Squid security advisory 2015:1 reports :

Squid configured with client-first SSL-bump does not correctly validate X509 server certificate domain / hostname fields.

The bug is important because it allows remote servers to bypass client certificate validation. Some attackers may also be able to use valid certificates for one domain signed by a global Certificate Authority to abuse an unrelated domain.

However, the bug is exploitable only if you have configured Squid to perform SSL Bumping with the 'client-first' or 'bump' mode of operation.

Sites that do not use SSL-Bump are not vulnerable.

All Squid built without SSL support are not vulnerable to the problem.

The FreeBSD port does not use SSL by default and is not vulnerable in the default configuration.

Squid was updated to fix a security issue.

If the Squid HTTP Proxy configured with client-first SSL bumping did not correctly validate server certificate. (CVE-2015-3455)

It was found that Squid configured with client-first SSL-bump did not correctly validate X.509 server certificate host name fields. A man-in- the-middle attacker could use this flaw to spoof a Squid server using a specially crafted X.509 certificate. (CVE-2015-3455)

This update fixes the following bugs :

  - Previously, the squid process did not handle file     descriptors correctly when receiving Simple Network     Management Protocol (SNMP) requests. As a consequence,     the process gradually accumulated open file descriptors.
    This bug has been fixed and squid now handles SNMP     requests correctly, closing file descriptors when     necessary.

  - Under high system load, the squid process sometimes     terminated unexpectedly with a segmentation fault during     reboot. This update provides better memory handling     during reboot, thus fixing this bug.

After installing this update, the squid service will be restarted automatically.

Updated squid packages fix security vulnerability :

Squid configured with client-first SSL-bump does not correctly validate X509 server certificate domain / hostname fields (CVE-2015-3455).

The Squid HTTP proxy has been updated to version 3.3.14, fixing the following security issues :

  - Fixed multiple Denial of Service issues in HTTP Response     processing. (CVE-2016-2569, CVE-2016-2570,     CVE-2016-2571, CVE-2016-2572, bsc#968392, bsc#968393,     bsc#968394, bsc#968395)

  - CVE-2016-3947: Buffer overrun issue in pinger ICMPv6     processing. (bsc#973782)

  - CVE-2015-5400: Improper protection of alternate path.
    (bsc#938715)

  - CVE-2015-3455: Squid http proxy configured with     client-first SSL bumping did not correctly validate     server certificate. (bsc#929493)

  - CVE-2016-3948: Fixed denial of service in HTTP Response     processing (bsc#973783)

  - CVE-2016-4051: fixes buffer overflow in cachemgr.cgi     (bsc#976553)

  - CVE-2016-4052, CVE-2016-4053, CVE-2016-4054: Fixed     multiple issues in ESI processing (bsc#976556)

  - CVE-2016-4553: Fixed cache poisoning issue in HTTP     Request handling (bsc#979009)

  - CVE-2016-4554: Fixed header smuggling issue in HTTP     Request processing (bsc#979010)

  - Fixed multiple Denial of Service issues in ESI Response     processing. (CVE-2016-4555, CVE-2016-4556, bsc#979011,     bsc#979008)

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Updated squid packages that fix one security issue and two bugs are now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

Squid is a high-performance proxy caching server for web clients, supporting FTP, Gopher, and HTTP data objects.

It was found that Squid configured with client-first SSL-bump did not correctly validate X.509 server certificate host name fields. A man-in-the-middle attacker could use this flaw to spoof a Squid server using a specially crafted X.509 certificate. (CVE-2015-3455)

This update fixes the following bugs :

* Previously, the squid process did not handle file descriptors correctly when receiving Simple Network Management Protocol (SNMP) requests. As a consequence, the process gradually accumulated open file descriptors. This bug has been fixed and squid now handles SNMP requests correctly, closing file descriptors when necessary.
(BZ#1198778)

* Under high system load, the squid process sometimes terminated unexpectedly with a segmentation fault during reboot. This update provides better memory handling during reboot, thus fixing this bug.
(BZ#1225640)

Users of squid are advised to upgrade to these updated packages, which fix these bugs. After installing this update, the squid service will be restarted automatically.

The Squid HTTP proxy has been updated to version 3.3.14, fixing the following security issues :

  - Fixed multiple Denial of Service issues in HTTP Response     processing. (CVE-2016-2569, CVE-2016-2570,     CVE-2016-2571, CVE-2016-2572, bsc#968392, bsc#968393,     bsc#968394, bsc#968395)

  - CVE-2016-3947: Buffer overrun issue in pinger ICMPv6     processing. (bsc#973782)

  - CVE-2015-5400: Improper protection of alternate path.
    (bsc#938715)

  - CVE-2015-3455: Squid http proxy configured with     client-first SSL bumping did not correctly validate     server certificate. (bsc#929493)

  - CVE-2016-3948: Fixed denial of service in HTTP Response     processing (bsc#973783)

  - CVE-2016-4051: fixes buffer overflow in cachemgr.cgi     (bsc#976553)

  - CVE-2016-4052, CVE-2016-4053, CVE-2016-4054: Fixed     multiple issues in ESI processing (bsc#976556)

  - CVE-2016-4553: Fixed cache poisoning issue in HTTP     Request handling (bsc#979009)

  - CVE-2016-4554: Fixed header smuggling issue in HTTP     Request processing (bsc#979010)

  - Fixed multiple Denial of Service issues in ESI Response     processing. (CVE-2016-4555, CVE-2016-4556, bsc#979011,     bsc#979008)

Additionally, the following non-security issues have been fixed :

  - Fix header size in script unsquid.pl. (bsc#902197)

  - Add external helper ext_session_acl to package.
    (bsc#959290)

  - Update forward_max_tries to permit 25 server paths With     cloud sites becoming more popular more CDN servers are     producing long lists of IPv6 and IPv4 addresses. If     there are not enough paths selected the IPv4 ones may     never be reached.

