io/Squid-Security-Audit/cache-headers.html
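
The version table and the cache_dir workaround from the advisory text can be checked together on a host. The following is an added example, not part of the bug report or of Squid; the function names, status strings and sample inputs are constructed for illustration, and it assumes the usual `Squid Cache: Version X.Y` line printed by `squid -v`.

```python
import re

FIXED = (6, 4)  # first upstream release carrying the fix, per the advisory

def parse_version(squid_v_output):
    """Extract (major, minor) from `squid -v` output."""
    m = re.search(r"Version\s+(\d+)\.(\d+)", squid_v_output)
    if m is None:
        raise ValueError("no Squid version string found")
    return int(m.group(1)), int(m.group(2))

def directives(conf_text, name):
    """Return (line_no, text) for each uncommented directive called `name`."""
    found = []
    for n, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if line.split()[:1] == [name]:
            found.append((n, line))
    return found

def assess(squid_v_output, conf_text):
    """Classify a host against the advisory's version table and workaround."""
    # Tuple comparison keeps 6.10 above 6.4, which a string comparison would not.
    if parse_version(squid_v_output) >= FIXED:
        return "fixed-upstream-version", []
    cache_dirs = directives(conf_text, "cache_dir")
    if cache_dirs:
        return "affected-disk-cache-enabled", cache_dirs
    included = directives(conf_text, "include")
    if included:
        # cache_dir may still be set in an included file; those need the same check.
        return "affected-check-included-files", included
    return "affected-workaround-applied", []

# Constructed sample inputs (not taken from a real host).
SAMPLE_VERSION = "Squid Cache: Version 5.9\nService Name: squid\n"
SAMPLE_CONF = """\
http_port 3128
#cache_dir ufs /var/spool/squid 100 16 256
cache_dir rock /var/cache/squid 2048   # disk cache still active
include /etc/squid/conf.d/*.conf
"""

if __name__ == "__main__":
    status, lines = assess(SAMPLE_VERSION, SAMPLE_CONF)
    print(status)
    for n, text in lines:
        print(f"  line {n}: {text}")
```

The version check reflects upstream release numbers only; a distribution package can carry a backported fix under an older version number, so an "affected" result on a packaged build still needs the vendor's update status.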
Comment 2 Alexander Bergmann 2023-10-27 13:53:17 UTC
CVE-2023-5824 was assigned to this issue.
Comment 3 OBSbugzilla Bot 2023-11-02 11:15:04 UTC
This is an autogenerated message for OBS integration:
This bug (1216496) was mentioned in
https://build.opensuse.org/request/show/1122203 Factory / squid