FreeBSD : squid -- TLS/SSL parser denial of service vulnerability (d3a98c2d-5da1-11e5-9909-002590263bf5)
High Nessus Plugin ID 85996
Synopsis
The remote FreeBSD host is missing a security-related update.
Description
Amos Jeffries, release manager of the Squid-3 series, reports:
Vulnerable versions are 188.8.131.52 to 3.5.8 (inclusive), which are built with OpenSSL and configured for 'SSL-Bump' decryption.
Integer overflows can lead to invalid pointer math reading from random memory on some CPU architectures. In the best case this leads to wrong TLS extensions being used for the client, worst-case a crash of the proxy terminating all active transactions.
Incorrect message size checks and assumptions about the existence of TLS extensions in the SSL/TLS handshake message can lead to very high CPU consumption (up to and including 'infinite loop' behaviour).
The above can be triggered remotely. Though there is one layer of authorization applied before this processing to check that the client is allowed to use the proxy, that check is generally weak. MS Skype on Windows XP is known to trigger some of these.
The FreeBSD port does not use SSL by default and is not vulnerable in the default configuration.
Solution
Update the affected package.
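The report above names two parser failure modes: length fields trusted in pointer arithmetic, and the assumption that a handshake message always carries TLS extensions. The following is an added example, not Squid's code or its patch, of a ClientHello walker that avoids both; the names `count_extensions` and `sample_hello` and the sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Cursor over untrusted bytes: offsets are size_t, never raw pointer sums. */
struct cur { const uint8_t *p; size_t len, off; };
static size_t left(const struct cur *c) { return c->len - c->off; }

/* Read an n-byte big-endian integer (n <= 2); fail if bytes are missing. */
static int rd(struct cur *c, size_t n, size_t *out) {
    if (left(c) < n) return -1;
    for (*out = 0; n > 0; n--) *out = (*out << 8) | c->p[c->off++];
    return 0;
}

/* Skip a vector with an n-byte length prefix after checking that it fits. */
static int skip_vec(struct cur *c, size_t n) {
    size_t vlen;
    if (rd(c, n, &vlen) || left(c) < vlen) return -1;
    c->off += vlen;
    return 0;
}

/* Walk a ClientHello body (the bytes after the 4-byte handshake header).
 * Returns the extension count, 0 when none are sent, -1 when malformed. */
int count_extensions(const uint8_t *body, size_t len) {
    struct cur c = { body, len, 0 };
    size_t total, type, n = 0;
    if (left(&c) < 34) return -1;              /* version (2) + random (32) */
    c.off += 34;
    if (skip_vec(&c, 1) || skip_vec(&c, 2) || skip_vec(&c, 1))
        return -1;                             /* session id, suites, compression */
    if (left(&c) == 0) return 0;               /* extensions are optional */
    if (rd(&c, 2, &total) || total != left(&c)) return -1;
    while (left(&c) > 0) {                     /* each pass consumes >= 4 bytes */
        if (rd(&c, 2, &type) || skip_vec(&c, 2)) return -1;
        n++;
    }
    return (int)n;
}

/* Constructed sample: minimal ClientHello body followed by a caller-supplied tail. */
size_t sample_hello(uint8_t *out, const uint8_t *tail, size_t tail_len) {
    static const uint8_t fixed[] = { 0, 0, 2, 0x00, 0x2f, 1, 0 };
    memset(out, 0, 34);
    memcpy(out + 34, fixed, sizeof fixed);
    memcpy(out + 34 + sizeof fixed, tail, tail_len);
    return 34 + sizeof fixed + tail_len;
}
```

Every length is compared against the bytes remaining before the cursor moves, and each loop pass consumes at least four bytes, so a malformed message ends in an error return rather than an out-of-bounds read or an unbounded loop.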