CVE-2018-1172 - NULL Pointer Dereference vulnerability in Squid-Cache Squid 3.5.27

Attack vector: NETWORK
Attack complexity: HIGH
Privileges required: NONE
Confidentiality impact: NONE
Integrity impact: NONE
Availability impact: HIGH

Summary
This vulnerability allows remote attackers to deny service on vulnerable installations of The Squid Software Foundation Squid 3.5.27-20180318. Authentication is not required to exploit this vulnerability. The specific flaw exists within ClientRequestContext::sslBumpAccessCheck(). A crafted request can trigger the dereference of a null pointer. An attacker can leverage this vulnerability to create a denial-of-service condition to users of the system. Was ZDI-CAN-6088.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | | 1 |
Common Weakness Enumeration (CWE)
Nessus
NASL family: Firewalls
NASL id: SQUID_2018_3.NASL
description: According to its banner, the version of Squid running on the remote host is 3.1.x after or equal to 3.1.12.2 and prior or equal to 3.1.23, 3.2.x after or equal to 3.2.0.8 and prior or equal to 3.2.0.8, 3.3.x, 3.4.x, 3.5.x prior or equal to 3.5.27, or 4.x prior to 4.0.13. It is, therefore, affected by a denial of service (DoS) vulnerability in the ESI response processing component due to incorrect pointer handling. A remote attacker controlled server can exploit this issue, via a crafted ESI response, to cause a denial of service for all clients accessing the Squid service. Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 119725
published: 2018-12-17
reporter: This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/119725
title: Squid 3.1.12.2 <= 3.1.x <= 3.1.23 / 3.2.0.8 <= 3.2.x <= 3.2.14 / 3.3.x / 3.4.x / 3.5.x <= 3.5.27 / 4.x < 4.0.13 Denial of Service Vulnerability (SQUID-2018:3)
code:

```
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(119725);
  script_version("1.2");
  script_cvs_date("Date: 2019/10/31 15:18:51");

  script_cve_id("CVE-2018-1172");

  script_name(english:"Squid 3.1.12.2 <= 3.1.x <= 3.1.23 / 3.2.0.8 <= 3.2.x <= 3.2.14 / 3.3.x / 3.4.x / 3.5.x <= 3.5.27 / 4.x < 4.0.13 Denial of Service Vulnerability (SQUID-2018:3)");
  script_summary(english:"Checks the version of Squid.");

  script_set_attribute(attribute:"synopsis", value:
"The remote proxy server is affected by a denial of service vulnerability.");
  script_set_attribute(attribute:"description", value:
"According to its banner, the version of Squid running on the remote
host is 3.1.x after or equal to 3.1.12.2 and prior or equal to 3.1.23,
3.2.x after or equal to 3.2.0.8 and prior or equal to 3.2.0.8, 3.3.x,
3.4.x, 3.5.x prior or equal to 3.5.27, or 4.x prior to 4.0.13. It is,
therefore, affected by a denial of service (DoS) vulnerability in the
ESI response processing component due to incorrect pointer handling.
A remote attacker controlled server can exploit this issue, via a
crafted ESI response, to cause a denial of service for all clients
accessing the Squid service.

Note that Nessus has not tested for this issue but has instead relied
only on the application's self-reported version number.");
  script_set_attribute(attribute:"see_also", value:"http://www.squid-cache.org/Advisories/SQUID-2018_3.txt");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Squid version 4.0.13 or later.
Alternatively, apply the vendor-supplied patch.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-1172");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"vuln_publication_date", value:"2018/04/18");
  script_set_attribute(attribute:"patch_publication_date", value:"2016/04/16");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/12/17");

  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:squid-cache:squid");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Firewalls");

  script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("squid_version.nasl");
  script_require_keys("installed_sw/Squid", "Settings/ParanoidReport");
  script_require_ports("Services/http_proxy", 3128, 8080);

  exit(0);
}

include("vcf.inc");
include("http.inc");

app = "Squid";
get_install_count(app_name:app, exit_if_zero:TRUE);

if (report_paranoia < 2) audit(AUDIT_PARANOID);

port = get_http_port(default:3128);

app_info = vcf::get_app_info(app:app, port:port, webapp:TRUE);

# Affected versions: Squid 3.1.12.2 -> 3.1.23
#                    Squid 3.2.0.8 -> 3.2.14
#                    Squid 3.3 -> 3.5.27
#                    Squid 4.x -> 4.0.12
# Fixed in version:  Squid 4.0.13
constraints = [
  {"min_version":"3.1.12.2", "max_version":"3.1.23", "fixed_version":"4.0.13"},
  {"min_version":"3.2.0.8", "max_version":"3.2.14", "fixed_version":"4.0.13"},
  {"min_version":"3.3", "max_version":"3.5.27", "fixed_version":"4.0.13"},
  {"min_version":"4.0", "fixed_version":"4.0.13"}
];

vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);
```

