
OSG-SEC-2019-11-11 Vulnerability in Squid UPDATE

Dear OSG Security Contacts,

UPDATE:

There was an issue with smart quotes in the original announcement. The correct lines to add to /etc/squid/customize.sh should look like this:

insertline("# INSERT YOUR OWN RULE", "acl URN proto URN")
insertline("# INSERT YOUR OWN RULE", "http_access deny URN")

Original Announcement:

Multiple vulnerabilities have been publicly announced affecting all current versions of frontier-squid-3.* and frontier-squid-4.*, including one that potentially permits remote code execution and another that permits bypassing access controls. An upgraded package is being prepared, but meanwhile a workaround is available to block the remote code execution vulnerability. All sites are encouraged to apply the workaround, especially those that are not blocked from the internet by a firewall, and to watch for a further announcement on the availability of a new frontier-squid version.

IMPACTED VERSIONS:

All frontier-squid-3.* and frontier-squid-4.* versions through frontier-squid-4.8-2.1. frontier-squid-2.* versions don’t have these vulnerabilities but they are deprecated.

WHAT ARE THE VULNERABILITIES:

Vulnerability SQUID-2019:7 [1] describes a potential heap overflow in the URN (Universal Resource Name) handling code that can potentially lead to remote code execution or crash. This feature is not used by OSG clients but is enabled by default. A workaround to disable it is below.

Vulnerability SQUID-2019:8 [2] describes several issues with URI (Universal Resource Identifier) processing that permit remote clients to bypass access controls or deny service to other clients. It discusses a workaround for a third issue enabling access to manager services, but that workaround is already in place by default.

Three other vulnerabilities were announced at the same time but they are not applicable to the OSG.

WHAT YOU SHOULD DO:

Add these lines to /etc/squid/customize.sh and restart the frontier-squid service, especially if your squid is accessible to the internet:

insertline("# INSERT YOUR OWN RULE", "acl URN proto URN")
insertline("# INSERT YOUR OWN RULE", "http_access deny URN")

Watch for a followup announcement of the availability of frontier-squid-4.9.

REFERENCES

[1] http://www.squid-cache.org/Advisories/SQUID-2019_7.txt

[2] http://www.squid-cache.org/Advisories/SQUID-2019_8.txt

Please contact the OSG security team at [email protected] if you have any questions or concerns.

OSG Security Team
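
Added example, not part of the OSG announcement or of frontier-squid: a shell check, motivated by the smart-quote problem described in the UPDATE, that confirms a customize.sh carries both workaround lines with plain ASCII quotes. The helper name check_customize and the sample file contents are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not OSG or frontier-squid code.
# check_customize (hypothetical helper) inspects a customize.sh and returns:
#   0 = both workaround lines present on active lines, ASCII quotes only
#   1 = a workaround line is missing or commented out
#   2 = typographic ("smart") quotes found on an active line
check_customize() {
    file=$1
    # UTF-8 byte sequences for U+2018, U+2019, U+201C and U+201D.
    q1=$(printf '\342\200\230'); q2=$(printf '\342\200\231')
    q3=$(printf '\342\200\234'); q4=$(printf '\342\200\235')
    # Keep only non-comment lines, prefixed with their line number in the file.
    active=$(grep -n -v '^[[:space:]]*#' "$file" || true)
    bad=$(printf '%s\n' "$active" | grep -F -e "$q1" -e "$q2" -e "$q3" -e "$q4" || true)
    if [ -n "$bad" ]; then
        printf 'typographic quotes in %s:\n%s\n' "$file" "$bad" >&2
        return 2
    fi
    for want in \
        'insertline("# INSERT YOUR OWN RULE", "acl URN proto URN")' \
        'insertline("# INSERT YOUR OWN RULE", "http_access deny URN")'
    do
        if ! printf '%s\n' "$active" | grep -q -F -- "$want"; then
            printf 'missing in %s: %s\n' "$file" "$want" >&2
            return 1
        fi
    done
    return 0
}

# Constructed sample: the first workaround line with curled quotes (written as
# octal escapes so the bytes are unambiguous), as a mail client might produce.
demo=$(mktemp)
printf 'insertline(\342\200\234# INSERT YOUR OWN RULE\342\200\235, \342\200\234acl URN proto URN\342\200\235)\n' > "$demo"
check_customize "$demo" || echo "check_customize returned $?"
rm -f "$demo"
```

Run it against /etc/squid/customize.sh before restarting the frontier-squid service; a non-zero return means the workaround lines need to be re-entered.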