
Advisory ROSA-SA-2021-1976

2021-07-02 18:10:45
ROSA LAB
abf.rosalinux.ru

CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score: 9.6 High
Confidence: High

CVSS2: 7.5 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS: 0.931 High
Percentile: 99.0%

Software: squid 3.5.20
OS: Cobalt 7.9

CVE-ID: CVE-2016-10003
CVE-Crit: HIGH
CVE-DESC: An incorrect comparison of HTTP request headers in Squid HTTP Proxy 3.5.0.0.1-3.5.22 and 4.0.1-4.0.16 causes Collapsed Forwarding to incorrectly identify some private responses as suitable for delivery to multiple clients.
CVE-STATUS: Default
CVE-REV: default

CVE-ID: CVE-2018-19131
CVE-Crit: MEDIUM
CVE-DESC: Squid before 4.4 has XSS via a crafted X.509 certificate during HTTP(S) error page generation for certificate errors.
CVE-STATUS: Default
CVE-REV: Default

CVE-ID: CVE-2018-19132
CVE-Crit: MEDIUM
CVE-DESC: Squid before 4.4, when SNMP is enabled, allows denial of service (memory leak) via an SNMP packet.
CVE-STATUS: Default
CVE-REV: Default

CVE-ID: CVE-2019-12526
CVE-Crit: CRITICAL
CVE-DESC: An issue was discovered in Squid prior to version 4.9. The processing of URN responses in Squid suffers from a heap-based buffer overflow. When receiving data from a remote server in response to a URN request, Squid cannot ensure that the response fits in the buffer. This results in a heap-based data overflow controlled by an attacker.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2019-12528
CVE-Crit: HIGH
CVE-DESC: An issue was discovered in Squid prior to 4.10. It allows a crafted FTP server to trigger disclosure of sensitive information from dynamic memory, such as information related to other users' sessions or non-Squid processes.
CVE-STATUS: Default
CVE-REV: default

CVE-ID: CVE-2019-12529
CVE-Crit: MEDIUM
CVE-DESC: The issue was found in Squid 2.x - 2.7.STABLE9, 3.x - 3.5.28, and 4.x - 4.7. When Squid is configured to use basic authentication, the Proxy-Authorization header is parsed by uudecode. uudecode determines how many bytes will be decoded by iterating over the input and checking its table. The length is then used to start decoding the string. There are no checks to make sure that the calculated length does not exceed the input buffer size. This results in adjacent memory also being decoded. An attacker cannot obtain the decoded data unless the Squid maintainer has configured the display of usernames on error pages.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2019-12523
CVE-Crit: CRITICAL
CVE-DESC: An issue was discovered in Squid before version 4.9. When processing a URN request, the corresponding HTTP request is executed. This HTTP request does not pass the access checks that incoming HTTP requests pass. This has the effect of bypassing all access checks and allowing access to restricted HTTP servers, e.g. an attacker can connect to HTTP servers that only listen to localhost.
CVE-STATUS: Default
CVE-REV: Default

CVE-ID: CVE-2019-12524
CVE-Crit: CRITICAL
CVE-DESC: An issue was discovered in Squid prior to version 4.7. When processing requests from users, Squid checks its rules to see if the request should be denied. Squid by default comes with rules to block access to the Cache Manager, which provides detailed server information intended for maintenance personnel. This rule is implemented via url_regex. The url_regex rule URL handler decodes the incoming request. This allows an attacker to encode their URL to bypass the url_regex check and access the blocked resource.
CVE-STATUS: Default
CVE-REV: Default

CVE-ID: CVE-2019-12521
CVE-Crit: MEDIUM
CVE-DESC: An issue was discovered in Squid before version 4.7. When Squid parses ESI, it stores ESI items in ESIContext. ESIContext contains a buffer to store a stack of ESIElements. When a new ESIElement is parsed, it is added via addStackElement. addStackElement has a check for the number of elements in this buffer, but it is off by one, which results in a heap overflow of one element. The overflow is within the same structure, so it cannot affect neighboring memory blocks and thus only causes a failure during processing.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2019-12520
CVE-Crit: HIGH
CVE-DESC: The issue was discovered in Squid through 4.7 and 5. When Squid receives a request, it checks its cache to see if it can serve a response. It does this by creating an MD5 hash of the absolute URL of the request. If it is found, it serves the request. The absolute URL may include decoded UserInfo (username and password) for certain protocols. This decoded information is appended to the domain. This allows an attacker to specify a username with special characters to separate the domain and treat the rest of the URL as a path or query string. An attacker can first make a request to their domain using the encoded username, and then, when a request comes in for the target domain that decodes to the exact same URL, it will serve the attacker's HTML instead of the actual HTML. On Squid servers that also act as reverse proxies, this allows the attacker to access features that only reverse proxies can use, such as ESI.
CVE-STATUS: Default
CVE-REV: Default

CVE-ID: CVE-2019-12522
CVE-Crit: MEDIUM
CVE-DESC: An issue was discovered in Squid before version 4.7. When Squid is started as root, it spawns its child processes as a smaller user, the default user is nobody. This is done by calling leave_suid. leave_suid leaves the saved UID set to 0. This makes it trivial for an attacker who has compromised a child process to elevate its privileges to root.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2019-18677
CVE-Crit: MEDIUM
CVE-DESC: An issue was found in Squid 3.x and 4.x through 4.8 when using the append_domain parameter (because the appended characters do not interact properly with hostname length restrictions). Due to incorrect message processing, it can incorrectly redirect traffic to origins it should not be delivered to.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2019-18678
CVE-Crit: MEDIUM
CVE-DESC: An issue has been discovered in Squid 3.x and 4.x through 4.8. It allows attackers to smuggle HTTP requests through frontend software to a Squid instance that splits the HTTP request pipeline differently. The resulting response messages corrupt caches (between the client and Squid) with attacker-controlled content at arbitrary URLs. The effects are isolated to software between the attacker and Squid; Squid itself and any upstream servers are not affected. The problem is due to a request header containing whitespace between the header name and the colon.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2019-18679
CVE-Crit: HIGH
CVE-DESC: The issue was discovered in Squid 2.x, 3.x and 4.x through 4.8. Due to improper data management, it is vulnerable to information disclosure when processing HTTP digest authentication. Nonce markers contain the raw byte value of a pointer located in allocated heap memory. This information reduces ASLR defenses and can help attackers isolate memory regions for remote code execution attacks.
CVE-STATUS: Default
CVE-REV: Default

CVE-ID: CVE-2019-18860
CVE-Crit: MEDIUM
CVE-DESC: Squid before 4.9, when certain web browsers are used, does not properly handle HTML in the host parameter (also known as hostname) in cachemgr.cgi.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2019-18676
CVE-Crit: HIGH
CVE-DESC: An issue has been found in Squid 3.x and 4.x through 4.8. Improper input validation causes a heap-based buffer overflow, which can cause a denial of service for all clients using the proxy. The severity is high because this vulnerability occurs before normal security checks; any remote client that can contact the proxy port can easily perform an attack via a crafted URI scheme.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2020-15811
CVE-Crit: MEDIUM
CVE-DESC: The issue was found in Squid before 4.13 and 5.x before 5.0.4. Due to incorrect data validation, HTTP request splitting attacks can succeed against HTTP and HTTPS traffic. This results in cache poisoning. It allows any client, including browser scripts, to bypass local security and poison the browser cache and any subsequent caches with content from an arbitrary source. Squid uses a string search instead of parsing the Transfer-Encoding header to detect chunked encoding. This allows an attacker to hide a second request inside Transfer-Encoding: Squid interprets it as chunked and splits it into a second request that is delivered upstream. Squid then sends two different responses to the client, corrupting all downstream caches.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2020-15810
CVE-Crit: MEDIUM
CVE-DESC: The issue was found in Squid before 4.13 and 5.x before 5.0.4. Due to improper data validation, HTTP request smuggling attacks can succeed against HTTP and HTTPS traffic. This results in cache poisoning. It allows any client, including browser scripts, to bypass local security and poison the proxy cache and any subsequent caches with content from an arbitrary source. When configured for relaxed header parsing (the default), Squid relays headers containing whitespace characters to upstream servers. When this occurs as a prefix to a Content-Length header, the specified frame length is ignored by Squid (allowing the conflicting length from another Content-Length header to be used) but is still relayed upstream.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2020-14058
CVE-Crit: HIGH
CVE-DESC: The issue was discovered in Squid before 4.12 and 5.x before 5.0.3. Due to the use of a potentially dangerous function, Squid and the default certificate validation helper are vulnerable to denial of service when opening a TLS connection to an attacker-controlled server for HTTPS. This is because unrecognized error values are mapped to NULL, but later code expects each error value to map to a valid error string.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2020-15049
CVE-Crit: HIGH
CVE-DESC: An issue was found in http/ContentLengthInterpreter.cc in Squid before 4.12 and 5.x before 5.0.3. A request smuggling and poisoning attack can succeed against an HTTP cache. The client sends an HTTP request with a Content-Length header whose length field value carries a "+" or "-" or an uncommon shell whitespace character prefix.
CVE-STATUS: Default
CVE-REV: default
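As an added illustration (not Squid's code and not part of this advisory), the following constructed Python validator applies the strict HTTP/1.1 framing rules that the Content-Length and Transfer-Encoding entries above (CVE-2019-18678, CVE-2020-15049, CVE-2020-15810, CVE-2020-15811) call for; it rejects each malformed form those descriptions name rather than relaying it. All function names and sample header blocks are assumptions made here.

```python
import re

# Constructed example, not Squid's code: a strict HTTP/1.1 framing check
# that rejects the malformations named in this advisory: whitespace before
# the header colon (CVE-2019-18678, CVE-2020-15810), a "+", "-" or unusual
# whitespace prefix on Content-Length (CVE-2020-15049), conflicting
# Content-Length values (CVE-2020-15810), and Transfer-Encoding matched by
# substring instead of by parsing its coding list (CVE-2020-15811).
TOKEN_RE = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")  # RFC 7230 token
DIGITS_RE = re.compile(r"^[0-9]+$")                      # Content-Length = 1*DIGIT

def parse_headers(raw):
    """Split a CRLF-delimited header block into lowercase (name, value) pairs."""
    headers = []
    for line in raw.split(b"\r\n"):
        if not line:
            continue
        name, sep, value = line.partition(b":")
        if not sep or not TOKEN_RE.match(name.decode("latin-1")):
            return None  # e.g. "Content-Length : 5" (space before the colon)
        # Only SP/HTAB may pad a value; VT, FF etc. stay and fail later checks.
        headers.append((name.decode("latin-1").lower(),
                        value.decode("latin-1").strip(" \t")))
    return headers

def framing(raw):
    """Return 'chunked', 'length:<n>', 'none', or 'reject:<reason>'."""
    headers = parse_headers(raw)
    if headers is None:
        return "reject:malformed header line"
    lengths = {v for n, v in headers if n == "content-length"}
    te = [v for n, v in headers if n == "transfer-encoding"]
    # Parse the coding list properly: "chunkedx" is not "chunked".
    codings = [t.strip(" \t").lower() for v in te for t in v.split(",")]
    if te:
        if codings[-1] != "chunked":
            return "reject:Transfer-Encoding without final chunked coding"
        if lengths:
            return "reject:both Transfer-Encoding and Content-Length present"
        return "chunked"
    if len(lengths) > 1:
        return "reject:conflicting Content-Length values"
    if lengths:
        (value,) = lengths
        if not DIGITS_RE.match(value):  # rejects "+5", "-5", "\x0b5"
            return "reject:non-digit Content-Length"
        return "length:%d" % int(value)
    return "none"
```

A proxy that applies these rules before forwarding sees exactly one framing for each request, so a frontend or cache that parses differently cannot be desynchronised from it.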

CVE-ID: CVE-2020-24606
CVE-Crit: HIGH
CVE-DESC: Squid before 4.13 and 5.x before 5.0.4 allows a trusted peer to perform a denial of service by consuming all available CPU cycles while processing a crafted Cache Digest response message. This only occurs when cache_peer is used with the cache digests feature. The problem exists because peerDigestHandleReply() in peer_digest.cc mishandles EOF and livelocks.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2020-25097
CVE-Crit: HIGH
CVE-DESC: An issue was found in Squid prior to versions 4.13 and 5.x through 5.0.4. Due to improper input validation, it allows a trusted client to smuggle HTTP requests and access services that are otherwise denied by security controls. This occurs for certain uri_whitespace configuration settings.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2020-8517
CVE-Crit: HIGH
CVE-DESC: An issue was discovered in Squid before 4.10. Due to improper input validation, the NTLM authentication credential parser in ext_lm_group_acl can write to memory outside of the credential buffer. On systems with memory access protection, this can cause the helper process to terminate unexpectedly. This results in Squid process termination and denial of service for all clients using the proxy.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2020-8450
CVE-Crit: HIGH
CVE-DESC: An issue was discovered in Squid before 4.10. Due to improper buffer management, a remote client can cause a buffer overflow in a Squid instance acting as a reverse proxy.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2020-8449
CVE-Crit: HIGH
CVE-DESC: An issue was discovered in Squid before 4.10. Due to improper input validation, it can interpret crafted HTTP requests in unexpected ways to access server resources denied by earlier security filters.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2021-28116
CVE-Crit: MEDIUM
CVE-DESC: Squid prior to versions 4.14 and 5.x through 5.0.5, in some configurations, allows information disclosure due to WCCP protocol data being read out of bounds. This can be used as part of a chain to remotely execute code as nobody.
CVE-STATUS: default
CVE-REV: default
