Overview

The Squid web proxy cache may fail to handle empty Access Control Lists (ACLs) in the intended manner.

Description

Squid functions as a web proxy and cache application for a number of protocols. However, Squid Access Control List (ACL) routines may not parse an empty list as intended. An empty list may be interpreted as a nonexistent list rather than a list containing no members. This may or may not be the intended behavior.

---

Impact

Unintended access may be granted to all members instead of the intended result of access being denied to all members.

---

Solution

Apply an update

This flaw has been patched in Squid 2.5.STABLE8. More details are available in the Squid Bugzilla bug #1166.

---

Team Squid recommends:

Pay attention to warnings from “squid -k parse” and do not use configurations where there are warnings about access controls in production.

---

Vendor Information

260421

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Squid __ Affected

Notified: December 21, 2004 Updated: February 18, 2005

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

This flaw has been patched in the current release version, Squid 2.5-STABLE8. More details are available in the Squid Bugzilla bug #1166.

Team Squid has created a patch for the previous release version of Squid (2.5-STABLE7): squid-2.5.STABLE7-empty_acls.patch

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23260421 Feedback>).

Ubuntu Linux __ Affected

Updated: February 21, 2005

Status

Affected

Vendor Statement

`===========================================================
Ubuntu Security Notice USN-84-1 February 21, 2005
squid vulnerabilities
CAN-2005-0194, CAN-2005-0446

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)

The following packages are affected:

squid

The problem can be corrected by upgrading the affected package to
version 2.5.5-6ubuntu0.5. In general, a standard system upgrade is
sufficient to effect the necessary changes.

Details follow:

When parsing the configuration file, squid interpreted empty Access
Control Lists (ACLs) without defined authentication schemes in a
non-obvious way. This could allow remote attackers to bypass intended
ACLs. (CAN-2005-0194)

A remote Denial of Service vulnerability was discovered in the domain
name resolution code. A faulty or malicious DNS server could stop the
Squid server immediately by sending a malformed IP address.
(CAN-2005-0446)

Source archives:

<http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid_2.5.5-6ubuntu0.5.diff.gz>
Size/MD5: 273103 b227505fff84a15f636d1a40ef894a59
<http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid_2.5.5-6ubuntu0.5.dsc>
Size/MD5: 652 03dda2b1794bee143c7bb2c907177dec
<http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid_2.5.5.orig.tar.gz>
Size/MD5: 1363967 6c7f3175b5fa04ab5ee68ce752e7b500

Architecture independent packages:

<http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid-common_2.5.5-6ubuntu0.5_all.deb>
Size/MD5: 190542 18ac376117476528d04ecf34c39605c5

amd64 architecture (Athlon64, Opteron, EM64T Xeon)

<http://security.ubuntu.com/ubuntu/pool/universe/s/squid/squid-cgi_2.5.5-6ubuntu0.5_amd64.deb>
Size/MD5: 89972 6c0d1ca2955e65c617a0ffb9835fb7d0
<http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid_2.5.5-6ubuntu0.5_amd64.deb>
Size/MD5: 812832 c4ae1fa8c10241c975be5a5ae713d259
<http://security.ubuntu.com/ubuntu/pool/universe/s/squid/squidclient_2.5.5-6ubuntu0.5_amd64.deb>
Size/MD5: 71320 6426cdd50abe26ff32430f10384f98b6

i386 architecture (x86 compatible Intel/AMD)

<http://security.ubuntu.com/ubuntu/pool/universe/s/squid/squid-cgi_2.5.5-6ubuntu0.5_i386.deb>
Size/MD5: 88484 048eee3bff6f8c1c2a27c422d8d02878
<http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid_2.5.5-6ubuntu0.5_i386.deb>
Size/MD5: 728800 86015fa3f0e70ca114d50600779a5218
<http://security.ubuntu.com/ubuntu/pool/universe/s/squid/squidclient_2.5.5-6ubuntu0.5_i386.deb>
Size/MD5: 70052 fa490312c320b567d0a2ab9aa86516a9

powerpc architecture (Apple Macintosh G3/G4/G5)

<http://security.ubuntu.com/ubuntu/pool/universe/s/squid/squid-cgi_2.5.5-6ubuntu0.5_powerpc.deb>
Size/MD5: 89398 69752585a510d3e5fd35f3855d316354
<http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid_2.5.5-6ubuntu0.5_powerpc.deb>
Size/MD5: 796142 ce07df2197a74e4da2325e39e153b38a
<http://security.ubuntu.com/ubuntu/pool/universe/s/squid/squidclient_2.5.5-6ubuntu0.5_powerpc.deb>
Size/MD5: 70814 1074527b3d8dc744aa1b128713c902ba`

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23260421 Feedback>).

CVSS Metrics

Group	Score	Vector
Base	0	AV:–/AC:–/Au:–/C:–/I:–/A:–
Temporal	0	E:ND/RL:ND/RC:ND
Environmental	0	CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

• [www.squid-cache.org/bugs/show_bug.cgi?id=1166 ](<www.squid-cache.org/bugs/show_bug.cgi?id=1166 >)
• [www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-empty_acls ](<www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-empty_acls >)
• [www.squid-cache.org/Versions/v2/2.5/bugs/squid-2.5.STABLE7-empty_acls.patch ](<www.squid-cache.org/Versions/v2/2.5/bugs/squid-2.5.STABLE7-empty_acls.patch >)
• <http://www.debian.org/security/2005/dsa-667&gt;
• <http://secunia.com/advisories/14157/&gt;
• <http://secunia.com/advisories/14343/&gt;

Acknowledgements

Thanks to Team Squid for reporting this vulnerability.

This document was written by Ken MacInnis.

Other Information

CVE IDs:	CVE-2005-0194
Severity Metric:	0.27 Date Public: