__________________________________________________________________ 

      Squid Proxy Cache Security Update Advisory SQUID-2002:3 
__________________________________________________________________ 

Advisory ID: SQUID-2002:3 
Date: July 3, 2002 
Summary: Squid-2.4.STABLE7 released to address a 
                        number of security related issues. 
Affected versions: Squid-2.x up to and including 2.4.STABLE6 
__________________________________________________________________ 

       http://www.squid-cache.org/Advisories/SQUID-2002_3.txt 
__________________________________________________________________ 

Problem Description: 

 squid-2.4.STABLE7 has been released to address a number of 
 security issues in Squid and related software. All users of the 
 Squid HTTP Proxy are strongly encouraged to upgrade. 

 Security related changes in the 2.4.STABLE7 release: 

 - Several bugfixes and cleanup of the Gopher client, both 
   to correct some security issues and to make Squid properly 
   render certain Gopher menus. 
 - Security fixes in how Squid parses FTP directory listings into 
   HTML 
 - FTP data channels are now sanity checked to match the address 
   of the requested FTP server. This to prevent theft or injection 
   of data. See the new ftp_sanitycheck directive if this sanity 
   check is not desired. 
 - The MSNT auth helper has been updated to v2.0.3+fixes for 
   buffer overflow security issues found in this helper. 
 - A security issue in how Squid forwards proxy authentication 
   credentials has been fixed 

 Other changes in the 2.4.STABLE7 release: 

 - Squid now correctly rejects any requests using transfer- 
   encoding. Squid is a HTTP/1.0 proxy and as such does not 
   implement or support transfer-encoding. 
 - Minor changes to support Apple MAC OS X and some other 
   platforms more easily. 
 - The client -T option has been implemented 
 - HTCP related bugfixes in "squid -k reconfigure" 

 For more details on the changes see the descriptions in our 
 patch archive for version Squid-2.4.STABLE6: 

   http://www.squid-cache.org/Versions/v2/2.4/bugs/ 

------------------------------------------------------------------ 

Severity: 

 It is believed that several of the Gopher bug and the FTP 
 directory parsing related bugs can be exploited to allow remote 
 execution of code. 

 The user executing the attack must be allowed to use the proxy 
 for any potential attack to be successful, but it is believed 
 that a remote attacker can use a small amount of social 
 engineering to make an attack without direct access to the proxy. 

 The third issue relating to FTP data channels is minor in nature 
 in most installations, but there may be unfortunate interactions 
 with firewalling policies etc making it a more severe issue than 
 normal. 

 The MSNT auth helper issue is believed to possibly allow remote 
 execution of code in certain configurations. 

 The issue in forwarding of proxy authentication credentials may 
 expose your users private proxy login+password to selected 
 external web sites depending on your configuration. 

__________________________________________________________________ 

Updated Packages: 

 The Squid-2.4.STABLE7 release contains fixes for all these 
 problems. You can download the Squid-2.4.STABLE7 release from 

   ftp://ftp.squid-cache.org/pub/squid-2/STABLE/ 
   http://www.squid-cache.org/Versions/v2/2.4/ 

 or the mirrors (may take a while before all mirrors are updated). 
 For a list of mirror sites see 

   http://www.squid-cache.org/Mirrors/ftp-mirrors.html 
   http://www.squid-cache.org/Mirrors/http-mirrors.html 

 Individual patches to the mentioned issues can be found from our 
 patch archive for version Squid-2.4.STABLE6 

   http://www.squid-cache.org/Versions/v2/2.4/bugs/ 

 The patches should also apply with only a minimal effort to 
 earlier Squid 2.4 versions if required. 

 If you are using a prepackaged version of Squid then please 
 refer to the package vendor for availability information on 
 updated packages. 

__________________________________________________________________ 

Determining if your version is vulnerable: 

 To determine which version of Squid you are using, run the command 

    squid -v 

 You are likely to be vulnerable to these issues if you are 
 running version 2.4.STABLE6 or earlier. 

 If you are using a binary or otherwise pre-packaged version 
 please verify with your vendor on which versions are affected as 
 some vendors ship earlier versions with the needed patches 
 applied. Note that unless you have upgraded to a version 
 released after 2002-07-01 you are most likely vulnerable to 
 these issues. 

 There is no easy means to determine if your version is affected 
 other than by the Squid version number. 

 You may be vulnerable to the MSNT auth issue if your squid.conf 
 file contains the directive 

   authenticate_program /usr/local/squid/libexec/squid/msnt_auth 

 and you have not upgraded your copy of msnt_auth to a corrected 
 version 

 Note: msnt_auth is sometimes installed as msntauth, and the path 
 may differ depending on the installation method. 

__________________________________________________________________ 

Other versions of Squid: 

 Versions prior to the 2.4 series are deprecated, please update 
 to Squid-2.4.STABLE7 if you are using a version older than 2.4. 

 Users of unreleased versions of squid (2.6.DEVEL or 2.5.PRE 
 versions) should run the most recent version available to ensure 
 that security issues arising during the development are addressed 
 as quickly as possible. Furthermore, unreleased versions should 
 not be used in a production environment. 

__________________________________________________________________ 

Workarounds: 

 We recommend that you upgrade rather than try to workaround the 
 issues by configuration. To most of the issues there is no easy 
 workarounds that does not severely impact the functionality. 

 The Gopher and FTP issues can be worked around by denying proxying 
 of ftp:// or gopher:// URLs, for example by inserting the following 
 lines at the top of your squid.conf 

   # Workaround for bugs in Squid-2.4.STABLE6 and earlier 
   acl workaround proto FTP Gopher 
   http_access deny workaround 

 The authentication credentials issue only applies if you are using 
 proxy authentication, allow users access to some sites without 
 the need to authenticate and you do not fully trust these sites or 
 the network between these sites and the proxy. To work around the 
 problem make sure your users needs to authenticate on all sites or 
 none. 

 If you are using the msnt_auth authentication helper then you are 
 only vulnerable if you are using the allowusers or denyusers 
 extension of msnt_auth. To work around this defiance of msnt_auth 
 you can use the proxy_auth acl type to specify the valid users 
 and delete the allowusers and denyusers files. 

__________________________________________________________________ 

Contact details for the squid project: 

 For installation / upgrade support: Your first point of contact 
 should be your binary package vendor. 

 If your install is built from the original squid sources, then 
 the squid-users@squid-cache.org mailing list is your primary 
 support point. (see <http://www.squid-cache.org/mailing-lists.html> 
 for subscription details). 

 For bug reporting, particularly security related bugs the 
 squid-bugs@squid-cache.org mailing list is the appropriate forum. 
 It's a closed list (though anyone can post) and security related 
 bug reports are treated in confidence until the impact has been 
 established. For non security related bugs, the squid bugzilla 
 database should be used <http://www.squid-cache.org/bugs/>. 

__________________________________________________________________ 

Credits: 

 Olaf Kirch (formerly @ Caldera), for reporting the FTP and Gopher 
 related issues 

 MARA Systems AB, for sponsoring the development of patches to the 
 FTP, Gopher, authentication and transfer encoding issues. 

 Duane Wessels, for fixes to the MSNT auth helper 

__________________________________________________________________ 

Revision history: 

 2002-07-03 21:10 GMT Initial release 
__________________________________________________________________ 
END