NASL family: SuSE Local Security Checks
NASL id: SUSE_SU-2018-1122-1.NASL
description: This update fixes the following issues : - CVE-2018-1172: Squid Proxy Cache Denial of Service vulnerability (bsc#1090089). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 109547
published: 2018-05-03
reporter: This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/109547
title: SUSE SLES12 Security Update : squid (SUSE-SU-2018:1122-1)
code:

```
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from SUSE update advisory SUSE-SU-2018:1122-1.
# The text itself is copyright (C) SUSE.
#

include("compat.inc");

if (description)
{
  script_id(109547);
  script_version("1.5");
  script_cvs_date("Date: 2019/09/10 13:51:47");

  script_cve_id("CVE-2018-1172");

  script_name(english:"SUSE SLES12 Security Update : squid (SUSE-SU-2018:1122-1)");
  script_summary(english:"Checks rpm output for the updated packages.");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote SUSE host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description",
    value:
"This update fixes the following issues :

  - CVE-2018-1172: Squid Proxy Cache Denial of Service
    vulnerability (bsc#1090089).

Note that Tenable Network Security has extracted the preceding
description block directly from the SUSE security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=1090089"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.suse.com/security/cve/CVE-2018-1172/"
  );
  # https://www.suse.com/support/update/announcement/2018/suse-su-20181122-1/
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?635f6cf8"
  );
  script_set_attribute(
    attribute:"solution",
    value:
"To install this SUSE Security Update use the SUSE recommended
installation methods like YaST online_update or 'zypper patch'.

Alternatively you can run the command listed for your product :

SUSE Linux Enterprise Server 12-SP3:zypper in -t patch
SUSE-SLE-SERVER-12-SP3-2018-772=1"
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:squid");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:squid-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:squid-debugsource");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:12");

  script_set_attribute(attribute:"vuln_publication_date", value:"2018/05/16");
  script_set_attribute(attribute:"patch_publication_date", value:"2018/05/02");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/05/03");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"SuSE Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/SuSE/release");
if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE");
os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE");
os_ver = os_ver[1];
if (! preg(pattern:"^(SLES12)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLES12", "SUSE " + os_ver);

if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu);

sp = get_kb_item("Host/SuSE/patchlevel");
if (isnull(sp)) sp = "0";
if (os_ver == "SLES12" && (! preg(pattern:"^(3)$", string:sp))) audit(AUDIT_OS_NOT, "SLES12 SP3", os_ver + " SP" + sp);

flag = 0;
if (rpm_check(release:"SLES12", sp:"3", reference:"squid-3.5.21-26.9.1")) flag++;
if (rpm_check(release:"SLES12", sp:"3", reference:"squid-debuginfo-3.5.21-26.9.1")) flag++;
if (rpm_check(release:"SLES12", sp:"3", reference:"squid-debugsource-3.5.21-26.9.1")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "squid");
}
```

NASL family: SuSE Local Security Checks
NASL id: OPENSUSE-2018-412.NASL
description: This update fixes the following issues : - CVE-2018-1172: Squid Proxy Cache Denial of Service vulnerability (bsc#1090089). This update was imported from the SUSE:SLE-12-SP2:Update update project.
last seen: 2020-06-05
modified: 2018-05-03
plugin id: 109537
published: 2018-05-03
reporter: This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/109537
title: openSUSE Security Update : squid (openSUSE-2018-412)

NASL family: SuSE Local Security Checks
NASL id: SUSE_SU-2018-1365-1.NASL
description: This update for squid3 fixes the following issues : - CVE-2018-1172: Fixed a DoS caused by incorrect handling of ESI responses. (bsc#1090089, SQUID-2018:3) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 110032
published: 2018-05-23
reporter: This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/110032
title: SUSE SLES11 Security Update : squid3 (SUSE-SU-2018:1365-1)