Squid Web Proxy Cache versions 2.5.STABLE6 and prior and versions 3.0.STABLE6 and prior contain a vulnerability that can allow an unauthenticated, remote attacker to create a denial of service (DoS) condition. The vulnerability can only be exploited when Squid is compiled with SNMP support.
The vulnerability exists in the SNMP module of the web proxy cache when processing ASN.1-encoded SNMP requests. The ASN.1 parser fails to reject negative length values in the request header. An attacker can send a single crafted SNMP packet that causes the Squid process to abort. All client connections are closed when this happens; however, the parent Squid process respawns the child within several seconds and normal service resumes.
Squid has confirmed this vulnerability and released updated software.
Indicators of Compromise
Squid versions 2.5.STABLE6 or prior and versions 3.0.STABLE6 and prior are vulnerable.
The vulnerability can be exploited via a crafted SNMP packet whose ASN.1 header carries a negative length value. The asn_parse_header() routine in snmplib/asn1.c fails to properly filter negative values, so the bogus length is passed on to xmalloc(). The allocation fails, Squid treats this as a fatal error, and the process exits and is restarted.
The vulnerability is only exploitable when SNMP support is enabled. A successful attack restarts Squid; after several seconds Squid returns to normal operation. Because a single UDP packet is enough to cause the restart, an attacker can sustain the denial of service simply by sending the packet repeatedly, and because no handshake is involved the packet can be sent with a spoofed source IP address. Note also that the parent Squid process stops respawning the child after a run of rapid, repeated failures, so a sustained stream of such packets can turn the short outage into one that requires an administrator to restart Squid manually.
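The following is an added example, not Squid's code, that shows the class of bug described above: a BER length decoder whose result is handled as a signed int and bounds-checked with signed arithmetic, beside a hardened version that works entirely in unsigned arithmetic. A long-form length of 0xFFFFFFFF becomes -1 in the vulnerable path, passes the "does it fit in the packet" check, and would reach the allocator as (size_t)-1, which is what makes xmalloc() fail. All demo_ function names and the two packets are constructed for this example; only asn_parse_header() and snmplib/asn1.c are names from the advisory.

```c
/* Added example: minimal BER tag/length decoding modelled loosely on the
 * asn_parse_header()/asn_parse_length() logic the advisory describes.
 * Not Squid's code; every demo_ identifier is an assumption of this example. */
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>

/* Constructed sample packets (not real captures):
 *   benign : SEQUENCE, short-form length 4, containing INTEGER 1
 *   crafted: SEQUENCE, long-form length 0x84 FF FF FF FF -> 0xFFFFFFFF */
static const unsigned char demo_benign[]  = {0x30, 0x04, 0x02, 0x02, 0x00, 0x01};
static const unsigned char demo_crafted[] = {0x30, 0x84, 0xFF, 0xFF, 0xFF, 0xFF};

/* Decode a BER length field starting at p. Returns a pointer just past the
 * length bytes, or NULL if the field is malformed. The raw decoded value is
 * written to *len_out as an unsigned 32-bit quantity; it is the caller's job
 * to decide whether that value is sane. */
static const unsigned char *demo_parse_length(const unsigned char *p, size_t avail,
                                              uint32_t *len_out)
{
    if (avail < 1)
        return NULL;
    unsigned char b = *p++;
    avail--;
    if (!(b & 0x80)) {                 /* short form: one byte, 0..127 */
        *len_out = b;
        return p;
    }
    unsigned nbytes = b & 0x7f;        /* long form: next nbytes hold the length */
    if (nbytes == 0 || nbytes > sizeof(uint32_t) || nbytes > avail)
        return NULL;
    uint32_t v = 0;
    for (unsigned i = 0; i < nbytes; i++)
        v = (v << 8) | *p++;
    *len_out = v;
    return p;
}

/* Vulnerable pattern: the decoded length is stored in a signed int and the
 * bounds check is done in signed arithmetic. 0xFFFFFFFF becomes -1, which is
 * less than pktlen, so the header is accepted with a negative body length.
 * Returns 0 on accept, -1 on reject. */
int demo_parse_header_vuln(const unsigned char *pkt, int pktlen, int *body_len)
{
    if (pktlen < 2)
        return -1;
    uint32_t raw;
    const unsigned char *p = demo_parse_length(pkt + 1, (size_t)(pktlen - 1), &raw);
    if (p == NULL)
        return -1;
    int asn_length = (int)raw;                 /* sign lost here */
    int hdr = (int)(p - pkt);
    if (asn_length + hdr > pktlen)             /* -1 + hdr <= pktlen: passes */
        return -1;
    *body_len = asn_length;
    return 0;
}

/* What the accepted length turns into when handed to an allocator that takes
 * a size_t: a negative int converts to a huge value, so the allocation fails. */
size_t demo_alloc_size(int asn_length)
{
    return (size_t)asn_length;
}

/* Hardened pattern: keep the length unsigned and compare it against the bytes
 * actually remaining in the packet. No conversion to int, so no negative
 * values can arise and no wraparound is possible. */
int demo_parse_header_fixed(const unsigned char *pkt, size_t pktlen, size_t *body_len)
{
    if (pktlen < 2)
        return -1;
    uint32_t raw;
    const unsigned char *p = demo_parse_length(pkt + 1, pktlen - 1, &raw);
    if (p == NULL)
        return -1;
    size_t hdr = (size_t)(p - pkt);
    if (raw > pktlen - hdr)                    /* unsigned: 0xFFFFFFFF > 0 rejects */
        return -1;
    *body_len = raw;
    return 0;
}

int main(void)
{
    const unsigned char *pkts[] = {demo_benign, demo_crafted};
    size_t lens[] = {sizeof demo_benign, sizeof demo_crafted};
    const char *names[] = {"benign", "crafted"};
    for (int i = 0; i < 2; i++) {
        int vl = 0;
        size_t fl = 0;
        int rv = demo_parse_header_vuln(pkts[i], (int)lens[i], &vl);
        printf("%s: vulnerable parser %s", names[i], rv == 0 ? "accepts" : "rejects");
        if (rv == 0)
            printf(", body length %d -> would allocate %zu bytes", vl, demo_alloc_size(vl));
        printf("\n");
        int rf = demo_parse_header_fixed(pkts[i], lens[i], &fl);
        printf("%s: hardened parser %s", names[i], rf == 0 ? "accepts" : "rejects");
        if (rf == 0)
            printf(", body length %zu", fl);
        printf("\n");
    }
    return 0;
}
```

The decisive difference is the type of the length and the direction of the comparison: the hardened version never converts the decoded value to a signed type and checks "length greater than bytes remaining" rather than "length plus header offset greater than packet size", which cannot be satisfied by a wrapped or negative value.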
Administrators are advised to apply the appropriate update.
Administrators are advised to disable SNMP support by setting snmp_port to 0 in squid.conf. This change does not take effect until Squid is restarted.
Administrators could also mitigate this problem by using a host or network firewall to restrict access to the UDP port on which Squid receives SNMP requests, which is port 3401 by default. Note that Squid's own snmp_access ACLs do not protect against this issue, because the packet is decoded before those ACLs are evaluated.
Administrators are advised to restrict access to the Squid proxy server to trusted users.
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.
FIXED SOFTWARE INFORMATION AND LINKS PROVIDED BY SUPPLIERS AND VENDORS ARE FOR REFERENCE ONLY. USERS SHOULD CONTACT THEIR SUPPLIER OR VENDOR FOR UPDATED SOFTWARE.
A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products
Cisco Multivendor Vulnerability Alerts respond to vulnerabilities identified in third-party vendors' products. These alerts contain information compiled from diverse sources and provide comprehensive technical descriptions, objective analytical assessments, workarounds and practical safeguards, and links to vendor advisories and patches.