Bug 1183436 – VUL-0: CVE-2020-25097: squid: HTTP Request Smuggling (SQUID-2020:11)

Bug 1183436 - (CVE-2020-25097) VUL-0: CVE-2020-25097: squid: HTTP Request Smuggling (SQUID-2020:11)

(CVE-2020-25097)
Summary:	VUL-0: CVE-2020-25097: squid: HTTP Request Smuggling (SQUID-2020:11)

Status:	NEW

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Assigned To:	Security Team bot
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/279679
Whiteboard:	CVSSv3.1:SUSE:CVE-2020-25097:8.6:(AV:...
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2021-03-12 08:01 UTC by Robert Frohl
Modified:	2022-10-18 09:38 UTC (History)
CC List:	1 user (show)

See Also:
Found By:	---
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Robert Frohl 2021-03-12 08:01:57 UTC

Description

Due to improper input validation Squid is vulnerable to an HTTP
Request Smuggling attack.
Severity:

This problem allows a trusted client to perform HTTP Request
Smuggling and access services otherwise forbidden by Squid
security controls.

CVSS Score of 9.3
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N/E:F/RL:O/RC:C/CR:H/IR:X/AR:X/MAV:N/MAC:L/MPR:N/MUI:N/MS:C/MC:H/MI:X/MA:X&version=3.1
Updated Packages:
This bug is fixed by Squid versions 4.14 and 5.0.5.

In addition, patches addressing this problem for the stable
releases can be found in our patch archives:
Squid 4:

http://www.squid-cache.org/Versions/v4/changesets/SQUID-2020_11.patch

If you are using a prepackaged version of Squid then please refer
to the package vendor for availability information on updated
packages.
Determining if your version is vulnerable:

All Squid with squid.conf containing "uri_whitespace deny" are
not vulnerable.

All Squid with squid.conf containing "uri_whitespace encode" are
not vulnerable.

All Squid-4.x up to and including 4.13 without uri_whitespace in
squid.conf are vulnerable.

All Squid-4.x up to and including 4.13 with uri_whitespace in
squid.conf configured to "allow" are vulnerable.

All Squid-4.x up to and including 4.13 with uri_whitespace in
squid.conf configured to "chop" are vulnerable.

All Squid-4.x up to and including 4.13 with uri_whitespace in
squid.conf configured to "strip" are vulnerable.

All Squid-5.x up to and including 5.0.4 without uri_whitespace
in squid.conf are vulnerable.

All Squid-5.x up to and including 5.0.4 with uri_whitespace in
squid.conf configured to "allow" are vulnerable.

All Squid-5.x up to and including 5.0.4 with uri_whitespace in
squid.conf configured to "chop" are vulnerable.

All Squid-5.x up to and including 5.0.4 with uri_whitespace in
squid.conf configured to "strip" are vulnerable.
Workaround:

Either,

Configure squid.conf with uri_whitespace deny

Or,

Configure squid.conf with uri_whitespace encode
Contact details for the Squid project:

For installation / upgrade support on binary packaged versions
of Squid: Your first point of contact should be your binary
package vendor.

If you install and build Squid from the original Squid sources
then the squid-users@lists.squid-cache.org mailing list is your
primary support point. For subscription details see
http://www.squid-cache.org/Support/mailing-lists.html.

For reporting of non-security bugs in the latest STABLE release
the squid bugzilla database should be used
http://bugs.squid-cache.org/.

For reporting of security sensitive bugs send an email to the
squid-bugs@lists.squid-cache.org mailing list. It's a closed
list (though anyone can post) and security related bug reports
are treated in confidence until the impact has been established.
Credits:

This vulnerability was discovered by Jianjun Chen from ICSI,
Berkeley.

Fixed by Amos Jeffries of Treehouse Networks Ltd and
Alex Rousskov of The Measurement Factory.
Revision history:

2020-09-01 03:58:36 UTC Initial Report
2020-09-03 03:03:24 UTC CVE Allocation
2020-09-04 04:38:30 UTC Patches released

https://github.com/squid-cache/squid/security/advisories/GHSA-jvf6-h9gj-pmj6

Comment 1 Robert Frohl 2021-03-12 08:05:19 UTC

patch
http://www.squid-cache.org/Versions/v4/changesets/SQUID-2020_11.patch

Comment 2 Robert Frohl 2021-03-12 08:06:00 UTC

this seems to be an recently assigned CVE, got raised in bsc#1183422

Comment 3 Robert Frohl 2021-03-12 08:17:43 UTC

tracking as affected:

- SUSE:SLE-12-SP5:Update/squid
- SUSE:SLE-15:Update/squid

Could not find the affected code in older codestreams.

