Squid Proxy Cache Multiple Vulnerabilities Fixed by 3.5.18 and 4.0.10


Description   Several vulnerabilities were reported in Squid proxy cache:

- CVE-2016-4553: improper Host header handling when an absolute URI is provided. A remote attacker could exploit it by sending a specially crafted HTTP request in order to perform cache poisoning attacks. This vulnerability is located in the "client_side.cc" source file.

- CVE-2016-4554: improper input validation. A remote attacker could exploit it by sending an HTTP request with a specially crafted HTTP Host header in order to bypass intended same-origin restrictions and perform cache poisoning attacks. This vulnerability is located in the "mime_header.cc" source file.

- CVE-2016-4555: improper reference counting. A remote attacker could exploit it via specially crafted ESI (Edge Side Includes) responses in order to crash the application. This vulnerability is located in the "client_side_request.cc" source file.

- CVE-2016-4556: double free. A remote attacker could exploit it via a specially crafted ESI (Edge Side Includes) response in order to crash the application. This vulnerability is located in the "Esi.cc" source file.

The squid packages provided by Debian Wheezy 7 are vulnerable (CVE-2016-4554).

The squid3 packages provided by Debian Jessie 8 are vulnerable.
     
Vulnerable Products   Vulnerable OS:
- CentOS (Red Hat) - 6, 7
- Enterprise Linux 6 (Red Hat) - Server, Workstation
- Enterprise Linux 7 (Red Hat) - Server, Workstation
- Fedora (Red Hat) - 23, 24
- FreeBSD (FreeBSD) - All
- GNU/Linux (Debian) - 7, 8
- Linux Enterprise Server (SUSE) - 11 SP4, 12 SP1
- Linux Server (Oracle) - 6, 7
- openSUSE (SUSE) - Leap 42.1
- Ubuntu Linux (Ubuntu) - 12.04 LTS, 14.04 LTS, 15.10, 16.04 LTS

Vulnerable Software:
- Squid (Squid) - 1.0, 2.0, 2.1, 2.2, 2.2.5, ..., 4.0.5, 4.0.6, 4.0.7, 4.0.8, 4.0.9
     
Solution   Fixed squid packages for openSUSE Leap 42.1 are available.
     
CVE   CVE-2016-4556
CVE-2016-4555
CVE-2016-4554
CVE-2016-4553
     
References   - SQUID-2016:7 : Cache poisoning issue in HTTP Request handling
http://www.squid-cache.org/Advisories/SQUID-2016_7.txt
- SQUID-2016:8 : Header smuggling issue in HTTP Request processing
http://www.squid-cache.org/Advisories/SQUID-2016_8.txt
- SQUID-2016:9 : Multiple Denial of Service issues in ESI Response processing
http://www.squid-cache.org/Advisories/SQUID-2016_9.txt
- Debian Security Tracker : squid and squid3
https://security-tracker.debian.org/tracker/CVE-2016-4553
https://security-tracker.debian.org/tracker/CVE-2016-4554
https://security-tracker.debian.org/tracker/CVE-2016-4555
https://security-tracker.debian.org/tracker/CVE-2016-4556
- VuXML : squid -- multiple vulnerabilities
http://www.vuxml.org/freebsd/25e5205b-1447-11e6-9ead-6805ca0b3d42.html
- DLA 478-1 : squid3 security update
https://lists.debian.org/debian-lts-announce/2016/05/msg00028.html
- RHSA-2016:1139 : squid security update
http://rhn.redhat.com/errata/RHSA-2016-1139.html
- CESA-2016:1139 : Moderate CentOS 7 squid Security Update
http://lists.centos.org/pipermail/centos-announce/2016-May/021900.html
- ELSA-2016-1138 : Oracle Linux 6 squid security update
http://oss.oracle.com/pipermail/el-errata/2016-May/006097.html
- ELSA-2016-1140 : Oracle Linux 6 squid34 security update
http://oss.oracle.com/pipermail/el-errata/2016-May/006098.html
- ELSA-2016-1139 : Oracle Linux 7 squid security update
http://oss.oracle.com/pipermail/el-errata/2016-May/006095.html
- RHSA-2016:1138 : squid security update
http://rhn.redhat.com/errata/RHSA-2016-1138.html
- CESA-2016:1138 : Moderate CentOS 6 squid Security Update
http://lists.centos.org/pipermail/centos-announce/2016-May/021896.html
- CESA-2016:1140 : Moderate CentOS 6 squid34 Security Update
http://lists.centos.org/pipermail/centos-announce/2016-May/021897.html
- RHSA-2016:1140 : squid34 security update
http://rhn.redhat.com/errata/RHSA-2016-1140.html
- USN-2995-1 : Squid vulnerabilities
http://www.ubuntu.com/usn/usn-2995-1/
- DSA 3625-1 : squid3 security update
https://lists.debian.org/debian-security-announce/2016/msg00203.html
- FEDORA-2016-b3b9407940 : Fedora 23 Update: squid-3.5.10-4.fc23
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TUSMYOQLTNGZMOOC7JH4PUKJJAZCFN2Y/
- FEDORA-2016-95edf19d8a : Fedora 24 Update: squid-3.5.19-2.fc24
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UDA22FZ3PENTZHB636VUSXD3FPICUKKQ/
- DLA 558-1 : squid security update
https://lists.debian.org/debian-lts-announce/2016/07/msg00019.html
- SUSE-SU-2016:1996-1 : important: Security update for squid3
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00010.html
- SUSE-SU-2016:2008-1 : Security update for squid
http://lists.suse.com/pipermail/sle-security-updates/2016-August/002194.html
- openSUSE-SU-2016:2081-1 : Security update for squid
https://lists.opensuse.org/opensuse-updates/2016-08/msg00069.html
     
Vulnerability Manager Detection   No
     
IPS Protection   ASQ Engine alarm (Available Since)
- HTTP Request Smuggling : HTTP command found in header (3.2.0)
- HTTP Request Smuggling : Content-Length and Transfer-Encoding: chunked fields in header (3.2.0)
- HTTP Request Smuggling : suspicious syntax using HTTP keyword (3.2.0)
- HTTP Request Smuggling : multiple Content-Length fields (3.2.0)
     


 
 
 
 
Risk level   Moderate

Vulnerability First Public Report Date   2016-05-06

Target Type   Server

Possible exploit   Remote