Ubuntu: Security Advisory (USN-77-1)

# SPDX-FileCopyrightText: 2022 Greenbone AG
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-only

if(description)
{
  script_oid("1.3.6.1.4.1.25623.1.1.12.2005.77.1");
  script_cve_id("CVE-2005-0173", "CVE-2005-0174", "CVE-2005-0175", "CVE-2005-0211");
  script_tag(name:"creation_date", value:"2022-08-26 07:43:23 +0000 (Fri, 26 Aug 2022)");
  script_version("2024-02-02T05:06:10+0000");
  script_tag(name:"last_modification", value:"2024-02-02 05:06:10 +0000 (Fri, 02 Feb 2024)");
  script_tag(name:"cvss_base", value:"7.5");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:P/I:P/A:P");

  script_name("Ubuntu: Security Advisory (USN-77-1)");
  script_category(ACT_GATHER_INFO);
  script_copyright("Copyright (C) 2022 Greenbone AG");
  script_family("Ubuntu Local Security Checks");
  script_dependencies("gather-package-list.nasl");
  script_mandatory_keys("ssh/login/ubuntu_linux", "ssh/login/packages", re:"ssh/login/release=UBUNTU4\.10");

  script_xref(name:"Advisory-ID", value:"USN-77-1");
  script_xref(name:"URL", value:"https://ubuntu.com/security/notices/USN-77-1");

  script_tag(name:"summary", value:"The remote host is missing an update for the 'squid' package(s) announced via the USN-77-1 advisory.");

  script_tag(name:"vuldetect", value:"Checks if a vulnerable package version is present on the target host.");

  script_tag(name:"insight", value:"A possible authentication bypass was discovered in the LDAP
authentication backend. LDAP ignores leading and trailing whitespace
in search filters. This could possibly be abused to bypass explicit
access controls or confuse accounting when using several variants of
the login name. (CAN-2005-0173)

Previous Squid versions were not strict enough while parsing HTTP
requests and responses. Various violations of the HTTP protocol, such
as multiple Content-Length header lines, invalid 'Carriage Return'
characters, and HTTP header names containing whitespace, led to cache
pollution and could possibly be exploited to deliver wrong content to
clients. (CAN-2005-0174)

Squid was susceptible to a cache poisoning attack called 'HTTP
response splitting', where false replies are injected in the HTTP
stream. This allowed malicious web servers to forge wrong cache
content for arbitrary web sites, which was then delivered to Squid
clients. (CAN-2005-0175)

The FSC Vulnerability Research Team discovered a buffer overflow in
the WCCP handling protocol. By sending an overly large WCCP packet, a
remote attacker could crash the Squid server, and possibly even
execute arbitrary code with the privileges of the 'proxy' user.
(CAN-2005-0211)");

  script_tag(name:"affected", value:"'squid' package(s) on Ubuntu 4.10.");

  script_tag(name:"solution", value:"Please install the updated package(s).");

  script_tag(name:"solution_type", value:"VendorFix");
  script_tag(name:"qod_type", value:"package");

  exit(0);
}

include("revisions-lib.inc");
include("pkg-lib-deb.inc");

release = dpkg_get_ssh_release();
if(!release)
  exit(0);

res = "";
report = "";

if(release == "UBUNTU4.10") {

  if(!isnull(res = isdpkgvuln(pkg:"squid", ver:"2.5.5-6ubuntu0.4", rls:"UBUNTU4.10"))) {
    report += res;
  }

  if(!isnull(res = isdpkgvuln(pkg:"squid-cgi", ver:"2.5.5-6ubuntu0.4", rls:"UBUNTU4.10"))) {
    report += res;
  }

  if(!isnull(res = isdpkgvuln(pkg:"squid-common", ver:"2.5.5-6ubuntu0.4", rls:"UBUNTU4.10"))) {
    report += res;
  }

  if(!isnull(res = isdpkgvuln(pkg:"squidclient", ver:"2.5.5-6ubuntu0.4", rls:"UBUNTU4.10"))) {
    report += res;
  }

  if(report != "") {
    security_message(data:report);
  } else if(__pkg_match) {
    exit(99);
  }
  exit(0);
}

exit(0);