Due to an out of bounds memory access Squid is vulnerable to an
information leak vulnerability when processing WCCPv2 messages.
Severity:
This problem allows a WCCPv2 sender to corrupt Squids list of
known WCCP routers and divert client traffic to attacker
controlled routers.
This attack is limited to Squid proxy with WCCPv2 enabled and
IP spoofing of a router IP address configured as trusted in
squid.conf.
CVSS Score of 7.7
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N/E:X/RL:O/RC:C/CR:H/IR:H/AR:X/MAV:N/MAC:H/MPR:N/MUI:X/MS:U/MC:H/MI:H/MA:X&version=3.1
Updated Packages:
This bug is fixed by Squid versions 4.17 and 5.2.
In addition, patches addressing this problem for the stable
releases can be found in our patch archives:
Squid 4:
http://www.squid-cache.org/Versions/v4/SQUID-2020_12.patch
Squid 5:
http://www.squid-cache.org/Versions/v5/SQUID-2020_12.patch
If you are using a prepackaged version of Squid then please
refer to the package vendor for availability information on
updated packages.
Determining if your version is vulnerable:
All Squid built with --disable-wccpv2 are not vulnerable.
All Squid-3.x up to and including 3.5.28 built with
--enable-wccpv2 and configured with wccp2_router in squid.conf
are vulnerable.
All Squid-3.x up to and including 3.5.28 built without
--disable-wccpv2 and configured with wccp2_router in squid.conf
are vulnerable.
All Squid-4.x up to and including 4.16 built with
--enable-wccpv2 and configured with wccp2_router in squid.conf
are vulnerable.
All Squid-4.x up to and including 4.16 built without
--disable-wccpv2 and configured with wccp2_router in squid.conf
are vulnerable.
All Squid-5.x up to and including 5.1 built with
--enable-wccpv2 and configured with wccp2_router in squid.conf
are vulnerable.
All Squid-5.x up to and including 5.1 built without
--disable-wccpv2 and configured with wccp2_router in squid.conf
are vulnerable.
Workaround:
Either,
The following network security Best Practices will greatly
restrict the ability of any attacker utilizing this
vulnerability. They can be considered workarounds for this
issue:
-
Use Private IP address for control communications (eg WCCPv2)
with routers.
-
Firewall restriction of UDP traffic on port 2048 and any
other UDP ports used for WCCP(v2) control messages to only
permit known devices to communicate with WCCP(v2).
Note that ports used by clients and diverted by WCCP (eg 80
or 443) are not relevant.
-
Ensure the network implements BCP 38 spoofing protection.
Include protection against LAN traffic spoofing as much as
possible.
See also http://www.bcp38.info and https://tools.ietf.org/html/bcp38.
Or,
Build Squid with --disable-wccpv2
Or,
Remove all lines for wccp2_* directives from squid.conf.
The default configuration is not to enable WCCPv2.
Contact details for the Squid project:
For installation / upgrade support on binary packaged versions
of Squid: Your first point of contact should be your binary
package vendor.
If you install and build Squid from the original Squid sources
then the squid-users@lists.squid-cache.org mailing list is
your primary support point. For subscription details see
http://www.squid-cache.org/Support/mailing-lists.html.
For reporting of non-security bugs in the latest STABLE release
the squid bugzilla database should be used
http://bugs.squid-cache.org/.
For reporting of security sensitive bugs send an email to the
squid-bugs@lists.squid-cache.org mailing list. It's a closed
list (though anyone can post) and security related bug reports
are treated in confidence until the impact has been established.
Credits:
This vulnerability was discovered by Lyu working with Trend
Micro Zero Day Initiative.
Fixed by Amos Jeffries of Treehouse Networks Ltd.
Revision history:
2020-08-17 10:43:36 UTC Initial Report
2021-02-09 00:00:00 UTC Advisory Release by ZDI
2021-10-03 00:00:00 UTC Packages Released
END
Due to an out of bounds memory access Squid is vulnerable to an
information leak vulnerability when processing WCCPv2 messages.
Severity:
This problem allows a WCCPv2 sender to corrupt Squids list of
known WCCP routers and divert client traffic to attacker
controlled routers.
This attack is limited to Squid proxy with WCCPv2 enabled and
IP spoofing of a router IP address configured as trusted in
squid.conf.
CVSS Score of 7.7
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N/E:X/RL:O/RC:C/CR:H/IR:H/AR:X/MAV:N/MAC:H/MPR:N/MUI:X/MS:U/MC:H/MI:H/MA:X&version=3.1
Updated Packages:
This bug is fixed by Squid versions 4.17 and 5.2.
In addition, patches addressing this problem for the stable
releases can be found in our patch archives:
Squid 4:
http://www.squid-cache.org/Versions/v4/SQUID-2020_12.patch
Squid 5:
http://www.squid-cache.org/Versions/v5/SQUID-2020_12.patch
If you are using a prepackaged version of Squid then please
refer to the package vendor for availability information on
updated packages.
Determining if your version is vulnerable:
All Squid built with --disable-wccpv2 are not vulnerable.
All Squid-3.x up to and including 3.5.28 built with
--enable-wccpv2 and configured with wccp2_router in squid.conf
are vulnerable.
All Squid-3.x up to and including 3.5.28 built without
--disable-wccpv2 and configured with wccp2_router in squid.conf
are vulnerable.
All Squid-4.x up to and including 4.16 built with
--enable-wccpv2 and configured with wccp2_router in squid.conf
are vulnerable.
All Squid-4.x up to and including 4.16 built without
--disable-wccpv2 and configured with wccp2_router in squid.conf
are vulnerable.
All Squid-5.x up to and including 5.1 built with
--enable-wccpv2 and configured with wccp2_router in squid.conf
are vulnerable.
All Squid-5.x up to and including 5.1 built without
--disable-wccpv2 and configured with wccp2_router in squid.conf
are vulnerable.
Workaround:
Either,
The following network security Best Practices will greatly
restrict the ability of any attacker utilizing this
vulnerability. They can be considered workarounds for this
issue:
Use Private IP address for control communications (eg WCCPv2)
with routers.
Firewall restriction of UDP traffic on port 2048 and any
other UDP ports used for WCCP(v2) control messages to only
permit known devices to communicate with WCCP(v2).
Note that ports used by clients and diverted by WCCP (eg 80
or 443) are not relevant.
Ensure the network implements BCP 38 spoofing protection.
Include protection against LAN traffic spoofing as much as
possible.
See also http://www.bcp38.info and https://tools.ietf.org/html/bcp38.
Or,
Build Squid with --disable-wccpv2
Or,
Remove all lines for wccp2_* directives from squid.conf.
The default configuration is not to enable WCCPv2.
Contact details for the Squid project:
For installation / upgrade support on binary packaged versions
of Squid: Your first point of contact should be your binary
package vendor.
If you install and build Squid from the original Squid sources
then the squid-users@lists.squid-cache.org mailing list is
your primary support point. For subscription details see
http://www.squid-cache.org/Support/mailing-lists.html.
For reporting of non-security bugs in the latest STABLE release
the squid bugzilla database should be used
http://bugs.squid-cache.org/.
For reporting of security sensitive bugs send an email to the
squid-bugs@lists.squid-cache.org mailing list. It's a closed
list (though anyone can post) and security related bug reports
are treated in confidence until the impact has been established.
Credits:
This vulnerability was discovered by Lyu working with Trend
Micro Zero Day Initiative.
Fixed by Amos Jeffries of Treehouse Networks Ltd.
Revision history:
2020-08-17 10:43:36 UTC Initial Report
2021-02-09 00:00:00 UTC Advisory Release by ZDI
2021-10-03 00:00:00 UTC Packages Released
END