Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Squid 3.x < 3.4.8 Multiple Vulnerabilities

Medium

Synopsis

The remote proxy server is affected by multiple vulnerabilities.

Description

Versions of Squid 3.4.x prior to 3.4.8 are potentially affected by by the following vulnerabilities :

- An off-by-one overflow flaw exists within the SNMP processing component. By using a specially crafted UDP SNMP request, a remote attacker could exploit this to cause a denial of service or possibly execute arbitrary code. (CVE-2014-6270)

- There exists an array indexing flaw in the node pinger that is triggered when parsing ICMP and ICMPv6 replies, which may allow a remote attacker to crash the pinger or obtain sensitive information. (CVE-2014-7141)

- The node pinger has a flaw in function 'Icmp4::Recv' in file 'icmp/Icmp4.cc' that is triggered when parsing ICMP or ICMPv6 responses. A remote attacker could exploit this to crash the pinger or obtain sensitive information. (CVE-2014-7142)

Solution

Either upgrade to Squid version 3.4.8 or later, or apply the vendor-supplied patch.