Race condition in Squid 2.5.STABLE7 to 2.5.STABLE9, when using the Netscape Set-Cookie recommendations for handling cookies in caches, may cause Set-Cookie headers to be sent to other users, which allows attackers to steal the related cookies.

An updated squid package that fixes several security issues is now available.

This update has been rated as having low security impact by the Red Hat Security Response Team.

Squid is a full-featured Web proxy cache.

A race condition bug was found in the way Squid handles the now obsolete Set-Cookie header. It is possible that Squid can leak Set-Cookie header information to other clients connecting to Squid.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0626 to this issue. Please note that this issue only affected Red Hat Enterprise Linux 4.

A bug was found in the way Squid handles PUT and POST requests. It is possible for an authorised remote user to cause a failed PUT or POST request which can cause Squid to crash. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0718 to this issue.

A bug was found in the way Squid processes errors in the access control list. It is possible that an error in the access control list could give users more access than intended. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-1345 to this issue.

A bug was found in the way Squid handles access to the cachemgr.cgi script. It is possible for an authorised remote user to bypass access control lists with this flaw. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-1999-0710 to this issue.

A bug was found in the way Squid handles DNS replies. If the port Squid uses for DNS requests is not protected by a firewall it is possible for a remote attacker to spoof DNS replies, possibly redirecting a user to spoofed or malicious content. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-1519 to this issue.

Additionally this update fixes the following bugs: - LDAP Authentication fails with an assertion error when using Red Hat Enterprise Linux 4

Users of Squid should upgrade to this updated package, which contains backported patches to correct these issues.

A race condition was discovered in the handling of 'Set-Cookie' headers. If the obsolete Netscape recommendation was used for handling cookies in the cache, it was possible for an attacker to steal the cookies of other users.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote Squid caching proxy, according to its banner, is prone to an information disclosure vulnerability. Due to a race condition, Set-Cookie headers may leak to other users if the requested server employs the deprecated Netscape Set-Cookie specifications with regards to how cacheable content is handled.

The remote Redhat Enterprise Linux 4 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2005:415 advisory.

    Squid is a full-featured Web proxy cache.

    A race condition bug was found in the way Squid handles the now obsolete     Set-Cookie header. It is possible that Squid can leak Set-Cookie header     information to other clients connecting to Squid. The Common     Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name     CAN-2005-0626 to this issue. Please note that this issue only affected Red     Hat Enterprise Linux 4.

    A bug was found in the way Squid handles PUT and POST requests. It is     possible for an authorised remote user to cause a failed PUT or POST     request which can cause Squid to crash. The Common Vulnerabilities and     Exposures project (cve.mitre.org) has assigned the name CAN-2005-0718 to     this issue.

    A bug was found in the way Squid processes errors in the access control     list. It is possible that an error in the access control list could give     users more access than intended. The Common Vulnerabilities and Exposures     project (cve.mitre.org) has assigned the name CAN-2005-1345 to this issue.

    A bug was found in the way Squid handles access to the cachemgr.cgi script.
    It is possible for an authorised remote user to bypass access control     lists with this flaw. The Common Vulnerabilities and Exposures project     (cve.mitre.org) has assigned the name CVE-1999-0710 to this issue.

    A bug was found in the way Squid handles DNS replies.  If the port Squid     uses for DNS requests is not protected by a firewall it is possible for a     remote attacker to spoof DNS replies, possibly redirecting a user to     spoofed or malicious content. The Common Vulnerabilities and Exposures     project (cve.mitre.org) has assigned the name CAN-2005-1519 to this issue.

    Additionally this update fixes the following bugs:
     - LDAP Authentication fails with an assertion error when using Red Hat     Enterprise Linux 4

    Users of Squid should upgrade to this updated package, which contains     backported patches to correct these issues.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Squid 2.5, when processing the configuration file, parses empty Access Control Lists (ACLs), including proxy_auth ACLs without defined auth schemes, in a way that effectively removes arguments, which could allow remote attackers to bypass intended ACLs if the administrator ignores the parser warnings. (CVE-2005-0194)

Race condition in Squid 2.5.STABLE7 to 2.5.STABLE9, when using the Netscape Set-Cookie recommendations for handling cookies in caches, may cause Set-Cookie headers to be sent to other users, which allows attackers to steal the related cookies. (CVE-2005-0626)

Squid 2.5.STABLE7 and earlier allows remote attackers to cause a denial of service (segmentation fault) by aborting the connection during a (1) PUT or (2) POST request, which causes Squid to access previosuly freed memory. (CVE-2005-0718)

A bug in the way Squid processes errors in the access control list was also found. It is possible that an error in the access control list could give users more access than intended. (CVE-2005-1345)

In addition, due to subtle bugs in the previous backported updates of squid (Bugzilla #14209), all the squid-2.5 versions have been updated to squid-2.5.STABLE9 with all the STABLE9 patches from the squid developers.

The updated packages are patched to fix these problems.

The remote Squid caching proxy, according to its version number, is vulnerable to an attack where the attacker gains access to Set-Cookie headers for another user.  Such an attack would allow the attacker to gain access to resources with the credentials of another user.  

ID	Name	Product	Family	Severity
21822	CentOS 3 / 4 : squid (CESA-2005:415)	Nessus	CentOS Local Security Checks	high
20719	Ubuntu 4.10 : squid vulnerability (USN-93-1)	Nessus	Ubuntu Local Security Checks	low
19237	Squid Set-Cookie Header Cross-session Information Disclosure	Nessus	Firewalls	medium
18500	RHEL 4 : squid (RHSA-2005:415)	Nessus	Red Hat Local Security Checks	high
18171	Mandrake Linux Security Advisory : squid (MDKSA-2005:078)	Nessus	Mandriva Local Security Checks	critical
2669	Squid < 2.5.STABLE10 Set-Cookie Authentication Information Disclosure	Nessus Network Monitor	Web Servers	medium

Detections

Analytics

CVE-2005-0626

critical

Tenable Plugins

high

low

medium

high

critical

medium