Comment 4 Gianluca Gabrielli 2021-05-11 14:20:56 UTC

Affected packages:

- SUSE:SLE-11-SP1:Update/squid3  3.1.23
- SUSE:SLE-12-SP2:Update/squid   3.5.21
- SUSE:SLE-12-SP5:Update/squid   4.13
- SUSE:SLE-15:Update/squid       4.13

Comment 8 Swamp Workflow Management 2021-06-02 19:27:39 UTC

SUSE-SU-2021:1838-1: An update that solves 5 vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 1171164,1171569,1183436,1185916,1185918,1185919,1185921,1185923
CVE References: CVE-2020-25097,CVE-2021-28651,CVE-2021-28652,CVE-2021-28662,CVE-2021-31806
JIRA References: 
Sources used:
SUSE Linux Enterprise Server 12-SP5 (src):    squid-4.15-4.18.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 9 Swamp Workflow Management 2021-06-11 16:31:50 UTC

SUSE-SU-2021:1961-1: An update that solves 5 vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 1171164,1171569,1183436,1185916,1185918,1185919,1185921,1185923
CVE References: CVE-2020-25097,CVE-2021-28651,CVE-2021-28652,CVE-2021-28662,CVE-2021-31806
JIRA References: 
Sources used:
SUSE Manager Server 4.0 (src):    squid-4.15-5.26.1
SUSE Manager Retail Branch Server 4.0 (src):    squid-4.15-5.26.1
SUSE Manager Proxy 4.0 (src):    squid-4.15-5.26.1
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    squid-4.15-5.26.1
SUSE Linux Enterprise Server for SAP 15 (src):    squid-4.15-5.26.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    squid-4.15-5.26.1
SUSE Linux Enterprise Server 15-SP1-BCL (src):    squid-4.15-5.26.1
SUSE Linux Enterprise Server 15-LTSS (src):    squid-4.15-5.26.1
SUSE Linux Enterprise Module for Server Applications 15-SP3 (src):    squid-4.15-5.26.1
SUSE Linux Enterprise Module for Server Applications 15-SP2 (src):    squid-4.15-5.26.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    squid-4.15-5.26.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    squid-4.15-5.26.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    squid-4.15-5.26.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    squid-4.15-5.26.1
SUSE Enterprise Storage 6 (src):    squid-4.15-5.26.1
SUSE CaaS Platform 4.0 (src):    squid-4.15-5.26.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 10 Swamp Workflow Management 2021-06-16 19:59:04 UTC

openSUSE-SU-2021:0879-1: An update that solves 5 vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 1171164,1171569,1183436,1185916,1185918,1185919,1185921,1185923
CVE References: CVE-2020-25097,CVE-2021-28651,CVE-2021-28652,CVE-2021-28662,CVE-2021-31806
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    squid-4.15-lp152.2.9.1

Comment 11 Swamp Workflow Management 2021-07-11 13:22:21 UTC

openSUSE-SU-2021:1961-1: An update that solves 5 vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 1171164,1171569,1183436,1185916,1185918,1185919,1185921,1185923
CVE References: CVE-2020-25097,CVE-2021-28651,CVE-2021-28652,CVE-2021-28662,CVE-2021-31806
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    squid-4.15-5.26.1

Comment 13 Swamp Workflow Management 2022-03-15 14:31:05 UTC

SUSE-SU-2022:14914-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1183436,1185921
CVE References: CVE-2020-25097,CVE-2021-28651
JIRA References: 
Sources used:
SUSE Linux Enterprise Server 11-SP4-LTSS (src):    squid3-3.1.23-8.16.37.18.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    squid3-3.1.23-8.16.37.18.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    squid3-3.1.23-8.16.37.18.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 15 Swamp Workflow Management 2022-07-13 22:15:59 UTC

SUSE-SU-2022:2392-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1183436,1185921,1200907
CVE References: CVE-2020-25097,CVE-2021-28651,CVE-2021-46784
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    squid-3.5.21-26.35.1
SUSE OpenStack Cloud 9 (src):    squid-3.5.21-26.35.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    squid-3.5.21-26.35.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    squid-3.5.21-26.35.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    squid-3.5.21-26.35.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    squid-3.5.21-26.35.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.