search menu icon-carat-right cmu-wordmark
Carnegie Mellon University

Software Engineering Institute

CERT Coordination Center

Squid fails to parse empty access control lists correctly

Vulnerability Note VU#260421

Original Release Date: 2005-02-21 | Last Revised: 2005-02-22

Overview

The Squid web proxy cache may fail to handle empty Access Control Lists (ACLs) in the intended manner.

Description

Squid functions as a web proxy and cache application for a number of protocols. However, Squid Access Control List (ACL) routines may not parse an empty list as intended. An empty list may be interpreted as a nonexistent list rather than a list containing no members. This may or may not be the intended behavior.

Impact

Unintended access may be granted to all members instead of the intended result of access being denied to all members.

Solution

Apply an update

This flaw has been patched in Squid 2.5.STABLE8. More details are available in the Squid Bugzilla bug #1166.

Team Squid recommends:

Pay attention to warnings from "squid -k parse" and do not use configurations where there are warnings about access controls in production.

Vendor Information

260421
 
Expand all

Squid Affected

Notified:  December 21, 2004 Updated: February 18, 2005

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

This flaw has been patched in the current release version, Squid 2.5-STABLE8. More details are available in the Squid Bugzilla bug #1166.

Team Squid has created a patch for the previous release version of Squid (2.5-STABLE7): squid-2.5.STABLE7-empty_acls.patch

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Ubuntu Linux Affected

Updated:  February 21, 2005

Status

Affected

Vendor Statement

===========================================================
Ubuntu Security Notice USN-84-1  February 21, 2005
squid vulnerabilities
CAN-2005-0194, CAN-2005-0446
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)

The following packages are affected:

squid

The problem can be corrected by upgrading the affected package to
version 2.5.5-6ubuntu0.5.  In general, a standard system upgrade is
sufficient to effect the necessary changes.

Details follow:

When parsing the configuration file, squid interpreted empty Access
Control Lists (ACLs) without defined authentication schemes in a
non-obvious way. This could allow remote attackers to bypass intended
ACLs. (CAN-2005-0194)

A remote Denial of Service vulnerability was discovered in the domain
name resolution code. A faulty or malicious DNS server could stop the
Squid server immediately by sending a malformed IP address.
(CAN-2005-0446)

 Source archives:

   http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid_2.5.5-6ubuntu0.5.diff.gz
     Size/MD5:   273103 b227505fff84a15f636d1a40ef894a59
   http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid_2.5.5-6ubuntu0.5.dsc
     Size/MD5:      652 03dda2b1794bee143c7bb2c907177dec
   http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid_2.5.5.orig.tar.gz
     Size/MD5:  1363967 6c7f3175b5fa04ab5ee68ce752e7b500

 Architecture independent packages:

   http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid-common_2.5.5-6ubuntu0.5_all.deb
     Size/MD5:   190542 18ac376117476528d04ecf34c39605c5

 amd64 architecture (Athlon64, Opteron, EM64T Xeon)

   http://security.ubuntu.com/ubuntu/pool/universe/s/squid/squid-cgi_2.5.5-6ubuntu0.5_amd64.deb
     Size/MD5:    89972 6c0d1ca2955e65c617a0ffb9835fb7d0
   http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid_2.5.5-6ubuntu0.5_amd64.deb
     Size/MD5:   812832 c4ae1fa8c10241c975be5a5ae713d259
   http://security.ubuntu.com/ubuntu/pool/universe/s/squid/squidclient_2.5.5-6ubuntu0.5_amd64.deb
     Size/MD5:    71320 6426cdd50abe26ff32430f10384f98b6

 i386 architecture (x86 compatible Intel/AMD)

   http://security.ubuntu.com/ubuntu/pool/universe/s/squid/squid-cgi_2.5.5-6ubuntu0.5_i386.deb
     Size/MD5:    88484 048eee3bff6f8c1c2a27c422d8d02878
   http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid_2.5.5-6ubuntu0.5_i386.deb
     Size/MD5:   728800 86015fa3f0e70ca114d50600779a5218
   http://security.ubuntu.com/ubuntu/pool/universe/s/squid/squidclient_2.5.5-6ubuntu0.5_i386.deb
     Size/MD5:    70052 fa490312c320b567d0a2ab9aa86516a9

 powerpc architecture (Apple Macintosh G3/G4/G5)

   http://security.ubuntu.com/ubuntu/pool/universe/s/squid/squid-cgi_2.5.5-6ubuntu0.5_powerpc.deb
     Size/MD5:    89398 69752585a510d3e5fd35f3855d316354
   http://security.ubuntu.com/ubuntu/pool/main/s/squid/squid_2.5.5-6ubuntu0.5_powerpc.deb
     Size/MD5:   796142 ce07df2197a74e4da2325e39e153b38a
   http://security.ubuntu.com/ubuntu/pool/universe/s/squid/squidclient_2.5.5-6ubuntu0.5_powerpc.deb
     Size/MD5:    70814 1074527b3d8dc744aa1b128713c902ba

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base 0 AV:--/AC:--/Au:--/C:--/I:--/A:--
Temporal 0 E:ND/RL:ND/RC:ND
Environmental 0 CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

Acknowledgements

Thanks to Team Squid for reporting this vulnerability.

This document was written by Ken MacInnis.

Other Information

CVE IDs: CVE-2005-0194
Severity Metric: 0.27
Date Public: 2004-12-21
Date First Published: 2005-02-21
Date Last Updated: 2005-02-22 20:21 UTC
Document Revision: 8

Sponsored by CISA.

Download PGP Key

Read CERT/CC Blog

Learn about Vulnerability Analysis