Squid 2.5.STABLE10 and earlier, while performing NTLM authentication, does not properly handle certain request sequences, which allows attackers to cause a denial of service (daemon restart).

An updated squid package that fixes a security vulnerability as well as several issues is now available.

This update has been rated as having moderate security impact by the Red Hat Security Response Team.

Squid is a high-performance proxy caching server for Web clients, supporting FTP, gopher, and HTTP data objects.

A denial of service flaw was found in the way squid processes certain NTLM authentication requests. It is possible for a remote attacker to crash the Squid server by sending a specially crafted NTLM authentication request. The Common Vulnerabilities and Exposures project (cve.mitre.org) assigned the name CVE-2005-2917 to this issue.

The following issues have also been fixed in this update :

* An error introduced in squid-2.5.STABLE6-3.4E.12 can crash Squid when a user visits a site that has a bit longer DNS record.

* An error introduced in the old package prevented Squid from returning correct information about large file systems. The new package is compiled with the IDENT lookup support so that users who want to use it do not have to recompile it.

* Some authentication helpers needed SETUID rights but did not have them. If administrators wanted to use cache administrator, they had to change the SETUID bit manually. The updated package sets this bit so the new package can be updated without manual intervention from administrators.

* Squid could not handle a reply from an HTTP server when the reply began with the new-line character.

* An issue was discovered when a reply from an HTTP server was not HTTP 1.0 or 1.1 compliant.

* The updated package keeps user-defined error pages when the package is updated and it adds new ones.

All users of squid should upgrade to this updated package, which resolves these issues.

Updated squid packages that fix a security vulnerability as well as several bugs are now available.

This update has been rated as having moderate security impact by the Red Hat Security Response Team.

Squid is a high-performance proxy caching server for Web clients, supporting FTP, gopher, and HTTP data objects.

A denial of service flaw was found in the way squid processes certain NTLM authentication requests. A remote attacker could send a specially crafted NTLM authentication request which would cause the Squid server to crash. The Common Vulnerabilities and Exposures project assigned the name CVE-2005-2917 to this issue.

Several bugs have also been addressed in this update :

* An error introduced in 2.5.STABLE3-6.3E.14 where Squid can crash if a user visits a site which has a long DNS record.

* Some authentication helpers were missing needed setuid rights.

* Squid couldn't handle a reply from a HTTP server when the reply began with the new-line character or wasn't HTTP/1.0 or HTTP/1.1 compliant.

* User-defined error pages were not kept when the squid package was upgraded.

All users of squid should upgrade to these updated packages, which contain backported patches to resolve these issues.

The squid patches page notes :

Squid may crash with the above error [FATAL: Incorrect scheme in auth header] when given certain request sentences.

Workaround: disable NTLM authentication.

The remote Redhat Enterprise Linux 4 host has a package installed that is affected by a vulnerability as referenced in the RHSA-2006:0052 advisory.

    Squid is a high-performance proxy caching server for Web clients,     supporting FTP, gopher, and HTTP data objects.

    A denial of service flaw was found in the way squid processes certain NTLM     authentication requests. It is possible for a remote attacker to crash the     Squid server by sending a specially crafted NTLM authentication request.
    The Common Vulnerabilities and Exposures project (cve.mitre.org) assigned     the name CVE-2005-2917 to this issue.

    The following issues have also been fixed in this update:

    * An error introduced in squid-2.5.STABLE6-3.4E.12 can crash Squid when a       user visits a site that has a bit longer DNS record.

    * An error introduced in the old package prevented Squid from returning       correct information about large file systems. The new package is compiled       with the IDENT lookup support so that users who want to use it do not       have to recompile it.

    * Some authentication helpers needed SETUID rights but did not have them.
      If administrators wanted to use cache administrator, they had to change       the SETUID bit manually. The updated package sets this bit so the new       package can be updated without manual intervention from administrators.

    * Squid could not handle a reply from an HTTP server when the reply began       with the new-line character.

    * An issue was discovered when a reply from an HTTP server was not       HTTP 1.0 or 1.1 compliant.

    * The updated package keeps user-defined error pages when the package       is updated and it adds new ones.

    All users of squid should upgrade to this updated package, which resolves     these issues.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Mike Diggins discovered a remote Denial of Service vulnerability in Squid. Sending specially crafted NTML authentication requests to Squid caused the server to crash.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Squid 2.5.9, while performing NTLM authentication, does not properly handle certain request sequences, which allows attackers to cause a denial of service (daemon restart).

The updated packages have been patched to address these issues.

The version of Squid, an open source web proxy cache, installed on the remote host will abort if it receives a specially crafted NTLM challenge packet.  A remote attacker can exploit this issue to stop the affected application, thereby denying access to legitimate users.

Upstream developers of squid, the popular WWW proxy cache, have discovered that changes in the authentication scheme are not handled properly when given certain request sequences while NTLM authentication is in place, which may cause the daemon to restart.

The remote squid caching proxy, according to its version number, is vulnerable to an attack where an attacker can disable the Squid proxy by sending a malformed NTLM request.  Successful exploitation leads to a loss of availability.

ID	Name	Product	Family	Severity
21976	CentOS 4 : squid (CESA-2006:0052)	Nessus	CentOS Local Security Checks	medium
21879	CentOS 3 : squid (CESA-2006:0045)	Nessus	CentOS Local Security Checks	medium
21422	FreeBSD : squid -- possible denial of service condition regarding NTLM authentication (44e7764c-2614-11da-9e1e-c296ac722cb3)	Nessus	FreeBSD Local Security Checks	medium
21087	RHEL 3 : squid (RHSA-2006:0045)	Nessus	Red Hat Local Security Checks	medium
21031	RHEL 4 : squid (RHSA-2006:0052)	Nessus	Red Hat Local Security Checks	high
20606	Ubuntu 4.10 / 5.04 : squid vulnerability (USN-192-1)	Nessus	Ubuntu Local Security Checks	medium
20041	Mandrake Linux Security Advisory : squid (MDKSA-2005:181)	Nessus	Mandriva Local Security Checks	medium
20010	Squid Crafted NTLM Authentication Header DoS	Nessus	Firewalls	medium
19797	Debian DSA-828-1 : squid - authentication handling	Nessus	Debian Local Security Checks	medium
3247	Squid < 2.5.STABLE11 NTLM Authentication Header DoS	Nessus Network Monitor	Web Servers	medium

Detections

Analytics

CVE-2005-2917

high

Tenable Plugins

medium

medium

medium

medium

high

medium

medium

medium

medium

medium