The FwdState::connectedToPeer method in FwdState.cc in Squid before 3.5.14 and 4.0.x before 4.0.6 does not properly handle SSL handshake errors when built with the --with-openssl option, which allows remote attackers to cause a denial of service (application crash) via a plaintext HTTP message.

Versions of Squid 3.5.x prior to 3.5.14 are affected by a flaw in the 'FwdState::connectedToPeer()' function in 'FwdState.cc' that is triggered as server connection errors are handled improperly. This may allow a remote attacker to cause a denial of service when connecting to TLS or SSL servers.

This update for squid3 fixes the following issues :

  - Multiple issues in pinger ICMP processing.
    (CVE-2014-7141, CVE-2014-7142)

  - CVE-2016-3947: Buffer overrun issue in pinger ICMPv6     processing. (bsc#973782)

  - CVE-2016-4554: fix header smuggling issue in HTTP     Request processing (bsc#979010)

  - Fix multiple Denial of Service issues in HTTP Response     processing. (CVE-2016-2569, CVE-2016-2570,     CVE-2016-2571, CVE-2016-2572, bsc#968392, bsc#968393,     bsc#968394, bsc#968395)

  - Regression caused by the DoS fixes above (bsc#993299)

  - CVE-2016-3948: Fix denial of service in HTTP Response     processing (bsc#973783)

  - CVE-2016-4051: fixes buffer overflow in cachemgr.cgi     (bsc#976553)

  - CVE-2016-4052, CVE-2016-4053, CVE-2016-4054 :

  - fixes multiple issues in ESI processing (bsc#976556)

  - CVE-2016-4556: fixes double free vulnerability in Esi.cc     (bsc#979008)

  - CVE-2015-5400: Improper Protection of Alternate Path     (bsc#938715)

  - CVE-2014-6270: fix off-by-one in snmp subsystem     (bsc#895773)

  - Memory leak in squid3 when using external_acl     (bsc#976708)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for squid3 fixes the following issues :

  - Multiple issues in pinger ICMP processing.
    (CVE-2014-7141, CVE-2014-7142)

  - CVE-2016-3947: Buffer overrun issue in pinger ICMPv6     processing. (bsc#973782)

  - CVE-2016-4554: fix header smuggling issue in HTTP     Request processing (bsc#979010)

  - fix multiple Denial of Service issues in HTTP Response     processing. (CVE-2016-2569, CVE-2016-2570,     CVE-2016-2571, CVE-2016-2572, bsc#968392, bsc#968393,     bsc#968394, bsc#968395)

  - CVE-2016-3948: Fix denial of service in HTTP Response     processing (bsc#973783)

  - CVE-2016-4051: fixes buffer overflow in cachemgr.cgi     (bsc#976553)

  - CVE-2016-4052, CVE-2016-4053, CVE-2016-4054 :

  - fixes multiple issues in ESI processing (bsc#976556)

  - CVE-2016-4556: fixes double free vulnerability in Esi.cc     (bsc#979008)

  - CVE-2015-5400: Improper Protection of Alternate Path     (bsc#938715)

  - CVE-2014-6270: fix off-by-one in snmp subsystem     (bsc#895773)

  - Memory leak in squid3 when using external_acl     (bsc#976708)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to its banner, the version of Squid running on the remote host is 3.5.13, 4.0.4, or 4.0.5. It is, therefore, potentially affected by a denial of service vulnerability due to improper handling of server connection errors in the FwdState::connectedToPeer() function. A remote attacker can exploit this, via a misconfigured client or server, to cause a denial of service condition when connecting to TLS or SSL servers.

Note that only servers built with the --with-openssl option are vulnerable.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number. The patch released to address this issue does not update the version given in the banner. If the patch has been applied properly, and the service has been restarted, consider this to be a false positive.

Squid security advisory 2016:1 reports :

Due to incorrectly handling server errors Squid is vulnerable to a denial of service attack when connecting to TLS or SSL servers.

This problem allows any trusted client to perform a denial of service attack on the Squid service regardless of whether TLS or SSL is configured for use in the proxy.

Misconfigured client or server software may trigger this issue to perform a denial of service unintentionally.

However, the bug is exploitable only if Squid is built using the
--with-openssl option.

The FreeBSD port does not use SSL by default and is not vulnerable in the default configuration.

ID	Name	Product	Family	Severity
9773	Squid 3.5.x < 3.5.14 DoS	Nessus Network Monitor	Web Servers	low
93294	SUSE SLES11 Security Update : squid3 (SUSE-SU-2016:2089-1)	Nessus	SuSE Local Security Checks	high
93271	SUSE SLES11 Security Update : squid3 (SUSE-SU-2016:1996-1)	Nessus	SuSE Local Security Checks	high
89052	Squid 3.5.13 / 4.0.4 / 4.0.5 Server Connection Error Handling DoS	Nessus	Firewalls	high
88818	FreeBSD : squid -- SSL/TLS processing remote DoS (56562efb-d5e4-11e5-b2bd-002590263bf5)	Nessus	FreeBSD Local Security Checks	medium

Detections

Analytics

CVE-2016-2390

medium

Tenable Plugins

low

high

high

high

medium