  - squid.init: wait that squid really dies when we kill it     on upgrade instead of proclaiming its demise prematurely     (bnc#963539)

This update was imported from the SUSE:SLE-12:Update update project.

According to its banner, the version of Squid running on the remote host is 3.2 prior to 3.2.14 / 3.3.14 / 3.4.13 / 3.5.4. It is, therefore, potentially affected by a flaw related to certificate validation due to the server hostname not being verified as matching a the domain name in the certificate Subject's Common Name (CN) or the SubjectAltName fields. A man-in-the-middle attacker, using a crafted certificate, can utilize this to spoof a TLS/SSL server, thus allowing the disclosure or manipulation of intercepted data. Note that this flaw is exploitable only if Squid is configured to perform SSL Bumping with the 'client-first' or 'bump' mode of operation.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number. The patch released to address the issue does not update the version in the banner. If the patch has been applied properly, and the service has been restarted, consider this to be a false positive.

From Red Hat Security Advisory 2015:2378 :

Updated squid packages that fix one security issue and two bugs are now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

Squid is a high-performance proxy caching server for web clients, supporting FTP, Gopher, and HTTP data objects.

It was found that Squid configured with client-first SSL-bump did not correctly validate X.509 server certificate host name fields. A man-in-the-middle attacker could use this flaw to spoof a Squid server using a specially crafted X.509 certificate. (CVE-2015-3455)

This update fixes the following bugs :

* Previously, the squid process did not handle file descriptors correctly when receiving Simple Network Management Protocol (SNMP) requests. As a consequence, the process gradually accumulated open file descriptors. This bug has been fixed and squid now handles SNMP requests correctly, closing file descriptors when necessary.
(BZ#1198778)

* Under high system load, the squid process sometimes terminated unexpectedly with a segmentation fault during reboot. This update provides better memory handling during reboot, thus fixing this bug.
(BZ#1225640)

Users of squid are advised to upgrade to these updated packages, which fix these bugs. After installing this update, the squid service will be restarted automatically.

Security fix for CVE-2016-2571, CVE-2016-2572 ---- squid-3.4.13-3.fc22
- Resolves: #1231992 ---- Security fix for #1240741, #1240744 Updated to version 3.4.13, which fixes CVE-2015-3455

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Squid 3.2.x before 3.2.14, 3.3.x before 3.3.14, 3.4.x before 3.4.13, and 3.5.x before 3.5.4, when configured with client-first SSL-bump, does not properly validate the domain or hostname fields of X.509 certificates, which allows man-in-the-middle attackers to spoof SSL servers via a valid certificate.

ID	Name	Product	Family	Published	Updated	Severity
84555	FreeBSD : squid -- client-first SSL-bump does not correctly validate X509 server certificate (b6da24da-23f7-11e5-a4a5-002590263bf5)	Nessus	FreeBSD Local Security Checks	7/7/2015	1/6/2021	low
85927	openSUSE Security Update : squid (openSUSE-2015-581)	Nessus	SuSE Local Security Checks	9/14/2015	1/19/2021	low
87574	Scientific Linux Security Update : squid on SL7.x x86_64 (20151119)	Nessus	Scientific Linux Local Security Checks	12/22/2015	1/14/2021	low
83276	Mandriva Linux Security Advisory : squid (MDVSA-2015:230)	Nessus	Mandriva Local Security Checks	5/7/2015	1/14/2021	low
93279	SUSE SLES12 Security Update : squid (SUSE-SU-2016:2008-1)	Nessus	SuSE Local Security Checks	9/2/2016	1/6/2021	high
87154	CentOS 7 : squid (CESA-2015:2378)	Nessus	CentOS Local Security Checks	12/2/2015	1/4/2021	low
92994	openSUSE Security Update : squid (openSUSE-2016-988)	Nessus	SuSE Local Security Checks	8/17/2016	1/19/2021	high
83529	Squid 3.2 < 3.5.4 Incorrect X509 Server Certificate Validation Vulnerability	Nessus	Firewalls	5/19/2015	11/22/2019	low
86986	RHEL 7 : squid (RHSA-2015:2378)	Nessus	Red Hat Local Security Checks	11/20/2015	10/24/2019	low
87037	Oracle Linux 7 : squid (ELSA-2015-2378)	Nessus	Oracle Linux Local Security Checks	11/24/2015	1/14/2021	low
90960	Fedora 22 : libecap-1.0.0-1.fc22 / squid-3.5.10-1.fc22 (2016-7b40eb9e29)	Nessus	Fedora Local Security Checks	5/9/2016	1/11/2021	medium
8869	Squid 3.2.x < 3.2.14 / 3.3.x < 3.3.14 / 3.4.x < 3.4.13 / 3.5.x < 3.5.4 X.509 Certificate Validation Vulnerability	Nessus Network Monitor	Web Servers	9/16/2015	3/6/2019	medium

Detections

Analytics

Plugins Search

low

low

low

low

high

low

high

low

low

low

medium

medium