FreeBSD : squid -- TLS/SSL parser denial of service vulnerability (d3a98c2d-5da1-11e5-9909-002590263bf5)

High Nessus Plugin ID 85996


The remote FreeBSD host is missing a security-related update.


Amos Jeffries, release manager of the Squid-3 series, reports :

Vulnerable versions are to 3.5.8 (inclusive), which are built with OpenSSL and configured for 'SSL-Bump' decryption.

Integer overflows can lead to invalid pointer math reading from random memory on some CPU architectures. In the best case this leads to wrong TLS extensions being used for the client, worst-case a crash of the proxy terminating all active transactions.

Incorrect message size checks and assumptions about the existence of TLS extensions in the SSL/TLS handshake message can lead to very high CPU consumption (up to and including 'infinite loop' behaviour).

The above can be triggered remotely. Though there is one layer of authorization applied before this processing to check that the client is allowed to use the proxy, that check is generally weak. MS Skype on Windows XP is known to trigger some of these.

The FreeBSD port does not use SSL by default and is not vulnerable in the default configuration.


Update the affected package.

See Also

Plugin Details

Severity: High

ID: 85996

File Name: freebsd_pkg_d3a98c2d5da111e59909002590263bf5.nasl

Version: $Revision: 2.3 $

Type: local

Published: 2015/09/18

Modified: 2017/07/06

Dependencies: 12634

Risk Information

Risk Factor: High

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:squid, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Patch Publication Date: 2015/09/18

Vulnerability Publication Date: 2015/09/18