Squid Proxy ACL Queue Overload Remote Denial of Service Vulnerability
BID:22203
Info
| Bugtraq ID: | 22203 |
| Class: | Failure to Handle Exceptional Conditions |
| CVE: | CVE-2007-0248 |
| Remote: | Yes |
| Local: | No |
| Published: | Jan 24 2007 12:00AM |
| Updated: | Mar 23 2007 07:13PM |
| Credit: | Erick Dantas Rotole reported this issue to the vendor. |
| Vulnerable: |
Ubuntu Ubuntu Linux 6.10 sparc
Ubuntu Ubuntu Linux 6.10 powerpc
Ubuntu Ubuntu Linux 6.10 i386
Ubuntu Ubuntu Linux 6.10 amd64
Ubuntu Ubuntu Linux 6.06 LTS sparc
Ubuntu Ubuntu Linux 6.06 LTS powerpc
Ubuntu Ubuntu Linux 6.06 LTS i386
Ubuntu Ubuntu Linux 6.06 LTS amd64
Turbolinux Turbolinux Server 10.0
Turbolinux Turbolinux Server 10.0.0 x64
Turbolinux Appliance Server Workgroup Edition 1.0
Turbolinux Appliance Server Hosting Edition 1.0
Turbolinux Appliance Server 1.0 Workgroup Edition
Turbolinux Appliance Server 1.0 Hosting Edition
Turbolinux Appliance Server 2.0
TransSoft Broker FTP Server 8.0
SuSE SUSE Linux Enterprise Server 9
SuSE SUSE Linux Enterprise Server 10
SuSE Linux 9.3
SuSE Linux 10.1
SuSE Linux 10.0
Squid Web Proxy Cache 2.6.STABLE6
Squid Web Proxy Cache 2.6.STABLE5
Squid Web Proxy Cache 2.6.STABLE4
Squid Web Proxy Cache 2.6.STABLE3
Squid Web Proxy Cache 2.6.STABLE2
Squid Web Proxy Cache 2.6.STABLE1
Squid Web Proxy Cache 2.5.STABLE14
Squid Web Proxy Cache 2.5.STABLE13
Squid Web Proxy Cache 2.5.STABLE12
Squid Web Proxy Cache 2.5.STABLE11
Novell Open Enterprise Server (OES) 0
Novell Linux Desktop 9
Mandriva Linux Mandrake 2006.0 x86_64
Mandriva Linux Mandrake 2006.0
Mandriva Linux Mandrake 2007.0 x86_64
Mandriva Linux Mandrake 2007.0
MandrakeSoft Multi Network Firewall 2.0
MandrakeSoft Corporate Server 4.0 x86_64
MandrakeSoft Corporate Server 3.0 x86_64
MandrakeSoft Corporate Server 3.0
MandrakeSoft Corporate Server 4.0
Gentoo Linux |
| Not Vulnerable: | Squid Web Proxy Cache 2.6.STABLE7 |
Discussion
Squid is prone to a remote denial-of-service vulnerability because the proxy server fails to handle excessive data.
Successfully exploiting this issue allows remote attackers to crash affected proxy applications, denying further service to legitimate users.
Exploit / POC
Attackers may exploit this issue using a browser.
Solution / Fix
Solution:
The vendor has released Squid version 2.6.STABLE7 to address this issue. Please see the references for more information.
Squid Web Proxy Cache 2.6.STABLE4
- Squid squid-2.6.STABLE7.tar.bz2
  http://www.squid-cache.org/Versions/v2/2.6/squid-2.6.STABLE7.tar.bz2

Squid Web Proxy Cache 2.5.STABLE12
- Squid squid-2.6.STABLE7.tar.bz2
  http://www.squid-cache.org/Versions/v2/2.6/squid-2.6.STABLE7.tar.bz2

Squid Web Proxy Cache 2.6.STABLE3
- Squid squid-2.6.STABLE7.tar.bz2
  http://www.squid-cache.org/Versions/v2/2.6/squid-2.6.STABLE7.tar.bz2

Squid Web Proxy Cache 2.6.STABLE2
- Squid squid-2.6.STABLE7.tar.bz2
  http://www.squid-cache.org/Versions/v2/2.6/squid-2.6.STABLE7.tar.bz2

Squid Web Proxy Cache 2.6.STABLE6
- Squid squid-2.6.STABLE7.tar.bz2
  http://www.squid-cache.org/Versions/v2/2.6/squid-2.6.STABLE7.tar.bz2
- Turbolinux squid-2.5.STABLE10-5.i586.rpm
  ftp://ftp.turbolinux.co.jp/pub/TurboLinux/
- Turbolinux squid-debug-2.5.STABLE10-5.i586.rpm
  ftp://ftp.turbolinux.co.jp/pub/TurboLinux/

Squid Web Proxy Cache 2.6.STABLE5
- Squid squid-2.6.STABLE7.tar.bz2
  http://www.squid-cache.org/Versions/v2/2.6/squid-2.6.STABLE7.tar.bz2

Squid Web Proxy Cache 2.5.STABLE11
- Squid squid-2.6.STABLE7.tar.bz2
  http://www.squid-cache.org/Versions/v2/2.6/squid-2.6.STABLE7.tar.bz2

Squid Web Proxy Cache 2.5.STABLE13
- Squid squid-2.6.STABLE7.tar.bz2
  http://www.squid-cache.org/Versions/v2/2.6/squid-2.6.STABLE7.tar.bz2

Squid Web Proxy Cache 2.6.STABLE1
- Squid squid-2.6.STABLE7.tar.bz2
  http://www.squid-cache.org/Versions/v2/2.6/squid-2.6.STABLE7.tar.bz2

Squid Web Proxy Cache 2.5.STABLE14
- Squid squid-2.6.STABLE7.tar.bz2
  http://www.squid-cache.org/Versions/v2/2.6/squid-2.6.STABLE7.tar.bz2
References