Vulnerabilities > CVE-2018-1172 - NULL Pointer Dereference vulnerability in Squid-Cache Squid 3.5.27

047910
CVSS 4.3 - MEDIUM
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
PARTIAL
network
squid-cache
CWE-476
nessus

Summary

This vulnerability allows remote attackers to deny service on vulnerable installations of The Squid Software Foundation Squid 3.5.27-20180318. Authentication is not required to exploit this vulnerability. The specific flaw exists within ClientRequestContext::sslBumpAccessCheck(). A crafted request can trigger the dereference of a null pointer. An attacker can leverage this vulnerability to create a denial-of-service condition to users of the system. Was ZDI-CAN-6088.

Vulnerable Configurations

Part Description Count
Application
Squid-Cache
1

Common Weakness Enumeration (CWE)

Nessus

  • NASL familyFirewalls
    NASL idSQUID_2018_3.NASL
    descriptionAccording to its banner, the version of Squid running on the remote host is 3.1.x after or equal to 3.1.12.2 and prior or equal to 3.1.23, 3.2.x after or equal to 3.2.0.8 and prior or equal to 3.2.0.8, 3.3.x, 3.4.x, 3.5.x prior or equal to 3.5.27, or 4.x prior to 4.0.13. It is, therefore, affected by a denial of service (DoS) vulnerability in the ESI response processing component due to incorrect pointer handling. A remote attacker controlled server can exploit this issue, via a crafted ESI response, to cause a denial of service for all clients accessing the Squid service. Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-06-01
    modified2020-06-02
    plugin id119725
    published2018-12-17
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/119725
    titleSquid 3.1.12.2 <= 3.1.x <= 3.1.23 / 3.2.0.8 <= 3.2.x <= 3.2.14 / 3.3.x / 3.4.x / 3.5.x <= 3.5.27 / 4.x < 4.0.13 Denial of Service Vulnerability (SQUID-2018:3)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(119725);
      script_version("1.2");
      script_cvs_date("Date: 2019/10/31 15:18:51");
    
      script_cve_id("CVE-2018-1172");
    
      script_name(english:"Squid 3.1.12.2 <= 3.1.x <= 3.1.23 / 3.2.0.8 <= 3.2.x <= 3.2.14 / 3.3.x / 3.4.x / 3.5.x <= 3.5.27 / 4.x < 4.0.13 Denial of Service Vulnerability (SQUID-2018:3)");
      script_summary(english:"Checks the version of Squid.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote proxy server is affected by a denial of service
    vulnerability.");
      script_set_attribute(attribute:"description", value:
    "According to its banner, the version of Squid running on the remote
    host is 3.1.x after or equal to 3.1.12.2 and prior or equal to
    3.1.23, 3.2.x after or equal to 3.2.0.8 and prior or equal to
    3.2.0.8, 3.3.x, 3.4.x, 3.5.x prior or equal to 3.5.27, or 4.x prior
    to 4.0.13. It is, therefore, affected by a denial of service (DoS)
    vulnerability in the ESI response processing component due to
    incorrect pointer handling. A remote attacker controlled server can
    exploit this issue, via a crafted ESI response, to cause a denial of
    service for all clients accessing the Squid service.
    
    Note that Nessus has not tested for this issue but has instead
    relied only on the application's self-reported version number.");
      script_set_attribute(attribute:"see_also", value:"http://www.squid-cache.org/Advisories/SQUID-2018_3.txt");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to Squid version 4.0.13 or later. Alternatively, apply the
    vendor-supplied patch.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-1172");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/04/18");
      script_set_attribute(attribute:"patch_publication_date", value:"2016/04/16");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/12/17");
    
      script_set_attribute(attribute:"potential_vulnerability", value:"true");
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:squid-cache:squid");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Firewalls");
    
      script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("squid_version.nasl");
      script_require_keys("installed_sw/Squid", "Settings/ParanoidReport");
      script_require_ports("Services/http_proxy", 3128, 8080);
    
      exit(0);
    }
    
    include("vcf.inc");
    include("http.inc");
    
    app = "Squid";
    get_install_count(app_name:app, exit_if_zero:TRUE);
    
    if (report_paranoia < 2) audit(AUDIT_PARANOID);
    
    port = get_http_port(default:3128);
    
    app_info = vcf::get_app_info(app:app, port:port, webapp:TRUE);
    
