CVE-2005-0194 - Security Bypass vulnerability in Squid
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: COMPLETE
Integrity impact: COMPLETE
Availability impact: COMPLETE
Summary
Squid 2.5, when processing the configuration file, parses empty Access Control Lists (ACLs), including proxy_auth ACLs without defined auth schemes, in a way that effectively removes arguments, which could allow remote attackers to bypass intended ACLs if the administrator ignores the parser warnings.
Vulnerable Configurations
Nessus
NASL family: Gentoo Local Security Checks
NASL id: GENTOO_GLSA-200501-25.NASL
description: The remote host is affected by the vulnerability described in GLSA-200501-25 (Squid: Multiple vulnerabilities) Squid contains a vulnerability in the gopherToHTML function (CAN-2005-0094) and incorrectly checks the
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 16416
published: 2005-02-14
reporter: This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/16416
title: GLSA-200501-25 : Squid: Multiple vulnerabilities

NASL family: Debian Local Security Checks
NASL id: DEBIAN_DSA-667.NASL
description: Several vulnerabilities have been discovered in Squid, the internet object cache, the popular WWW proxy cache. The Common Vulnerabilities and Exposures project identifies the following vulnerabilities :
- CAN-2005-0173 LDAP is very forgiving about spaces in search filters and this could be abused to log in using several variants of the login name, possibly bypassing explicit access controls or confusing accounting.
- CAN-2005-0175 Cache pollution/poisoning via HTTP response splitting has been discovered.
- CAN-2005-0194 The meaning of the access controls becomes somewhat confusing if any of the referenced ACLs (access control lists) is declared empty, without any members.
- CAN-2005-0211 The length argument of the WCCP recvfrom() call is larger than it should be. An attacker may send a larger than normal WCCP packet that could overflow a buffer.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 16341
published: 2005-02-10
reporter: This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/16341
title: Debian DSA-667-1 : squid - several vulnerabilities

NASL family: Ubuntu Local Security Checks
NASL id: UBUNTU_USN-84-1.NASL
description: When parsing the configuration file, squid interpreted empty Access Control Lists (ACLs) without defined authentication schemes in a non-obvious way. This could allow remote attackers to bypass intended ACLs. (CAN-2005-0194) A remote Denial of Service vulnerability was discovered in the domain name resolution code. A faulty or malicious DNS server could stop the Squid server immediately by sending a malformed IP address. (CAN-2005-0446). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 20709
published: 2006-01-15
reporter: Ubuntu Security Notice (C) 2005-2019 Canonical, Inc. / NASL script (C) 2006-2016 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/20709
title: Ubuntu 4.10 : squid vulnerabilities (USN-84-1)

NASL family: Mandriva Local Security Checks
NASL id: MANDRAKE_MDKSA-2005-078.NASL
description: Squid 2.5, when processing the configuration file, parses empty Access Control Lists (ACLs), including proxy_auth ACLs without defined auth schemes, in a way that effectively removes arguments, which could allow remote attackers to bypass intended ACLs if the administrator ignores the parser warnings. (CVE-2005-0194) Race condition in Squid 2.5.STABLE7 to 2.5.STABLE9, when using the Netscape Set-Cookie recommendations for handling cookies in caches, may cause Set-Cookie headers to be sent to other users, which allows attackers to steal the related cookies. (CVE-2005-0626) Squid 2.5.STABLE7 and earlier allows remote attackers to cause a denial of service (segmentation fault) by aborting the connection during a (1) PUT or (2) POST request, which causes Squid to access previously freed memory. (CVE-2005-0718) A bug in the way Squid processes errors in the access control list was also found. It is possible that an error in the access control list could give users more access than intended. (CVE-2005-1345) In addition, due to subtle bugs in the previous backported updates of squid (Bugzilla #14209), all the squid-2.5 versions have been updated to squid-2.5.STABLE9 with all the STABLE9 patches from the squid developers. The updated packages are patched to fix these problems.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 18171
published: 2005-05-02
reporter: This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/18171
title: Mandrake Linux Security Advisory : squid (MDKSA-2005:078)

NASL family: FreeBSD Local Security Checks
NASL id: FREEBSD_PKG_A30E5E44544011D99E1EC296AC722CB3.NASL
description: Applying an empty ACL list results in unexpected behavior : anything will match an empty ACL list. For example, The meaning of the configuration gets very confusing when we encounter empty ACLs such as acl something src
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 19054
published: 2005-07-13
reporter: This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/19054
title: FreeBSD : squid -- confusing results on empty acl declarations (a30e5e44-5440-11d9-9e1e-c296ac722cb3)
References
- http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000923
- http://fedoranews.org/updates/FEDORA--.shtml
- http://marc.info/?l=bugtraq&m=110901183320453&w=2
- http://www.debian.org/security/2005/dsa-667
- http://www.kb.cert.org/vuls/id/260421
- http://www.squid-cache.org/bugs/show_bug.cgi?id=1166
- http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-empty_acls
- http://www.squid-cache.org/Versions/v2/2.5/bugs/squid-2.5.STABLE7-empty_acls.patch