Squid Proxy TRACE Request Remote Denial of Service Vulnerability

Bugtraq ID:	23085
Class:	Failure to Handle Exceptional Conditions
CVE:	CVE-2007-1560
Remote:	Yes
Local:	No
Published:	Mar 21 2007 12:00AM
Updated:	Apr 18 2007 08:11PM
Credit:	This issue was reported by the vendor.
Vulnerable:	Ubuntu Ubuntu Linux 6.10 sparc Ubuntu Ubuntu Linux 6.10 powerpc Ubuntu Ubuntu Linux 6.10 i386 Ubuntu Ubuntu Linux 6.10 amd64 Turbolinux Turbolinux Server 10.0 Turbolinux Turbolinux Server 10.0.0 x64 Turbolinux Appliance Server Workgroup Edition 1.0 Turbolinux Appliance Server Hosting Edition 1.0 Turbolinux Appliance Server 1.0 Workgroup Edition Turbolinux Appliance Server 1.0 Hosting Edition Turbolinux Appliance Server 2.0 TransSoft Broker FTP Server 8.0 Squid Web Proxy Cache 2.6 S.u.S.E. openSUSE 10.2 Redhat Enterprise Linux Desktop Workstation 5 client Redhat Enterprise Linux 5 Server Mandriva Linux Mandrake 2006.0 x86_64 Mandriva Linux Mandrake 2006.0 Mandriva Linux Mandrake 2007.0 x86_64 Mandriva Linux Mandrake 2007.0 MandrakeSoft Multi Network Firewall 2.0 MandrakeSoft Corporate Server 4.0 x86_64 MandrakeSoft Corporate Server 3.0 x86_64 MandrakeSoft Corporate Server 3.0 MandrakeSoft Corporate Server 4.0 Gentoo Linux
Not Vulnerable:	Squid Web Proxy Cache 2.6.STABLE12

Squid Proxy TRACE Request Remote Denial of Service Vulnerability

Squid is prone to a remote denial-of-service vulnerability because the proxy server fails to handle certain TRACE requests.

Successfully exploiting this issue allows remote attackers to crash the affected application, denying futher service to legitimate users.

This issue affects version 2.6.

Squid Proxy TRACE Request Remote Denial of Service Vulnerability

An attacker may exploit this issue by using readily available networking tools.

Squid Proxy TRACE Request Remote Denial of Service Vulnerability

Solution:
The vendor has released Squid version 2.6.STABLE12 and a patch to address this issue. Please see the references for more information.


Turbolinux Turbolinux Server 10.0.0 x64

• Turbolinux squid-2.5.STABLE10-6.x86_64.rpm
  
  ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/x64/Server/10/upd ates/RPMS/squid-2.5.STABLE10-6.x86_64.rpm


• Turbolinux squid-debug-2.5.STABLE10-6.x86_64.rpm
  
  ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/x64/Server/10/upd ates/RPMS/squid-debug-2.5.STABLE10-6.x86_64.rpm

Turbolinux Appliance Server 2.0

• Turbolinux squid-2.5.STABLE10-6.i586.rpm
  
  ftp://ftp.turbolinux.co.jp/pub/TurboLinux/

Squid Web Proxy Cache 2.6

• Squid 11349.patch
  http://www.squid-cache.org/Versions/v2/2.6/changesets/11349.patch

Turbolinux Appliance Server 1.0 Hosting Edition

• Turbolinux squid-2.5.STABLE10-6.i586.rpm
  
  ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/

Turbolinux Appliance Server 1.0 Workgroup Edition

• Turbolinux squid-2.5.STABLE10-6.i586.rpm
  
  ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/

Turbolinux Turbolinux Server 10.0

• Turbolinux squid-2.5.STABLE10-6.i586.rpm
  
  ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/


• Turbolinux squid-debug-2.5.STABLE10-6.i586.rpm
  
  ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/

Squid Proxy TRACE Request Remote Denial of Service Vulnerability

References:

• Squid Proxy Cache Security Update Advisory SQUID-2007:1 (Squid Web Cache)
  
• Squid Web Proxy Cache Homepage (Squid)
  
• RHSA-2007:0131-2 squid security update (Red Hat)