FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

squid -- TLS/SSL parser denial of service vulnerability

Affected packages
3.5.0.1 <= squid < 3.5.9

Details

VuXML ID d3a98c2d-5da1-11e5-9909-002590263bf5
Discovery 2015-09-18
Entry 2015-09-18
Modified 2016-02-18

Amos Jeffries, release manager of the Squid-3 series, reports:

Vulnerable versions are 3.5.0.1 to 3.5.8 (inclusive), which are built with OpenSSL and configured for "SSL-Bump" decryption.

Integer overflows can lead to invalid pointer math reading from random memory on some CPU architectures. In the best case this leads to wrong TLS extensions being used for the client, worst-case a crash of the proxy terminating all active transactions.

Incorrect message size checks and assumptions about the existence of TLS extensions in the SSL/TLS handshake message can lead to very high CPU consumption (up to and including 'infinite loop' behaviour).

The above can be triggered remotely. Though there is one layer of authorization applied before this processing to check that the client is allowed to use the proxy, that check is generally weak. MS Skype on Windows XP is known to trigger some of these.

The FreeBSD port does not use SSL by default and is not vulnerable in the default configuration.

References

FreeBSD PR ports/203186
URL http://www.openwall.com/lists/oss-security/2015/09/18/1
URL http://www.squid-cache.org/Advisories/SQUID-2015_3.txt