__________________________________________________________________

    Squid Proxy Cache Security Update Advisory SQUID-2005:2
__________________________________________________________________

Advisory ID:            SQUID-2005:2
Date:                   January 15, 2005
Summary:                Denial of service by forged WCCP messages
Affected versions:      All versions up to and including 2.5.STABLE7
__________________________________________________________________

    http://www.squid-cache.org/Advisories/SQUID-2005_2.txt
__________________________________________________________________

Problem Description:

    A bug exists in the code that parses WCCP messages. An attacker
    who sends a malformed WCCP message with a spoofed source address
    matching Squid's "home router" (the address given by the
    'wccp_router' directive) can crash Squid.
__________________________________________________________________

Severity:

    The bug is important because it allows remote attackers to crash
    Squid, causing a disruption in service.

    However, the bug is exploitable only if you have configured Squid
    to send WCCP messages to a router, and only if the attacker can
    send UDP messages with a forged source address to Squid's WCCP
    port. Sites that do not use WCCP are not vulnerable.
__________________________________________________________________

Updated Packages:

    An individual patch for this issue can be found in our patch
    archive for version Squid-2.5.STABLE7:

    http://www.squid-cache.org/Versions/v2/2.5/bugs/squid-2.5.STABLE7-wccp_denial_of_service.patch

    If necessary, this short patch should also apply to previous
    versions of Squid.

    If you are using a prepackaged version of Squid then please refer
    to the package vendor for availability information on updated
    packages.
__________________________________________________________________

Determining if your version is vulnerable:

    Your installation is vulnerable if:

    (1) you have configured Squid to send WCCP messages to a router,
        and thus expect replies from a router, and

    (2) UDP messages with spoofed source addresses can reach Squid.
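    Condition (1) can be checked on the Squid host itself. The
    following shell script is an added example, not code from this
    advisory or the Squid project: it looks for an active
    'wccp_router' directive in squid.conf and for the "Accepting WCCP
    messages" line in cache.log that the advisory identifies, and then
    applies the advisory's squid.conf workaround (commenting the
    directive out) to a copy of the file. The squid.conf and cache.log
    contents are constructed sample inputs, and the timestamp format
    of the cache.log lines is an assumption. Condition (2), whether
    spoofed UDP can reach the host, cannot be decided from the host
    and is not checked.

```shell
#!/bin/sh
# Added example (not from the advisory or the Squid project): check the
# advisory's condition (1) on a Squid host and apply the squid.conf
# workaround. Condition (2), whether spoofed UDP can reach the host,
# cannot be determined from the host itself and is not checked here.

# Constructed sample inputs standing in for the real files. The
# 'wccp_router' directive and the "Accepting WCCP messages" line are
# the ones named in the advisory; the cache.log timestamp format is
# an assumption.
SQUID_CONF="${TMPDIR:-/tmp}/squid-wccp-example.$$.conf"
CACHE_LOG="${TMPDIR:-/tmp}/squid-wccp-example.$$.cache.log"

cat > "$SQUID_CONF" <<'EOF'
http_port 3128
# wccp_router 192.0.2.254    (inactive: commented out)
wccp_router 192.0.2.1
wccp_version 4
EOF

cat > "$CACHE_LOG" <<'EOF'
2005/01/15 04:20:00| Starting Squid Cache version 2.5.STABLE7 ...
2005/01/15 04:20:00| Accepting HTTP connections at 0.0.0.0, port 3128, FD 14.
2005/01/15 04:20:00| Accepting WCCP messages on port 2048, FD 15.
EOF

# True (exit 0) if squid.conf carries an active, uncommented
# wccp_router line; a line starting with '#' does not count.
wccp_configured() {
    grep -Eq '^[[:space:]]*wccp_router[[:space:]]' "$1"
}

# Prints the router address Squid expects WCCP replies from, i.e. the
# source address an attacker would have to forge.
wccp_router_address() {
    awk '$1 == "wccp_router" { print $2 }' "$1"
}

# True (exit 0) if cache.log shows Squid listening for WCCP messages.
wccp_listening() {
    grep -q 'Accepting WCCP messages on port' "$1"
}

# Workaround from the advisory: write a copy of squid.conf with every
# active wccp_router directive commented out. The original file is
# left untouched so the change can be reviewed before it is applied.
disable_wccp() {
    sed -E 's/^([[:space:]]*)(wccp_router[[:space:]])/\1# \2/' "$1" > "$2"
}

if wccp_configured "$SQUID_CONF" && wccp_listening "$CACHE_LOG"; then
    echo "Condition (1) met: Squid expects WCCP replies from $(wccp_router_address "$SQUID_CONF")"
    echo "Apply the patch or disable WCCP; a copy with the directive commented out:"
    disable_wccp "$SQUID_CONF" "$SQUID_CONF.nowccp"
    grep -n 'wccp_router' "$SQUID_CONF.nowccp"
else
    echo "WCCP not in use; not affected by SQUID-2005:2"
fi
```

    Run it against the real paths (typically /etc/squid/squid.conf
    and /var/log/squid/cache.log on a 2.5 installation; the locations
    are an assumption and depend on how Squid was built or packaged).
    The FD number in the cache.log line varies between installations,
    which is why the check matches on the message text rather than
    the whole line. A positive result from this script only says that
    Squid is waiting for WCCP replies from the printed router address;
    whether an attacker can deliver UDP with that forged source address
    is a property of the network, not of the host.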
    For (1), look for the 'wccp_router' directive in your squid.conf
    file. Also, look for this line in cache.log (the FD number will
    vary):

        Accepting WCCP messages on port 2048, FD 15

    For (2), whether or not your network accepts spoofed packets
    depends on the features and configuration of your networking
    equipment.
__________________________________________________________________

Workarounds:

    If WCCP is not essential to your operation, disable it by
    commenting out the 'wccp_router' directive in squid.conf.

    You may also compile Squid without any WCCP code at all by giving
    the --disable-wccp option to the ./configure script.

    Finally, enable features, such as unicast reverse path forwarding
    (uRPF), on your routers and switches to prevent spoofed packets
    from reaching Squid. Note that uRPF only blocks spoofed packets
    that cross an interface where it is enabled; a host that can reach
    Squid without passing such an interface can still forge the
    router's source address.
__________________________________________________________________

Contact details for the Squid project:

    For installation / upgrade support:

    Your first point of contact should be your binary package vendor.

    If your install is built from the original Squid sources, then the
    squid-users@squid-cache.org mailing list is your primary support
    point. (see for subscription details).

    For bug reporting, particularly security related bugs, the
    squid-bugs@squid-cache.org mailing list is the appropriate forum.
    It's a closed list (though anyone can post) and security related
    bug reports are treated in confidence until the impact has been
    established.

    For non security related bugs, the squid bugzilla database should
    be used.
__________________________________________________________________

Credits:

    The vulnerability was reported by infamous41md.
__________________________________________________________________

Revision history:

    2005-01-15 04:20 GMT Initial release of this document
    2010-09-16 07:05 GMT Reference link updates
__________________________________________________________________
END