__________________________________________________________________ Squid Proxy Cache Security Update Advisory SQUID-2010:1 __________________________________________________________________ Advisory ID: SQUID-2010:1 Date: January 28, 2010 Summary: Denial of Service issue in DNS handling Affected versions: Squid 2.x -> 2.6.STABLE24, Squid 2.7 -> 2.7.STABLE8, Squid 3.0 -> 3.0.STABLE22, Squid 3.1 -> 3.1.0.15 Fixed in version: Squid 2.6.STABLE24, 2.7.STABLE8 Squid 3.0.STABLE23, 3.1.0.16 __________________________________________________________________ http://www.squid-cache.org/Advisories/SQUID-2010_1.txt http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0308 __________________________________________________________________ Problem Description: Due to incorrect data validation Squid is vulnerable to a denial of service attack when processing specially crafted DNS packets. __________________________________________________________________ Severity: This problem allows any trusted client or external server who can determine the squid receiving port to perform a short-term denial of service attack on the Squid service. __________________________________________________________________ Updated Packages: This bug is fixed by Squid versions 2.6.STABLE24, 2.7.STABLE8, 3.0.STABLE23 and 3.1.0.16. In addition, patches addressing these problems can be found In our patch archives. Squid 2.x: http://www.squid-cache.org/Versions/v2/HEAD/changesets/12597.patch Squid 3.0: http://www.squid-cache.org/Versions/v3/3.0/changesets/squid-3.0-9163.patch Squid 3.1: http://www.squid-cache.org/Versions/v3/3.1/changesets/squid-3.1-9853.patch If you are using a prepackaged version of Squid then please refer to the package vendor for availability information on updated packages. __________________________________________________________________ Determining if your version is vulnerable: Squid still using the obsolete dnsserver are not vulnerable. The ignore_unknown_nameservers option affects the severity of this vulnerability. When set to "on" (the default) risk is low. When set to "off" the vulnerability risk is increased. All unpatched Squid-3.0 versions up to and including 3.0.STABLE22 are vulnerable. All unpatched Squid-3.1 versions up to and including 3.1.0.15 are vulnerable. All unpatched Squid-2.7 versions up to and including 2.7.STABLE8 are vulnerable. All unpatched Squid-2.x versions up to and including 2.6.STABLE24 are vulnerable. __________________________________________________________________ Workarounds: Using all of the following steps are required to protect a vulnerable Squid from this and other forms of DNS attack. * Ensuring the ignore_unknown_nameservers is turned on. * Ensuring that DNS packets cannot be sent to Squid from untrusted nameservers or other machines. The most secure implementation of these requirements is to use a nameserver running on the localhost IP dedicated for secure use by Squid and any other services on the Squid machine. __________________________________________________________________ Contact details for the Squid project: For installation / upgrade support on binary packaged versions of Squid: Your first point of contact should be your binary package vendor. If your install and build Squid from the original Squid sources then the squid-users@squid-cache.org mailing list is your primary support point. For subscription details see . For reporting of non-security bugs in the latest STABLE release the squid bugzilla database should be used . For reporting of security sensitive bugs send an email to the squid-bugs@squid-cache.org mailing list. It's a closed list (though anyone can post) and security related bug reports are treated in confidence until the impact has been established. __________________________________________________________________ Credits: Zero-Day attributed to work by Fabian Yamaguchi. The vulnerability was reported by Tomas Hoger of RedHat. __________________________________________________________________ Revision history: 2010-01-14 18:05 GMT Initial Report 2010-01-16 03:51 GMT Patches released. 2010-02-01 04:49 GMT Squid-3 bundled fixes and advisory released. 2010-02-02 07:42 GMT Updated 3.0 patch and bundle 2010-02-06 02:35 GMT CVE-2010-0308 reference added. 2010-09-16 07:05 GMT Reference link updates 2011-04-12 02:05 GMT Updated info on 2.6 and 2.7 being patched __________________________________________________________________ END