__________________________________________________________________

    Squid Proxy Cache Security Update Advisory SQUID-2019:1
__________________________________________________________________

Advisory ID:        SQUID-2019:1
Date:               July 12, 2019
Summary:            Denial of Service issue in cachemgr.cgi
Affected versions:  Squid 4.x -> 4.7
Fixed in version:   Squid 4.8
__________________________________________________________________

    http://www.squid-cache.org/Advisories/SQUID-2019_1.txt
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12854
__________________________________________________________________

Problem Description:

 Due to incorrect string termination the cachemgr.cgi may access
 unallocated memory. On systems with memory access protections
 this can result in the CGI process terminating unexpectedly,
 resulting in a denial of service for all clients using it.

__________________________________________________________________

Severity:

 This problem allows a remote attacker with access to the Squid
 manager API to perform a denial of service on other clients.

 This problem is limited to the cachemgr CGI binary.

 Web servers which run per-client instances of CGI tools are
 affected by the issue, but the denial of service is not able to
 affect other clients.

__________________________________________________________________

Updated Packages:

 This bug is fixed by Squid version 4.8.

 In addition, patches addressing this problem for the stable
 releases can be found in our patch archives:

Squid 4:

 If you are using a prepackaged version of Squid then please refer
 to the package vendor for availability information on updated
 packages.

__________________________________________________________________

Determining if your version is vulnerable:

 All cachemgr.cgi 3.x and older versions are not vulnerable.

 All cachemgr.cgi 4.x versions up to and including 4.7 are
 vulnerable.

 All Squid-4.7 and older versions accessed via the http:// URL
 manager interface are not vulnerable.

 To determine the version and interface, look at the footer of
 manager reports for the "Generated by" string.

__________________________________________________________________

Workarounds:

Either;

 Convert to exclusively using the HTTP manager interface until
 cachemgr.cgi can be upgraded to a fixed build.

Or;

 Deny all access with 'manager' ACL in squid.conf.

 This completely removes the vulnerability at cost of reduced
 management and monitoring capabilities.

__________________________________________________________________

Contact details for the Squid project:

 For installation / upgrade support on binary packaged versions
 of Squid: Your first point of contact should be your binary
 package vendor.

 If you install and build Squid from the original Squid sources
 then the squid-users@lists.squid-cache.org mailing list is your
 primary support point. For subscription details see .

 For reporting of non-security bugs in the latest STABLE release
 the squid bugzilla database should be used .

 For reporting of security sensitive bugs send an email to the
 squid-bugs@lists.squid-cache.org mailing list. It's a closed
 list (though anyone can post) and security related bug reports
 are treated in confidence until the impact has been established.

__________________________________________________________________

Credits:

 This vulnerability was discovered by Alex Rousskov of The
 Measurement Factory.

 Fixed by Amos Jeffries from Treehouse Networks Ltd.

__________________________________________________________________

Revision history:

 2019-04-10 21:13:50 UTC Initial Report
 2019-05-18 09:43:41 UTC Patch Released
 2019-06-16 10:52:51 UTC CVE Assignment
 2019-07-12 13:00:00 UTC Advisory Released
__________________________________________________________________
END
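
The second workaround listed above, written out as a squid.conf fragment. This is an added example, not part of the Squid project's advisory; it assumes the stock Squid 4 default rules and the built-in 'manager' ACL, so compare it with the rules actually present in your file.

```conf
# squid.conf: workaround for SQUID-2019:1 (added example, assumes the
# stock Squid 4 default rules shown commented out below).
#
# Stock default: manager requests are allowed from localhost, which is
# the path a cachemgr.cgi on the same host uses to reach Squid.
#
#   http_access allow localhost manager
#   http_access deny manager
#
# Workaround: remove or comment out every "allow ... manager" rule and
# deny all manager requests. http_access rules are checked in order and
# the first match wins, so this line must come before any broader
# "http_access allow" rule that could match a manager request first.
http_access deny manager
```

Validate the edited file with `squid -k parse` and load it with `squid -k reconfigure`. As the advisory states, manager reports are then unavailable through any interface until the rule is reverted.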