    # Affected versions:  Squid 3.1.12.2 -> 3.1.23
    #                     Squid 3.2.0.8 -> 3.2.14
    #                     Squid 3.3 -> 3.5.27
    #                     Squid 4.x -> 4.0.12
    # Fixed in version:   Squid 4.0.13
    constraints = [
      {"min_version":"3.1.12.2", "max_version":"3.1.23", "fixed_version":"4.0.13"},
      {"min_version":"3.2.0.8", "max_version":"3.2.14", "fixed_version":"4.0.13"},
      {"min_version":"3.3", "max_version":"3.5.27", "fixed_version":"4.0.13"},
      {"min_version":"4.0", "fixed_version":"4.0.13"}
    ];
    
    vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);
    
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2018-1122-1.NASL
    descriptionThis update fixes the following issues : - CVE-2018-1172: Squid Proxy Cache Denial of Service vulnerability (bsc#1090089). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id109547
    published2018-05-03
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/109547
    titleSUSE SLES12 Security Update : squid (SUSE-SU-2018:1122-1)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from SUSE update advisory SUSE-SU-2018:1122-1.
    # The text itself is copyright (C) SUSE.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(109547);
      script_version("1.5");
      script_cvs_date("Date: 2019/09/10 13:51:47");
    
      script_cve_id("CVE-2018-1172");
    
      script_name(english:"SUSE SLES12 Security Update : squid (SUSE-SU-2018:1122-1)");
      script_summary(english:"Checks rpm output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote SUSE host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update fixes the following issues :
    
      - CVE-2018-1172: Squid Proxy Cache Denial of Service
        vulnerability (bsc#1090089).
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the SUSE security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1090089"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-1172/"
      );
      # https://www.suse.com/support/update/announcement/2018/suse-su-20181122-1/
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?635f6cf8"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "To install this SUSE Security Update use the SUSE recommended
    installation methods like YaST online_update or 'zypper patch'.
    
    Alternatively you can run the command listed for your product :
    
    SUSE Linux Enterprise Server 12-SP3:zypper in -t patch
    SUSE-SLE-SERVER-12-SP3-2018-772=1"
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:squid");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:squid-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:squid-debugsource");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:12");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/05/16");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/05/02");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/05/03");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE");
    os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE");
    os_ver = os_ver[1];
    if (! preg(pattern:"^(SLES12)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLES12", "SUSE " + os_ver);
    
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu);
    
    sp = get_kb_item("Host/SuSE/patchlevel");
    if (isnull(sp)) sp = "0";
    if (os_ver == "SLES12" && (! preg(pattern:"^(3)$", string:sp))) audit(AUDIT_OS_NOT, "SLES12 SP3", os_ver + " SP" + sp);
    
    
    flag = 0;
    if (rpm_check(release:"SLES12", sp:"3", reference:"squid-3.5.21-26.9.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"3", reference:"squid-debuginfo-3.5.21-26.9.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"3", reference:"squid-debugsource-3.5.21-26.9.1")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "squid");
    }
    
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2018-412.NASL
    descriptionThis update fixes the following issues : - CVE-2018-1172: Squid Proxy Cache Denial of Service vulnerability (bsc#1090089). This update was imported from the SUSE:SLE-12-SP2:Update update project.
    last seen2020-06-05
    modified2018-05-03
    plugin id109537
    published2018-05-03
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/109537
    titleopenSUSE Security Update : squid (openSUSE-2018-412)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2018-1365-1.NASL
    descriptionThis update for squid3 fixes the following issues : - CVE-2018-1172: Fixed a DoS caused by incorrect handling of ESI responses. (bsc#1090089, SQUID-2018:3) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id110032
    published2018-05-23
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/110032
    titleSUSE SLES11 Security Update : squid3 (SUSE-SU-2018:1365-1)