When validating an origin server or peer certificate, Squid may
incorrectly classify certain certificates as trusted.
Severity:
This problem allows a remote server to obtain security trust
when the trust is not valid. This indication of trust may be
passed along to clients allowing access to unsafe or hijacked
services.
This problem is guaranteed to occur when multiple CA have
signed the TLS server certificate. It may also occur in cases
of broken server certificate chains.
CVSS Score of 8.4
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N/E:H/RL:O/RC:C/CR:H/IR:H/AR:X/MAV:X/MAC:X/MPR:X/MUI:R/MS:X/MC:H/MI:H/MA:X&version=3.1
Updated Packages:
This bug is fixed by Squid version 5.2.
In addition, patches addressing this problem for the stable
releases can be found in our patch archives:
Squid 5:
http://www.squid-cache.org/Versions/v5/SQUID-2021_6.patch
If you are using a prepackaged version of Squid then please
refer to the package vendor for availability information on
updated packages.
Determining if your version is vulnerable:
All Squid-4 and older are not vulnerable.
All Squid-5.0.1 up to and including 5.0.5 are not vulnerable.
All Squid-5.0.6 up to and including 5.1 are vulnerable.
Workaround:
The only workaround is complete denial to TLS and HTTPS servers
publishing affected certificate chains. The set of affected
servers varies over time and is left out of this document.
acl vulnerableDomains dstdomain .example.net
http_access deny vulnerableDomains
Contact details for the Squid project:
For installation / upgrade support on binary packaged versions
of Squid: Your first point of contact should be your binary
package vendor.
If you install and build Squid from the original Squid sources
then the [email protected] mailing list is
your primary support point. For subscription details see
http://www.squid-cache.org/Support/mailing-lists.html.
For reporting of non-security bugs in the latest STABLE release
the squid bugzilla database should be used
https://bugs.squid-cache.org/.
For reporting of security sensitive bugs send an email to the
[email protected] mailing list. It's a closed
list (though anyone can post) and security related bug reports
are treated in confidence until the impact has been established.
Credits:
This vulnerability was discovered by Jean-Paul Larocque of
RodeoTV, LLC.
Fixed by The Measurement Factory.
Revision history:
2021-09-07 02:54:48 UTC Initial Report
2021-09-24 20:10:37 UTC Patches Released
2021-10-03 00:00:00 UTC Packages Released
END
When validating an origin server or peer certificate, Squid may
incorrectly classify certain certificates as trusted.
Severity:
This problem allows a remote server to obtain security trust
when the trust is not valid. This indication of trust may be
passed along to clients allowing access to unsafe or hijacked
services.
This problem is guaranteed to occur when multiple CA have
signed the TLS server certificate. It may also occur in cases
of broken server certificate chains.
CVSS Score of 8.4
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N/E:H/RL:O/RC:C/CR:H/IR:H/AR:X/MAV:X/MAC:X/MPR:X/MUI:R/MS:X/MC:H/MI:H/MA:X&version=3.1
Updated Packages:
This bug is fixed by Squid version 5.2.
In addition, patches addressing this problem for the stable
releases can be found in our patch archives:
Squid 5:
http://www.squid-cache.org/Versions/v5/SQUID-2021_6.patch
If you are using a prepackaged version of Squid then please
refer to the package vendor for availability information on
updated packages.
Determining if your version is vulnerable:
All Squid-4 and older are not vulnerable.
All Squid-5.0.1 up to and including 5.0.5 are not vulnerable.
All Squid-5.0.6 up to and including 5.1 are vulnerable.
Workaround:
The only workaround is complete denial to TLS and HTTPS servers
publishing affected certificate chains. The set of affected
servers varies over time and is left out of this document.
acl vulnerableDomains dstdomain .example.net
http_access deny vulnerableDomains
Contact details for the Squid project:
For installation / upgrade support on binary packaged versions
of Squid: Your first point of contact should be your binary
package vendor.
If you install and build Squid from the original Squid sources
then the [email protected] mailing list is
your primary support point. For subscription details see
http://www.squid-cache.org/Support/mailing-lists.html.
For reporting of non-security bugs in the latest STABLE release
the squid bugzilla database should be used
https://bugs.squid-cache.org/.
For reporting of security sensitive bugs send an email to the
[email protected] mailing list. It's a closed
list (though anyone can post) and security related bug reports
are treated in confidence until the impact has been established.
Credits:
This vulnerability was discovered by Jean-Paul Larocque of
RodeoTV, LLC.
Fixed by The Measurement Factory.
Revision history:
2021-09-07 02:54:48 UTC Initial Report
2021-09-24 20:10:37 UTC Patches Released
2021-10-03 00:00:00 UTC Packages Released
END