Due to use of a potentially dangerous function Squid and the
default certificate validation helper are vulnerable to a Denial
of Service attack when processing TLS certificates.
Severity:
This problem allows a trusted client to perform Denial of Service
when opening TLS connections with a server for HTTPS.
This problem allows a trusted client to perform Denial of Service
when opening TLS connections to a server for SSL-Bump intercepted
transactions.
This attack is limited to Squid built with OpenSSL features and
opening peer or server connections for HTTPS traffic and SSL-Bump
server handshakes.
CVSS Score of 8.3
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:F/RL:O/RC:C/CR:X/IR:X/AR:H/MAV:N/MAC:H/MPR:N/MUI:X/MS:C/MC:N/MI:N/MA:H&version=3.1
Updated Packages:
This bug is fixed by Squid versions 4.12 and 5.0.3.
In addition, patches addressing this problem for the stable
releases can be found in our patch archives:
Squid 4:
http://www.squid-cache.org/Versions/v4/SQUID-2020_6.patch
Squid 5:
http://www.squid-cache.org/Versions/v5/SQUID-2020_6.patch
If you are using a prepackaged version of Squid then please refer
to the package vendor for availability information on updated
packages.
Determining if your version is vulnerable:
All Squid-2.x up to and including 2.7.STABLE9 are not vulnerable.
All Squid-3.x up to and including 3.4.14 built without
--enable-openssl are not vulnerable.
All Squid-3.x up to and including 3.4.14 built with
--disable-openssl are not vulnerable.
All Squid-3.x up to and including 3.4.14 built with
--enable-openssl are vulnerable.
All Squid-3.5 up to and including 3.5.28 built without
--with-openssl are not vulnerable.
All Squid-3.5 up to and including 3.5.28 built with
--without-openssl are not vulnerable.
All Squid-3.5 up to and including 3.5.28 built with
--with-openssl are vulnerable.
All Squid-4.x up to and including 4.11 built without
--with-openssl are not vulnerable.
All Squid-4.x up to and including 4.11 built with
--without-openssl are not vulnerable.
All Squid-4.x up to and including 4.11 built with --with-openssl
are vulnerable.
Squid-5.0.1 and 5.0.2 built without --with-openssl are not
vulnerable.
Squid-5.0.1 and 5.0.2 built with --without-openssl are not
vulnerable.
Squid-5.0.1 and 5.0.2 built with --with-openssl are vulnerable.
Workaround:
-
For interception proxies using SSL-Bump functionality there is
no workaround.
-
For reverse-proxy the GnuTLS support available in Squid-4 may
provide sufficient functionality. The vulnerable certificate
validator helper feature is not supported yet by GnuTLS builds.
-
Other installations just needing to relay HTTPS do not need
OpenSSL support and should be able to run a build that does not
have --with-openssl.
Contact details for the Squid project:
For installation / upgrade support on binary packaged versions
of Squid: Your first point of contact should be your binary
package vendor.
If you install and build Squid from the original Squid sources
then the squid-users@lists.squid-cache.org mailing list is your
primary support point. For subscription details see
http://www.squid-cache.org/Support/mailing-lists.html.
For reporting of non-security bugs in the latest STABLE release
the squid bugzilla database should be used
http://bugs.squid-cache.org/.
For reporting of security sensitive bugs send an email to the
squid-bugs@lists.squid-cache.org mailing list. It's a closed
list (though anyone can post) and security related bug reports
are treated in confidence until the impact has been established.
Credits:
This vulnerability was discovered by Christof Gerber and Mario Galli of Open Systems AG.
Fixed by Christos Tsantilas of The Measurement Factory.
Revision history:
2020-03-04 09:31:23 UTC Initial Report
2020-05-15 04:54:54 UTC Patches Released
END
Due to use of a potentially dangerous function Squid and the
default certificate validation helper are vulnerable to a Denial
of Service attack when processing TLS certificates.
Severity:
This problem allows a trusted client to perform Denial of Service
when opening TLS connections with a server for HTTPS.
This problem allows a trusted client to perform Denial of Service
when opening TLS connections to a server for SSL-Bump intercepted
transactions.
This attack is limited to Squid built with OpenSSL features and
opening peer or server connections for HTTPS traffic and SSL-Bump
server handshakes.
CVSS Score of 8.3
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:F/RL:O/RC:C/CR:X/IR:X/AR:H/MAV:N/MAC:H/MPR:N/MUI:X/MS:C/MC:N/MI:N/MA:H&version=3.1
Updated Packages:
This bug is fixed by Squid versions 4.12 and 5.0.3.
In addition, patches addressing this problem for the stable
releases can be found in our patch archives:
Squid 4:
http://www.squid-cache.org/Versions/v4/SQUID-2020_6.patch
Squid 5:
http://www.squid-cache.org/Versions/v5/SQUID-2020_6.patch
If you are using a prepackaged version of Squid then please refer
to the package vendor for availability information on updated
packages.
Determining if your version is vulnerable:
All Squid-2.x up to and including 2.7.STABLE9 are not vulnerable.
All Squid-3.x up to and including 3.4.14 built without
--enable-openssl are not vulnerable.
All Squid-3.x up to and including 3.4.14 built with
--disable-openssl are not vulnerable.
All Squid-3.x up to and including 3.4.14 built with
--enable-openssl are vulnerable.
All Squid-3.5 up to and including 3.5.28 built without
--with-openssl are not vulnerable.
All Squid-3.5 up to and including 3.5.28 built with
--without-openssl are not vulnerable.
All Squid-3.5 up to and including 3.5.28 built with
--with-openssl are vulnerable.
All Squid-4.x up to and including 4.11 built without
--with-openssl are not vulnerable.
All Squid-4.x up to and including 4.11 built with
--without-openssl are not vulnerable.
All Squid-4.x up to and including 4.11 built with --with-openssl
are vulnerable.
Squid-5.0.1 and 5.0.2 built without --with-openssl are not
vulnerable.
Squid-5.0.1 and 5.0.2 built with --without-openssl are not
vulnerable.
Squid-5.0.1 and 5.0.2 built with --with-openssl are vulnerable.
Workaround:
For interception proxies using SSL-Bump functionality there is
no workaround.
For reverse-proxy the GnuTLS support available in Squid-4 may
provide sufficient functionality. The vulnerable certificate
validator helper feature is not supported yet by GnuTLS builds.
Other installations just needing to relay HTTPS do not need
OpenSSL support and should be able to run a build that does not
have --with-openssl.
Contact details for the Squid project:
For installation / upgrade support on binary packaged versions
of Squid: Your first point of contact should be your binary
package vendor.
If you install and build Squid from the original Squid sources
then the squid-users@lists.squid-cache.org mailing list is your
primary support point. For subscription details see
http://www.squid-cache.org/Support/mailing-lists.html.
For reporting of non-security bugs in the latest STABLE release
the squid bugzilla database should be used
http://bugs.squid-cache.org/.
For reporting of security sensitive bugs send an email to the
squid-bugs@lists.squid-cache.org mailing list. It's a closed
list (though anyone can post) and security related bug reports
are treated in confidence until the impact has been established.
Credits:
This vulnerability was discovered by Christof Gerber and Mario Galli of Open Systems AG.
Fixed by Christos Tsantilas of The Measurement Factory.
Revision history:
2020-03-04 09:31:23 UTC Initial Report
2020-05-15 04:54:54 UTC Patches Released
END