CVE-2004-0918
CVSS 5.0
Published: 2005-01-27 00:00:00
Modified: 2016-10-17 22:49:56

[Original] The asn_parse_header function (asn1.c) in the SNMP module for Squid Web Proxy Cache before 2.4.STABLE7 allows remote attackers to cause a denial of service (server restart) via certain SNMP packets with negative length fields that trigger a memory allocation error.


[CNNVD] CNNVD data is not yet available.



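- CVSS (Base Score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: NONE [no impact on the confidentiality of the system]
Integrity impact: NONE [no impact on the integrity of the system]
Availability impact: PARTIAL [may cause reduced performance or interrupted access to resources]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: NETWORK [the attacker does not need internal-network or local access]
Authentication: NONE [exploitation requires no authentication]

- CWE (Weakness Category)

CWE-399 [Resource Management Errors]

- CPE (Affected Platforms and Products)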

cpe:/o:trustix:secure_linux:1.5 Trustix Secure Linux 1.5
cpe:/a:squid:squid:2.5_.stable5
cpe:/a:squid:squid:2.5_.stable6
cpe:/a:squid:squid:2.5_.stable3
cpe:/a:squid:squid:2.5_.stable4
cpe:/o:redhat:fedora_core:core_2.0
cpe:/a:openpkg:openpkg:current
cpe:/o:trustix:secure_linux:2.1 Trustix Secure Linux 2.1
cpe:/o:trustix:secure_linux:2.0 Trustix Secure Linux 2.0
cpe:/a:squid:squid:2.4
cpe:/o:ubuntu:ubuntu_linux:4.1::ia64
cpe:/a:squid:squid:2.5_.stable1
cpe:/a:squid:squid:3.0_pre2
cpe:/a:squid:squid:3.0_pre1
cpe:/o:gentoo:linux Gentoo Linux
cpe:/a:squid:squid:2.4_.stable7
cpe:/a:squid:squid:2.4_.stable6
cpe:/a:squid:squid:3.0_pre3
cpe:/a:openpkg:openpkg:2.2 OpenPKG 2.2
cpe:/a:openpkg:openpkg:2.1 OpenPKG 2.1
cpe:/o:ubuntu:ubuntu_linux:4.1::ppc
cpe:/a:squid:squid:2.0_patch2
cpe:/a:squid:squid:2.1_patch2
cpe:/a:squid:squid:2.4_.stable2
cpe:/a:squid:squid:2.3_.stable4
cpe:/a:squid:squid:2.3_.stable5

- OVAL (Technical Details for Detection)

oval:org.mitre.oval:def:10931 The asn_parse_header function (asn1.c) in the SNMP module for Squid Web Proxy Cache before 2.4.STABLE7 allows remote attackers to cause a de...
*OVAL describes in detail how to detect this vulnerability; more technical details on detecting it can be found in the related OVAL definition.

- Official Database Links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0918
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0918
(Official data source) NVD

- Other Links and Resources

ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.16/SCOSA-2005.16.txt
(UNKNOWN)  SCO  SCOSA-2005.16
http://lists.opensuse.org/opensuse-security-announce/2008-07/msg00001.html
(UNKNOWN)  SUSE  SUSE-SR:2008:014
http://marc.info/?l=bugtraq&m=109913064629327&w=2
(UNKNOWN)  OPENPKG  OpenPKG-SA-2004.048
http://www.gentoo.org/security/en/glsa/glsa-200410-15.xml
(UNKNOWN)  GENTOO  GLSA-200410-15
http://www.idefense.com/application/poi/display?id=152&type=vulnerabilities&flashstatus=false
(UNKNOWN)  IDEFENSE  20041011 Squid Web Proxy Cache Remote Denial of Service Vulnerability
http://www.redhat.com/support/errata/RHSA-2004-591.html
(VENDOR_ADVISORY)  REDHAT  RHSA-2004:591
http://www.securityfocus.com/bid/11385
(VENDOR_ADVISORY)  BID  11385
http://www.squid-cache.org/Advisories/SQUID-2004_3.txt
(UNKNOWN)  CONFIRM  http://www.squid-cache.org/Advisories/SQUID-2004_3.txt
http://www.squid-cache.org/Advisories/SQUID-2008_1.txt
(UNKNOWN)  CONFIRM  http://www.squid-cache.org/Advisories/SQUID-2008_1.txt
http://www.vupen.com/english/advisories/2008/1969/references
(VENDOR_ADVISORY)  VUPEN  ADV-2008-1969
http://xforce.iss.net/xforce/xfdb/17688
(VENDOR_ADVISORY)  XF  squid-snmp-asnparseheader-dos(17688)
https://www.redhat.com/archives/fedora-package-announce/2008-July/msg00122.html
(UNKNOWN)  FEDORA  FEDORA-2008-6045

- Vulnerability Information (F34637)

iDEFENSE Security Advisory 2004-10-11.t (PacketStormID:F34637)
2004-10-13 00:00:00
iDefense Labs  idefense.com
advisory,remote,web,denial of service
CVE-2004-0918

iDEFENSE Security Advisory 10.11.04 - Remote exploitation of a design error in the SNMP module of Squid Web Proxy Cache may lead to a denial of service. The problem specifically exists due to an ASN1 parsing error where certain header length combinations can slip through the validations performed by the ASN1 parser, eventually causing the server to restart and close all current connections. The server takes several seconds to restart.

Squid Web Proxy Cache Remote Denial of Service Vulnerability

iDEFENSE Security Advisory 10.11.04:
www.idefense.com/application/poi/display?id=152&type=vulnerabilities
October 11, 2004

I. BACKGROUND

Squid Web Proxy Cache is a full-featured web proxy cache designed to run
on Unix systems. It supports proxying HTTP, FTP, SSL, DNS, and has
support for SNMP.

II. DESCRIPTION

Remote exploitation of a design error in the SNMP module of Squid Web
Proxy Cache may lead to a denial of service.

The problem specifically exists due to an ASN1 parsing error where
certain header length combinations can slip through the validations
performed by the ASN1 parser, eventually causing the server to restart
and close all current connections. The server takes several seconds to
restart.

The offending code is in the asn_parse_header() routine of
snmplib/asn1.c, which under some cases will allow negative length fields
to pass validation. This leads to a failed xmalloc(), and the server
then assumes there is heap corruption or some other exceptional
condition, and restarts.

III. ANALYSIS

An attacker can exploit the above-described vulnerability to crash a
Squid server. If the attack is repeated, it can render the server
useless. Only a single UDP packet is required to trigger this
vulnerability, so the source address can be spoofed.

IV. DETECTION

iDEFENSE has confirmed the existence of this vulnerability in Squid Web
Proxy Cache version 2.5-STABLE5 compiled with SNMP support as well as
Squid Web Proxy Cache version 3.0-PRE3-20040702 compiled with SNMP
support. It is suspected that earlier versions are vulnerable as well.

To find if a Squid binary is compiled with SNMP support one can run:

    grep snmp_port /usr/local/squid/sbin/squid

If this command returns silently, that binary was not built with SNMP
support and it is not vulnerable to this issue.

V. WORKAROUND

Disable SNMP support or filter the port that has SNMP processing
activated (3401 by default) to allow only SNMP data from trusted hosts.

To disable SNMP support on a squid binary that has SNMP support compiled
in, use the entry snmp_port 0 in the squid.conf configuration file.

To allow only the local interface to process SNMP, use the entry
"snmp_incoming_address 127.0.0.1" in the squid.conf configuration file.

Squid must be restarted to activate changes in the configuration file.

VI. VENDOR RESPONSE

Patch relative to Squid-2.5.STABLE6:

   http://www.squid-cache.org/Versions/v2/2.5/bugs/squid-2.5.STABLE6-SNMP_core_dump.patch

Squid-2.5.STABLE7 release:

   ftp://ftp.squid-cache.org/pub/squid-2/STABLE/squid-2.5.STABLE7.tar.gz
   ftp://ftp.squid-cache.org/pub/squid-2/STABLE/squid-2.5.STABLE7.tar.bz2
   http://www.squid-cache.org/Versions/v2/2.5/squid-2.5.STABLE7.tar.gz
   http://www.squid-cache.org/Versions/v2/2.5/squid-2.5.STABLE7.tar.bz2

or any of the mirrors

   http://www.squid-cache.org/Mirrors/ftp-mirrors.html
   http://www.squid-cache.org/Mirrors/http-mirrors.html

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
names CAN-2004-0918 to these issues. This is a candidate for inclusion
in the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

09/15/2004  Initial vendor notification
09/15/2004  iDEFENSE clients notified
09/15/2004  Initial vendor response
10/05/2004  Coordinated public disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

X. LEGAL NOTICES

Copyright (c) 2004 iDEFENSE, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDEFENSE. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.


- Vulnerability Information

10675
Squid Web Proxy Cache SNMP Module asn_parse_header() Function Remote DoS
Remote / Network Access Denial of Service
Loss of Availability
Exploit Unknown Vendor Verified

- Vulnerability Description

Squid Web Proxy Cache contains a flaw that may allow a remote denial of service. The issue is triggered due to an ASN1 parsing error where certain header length combinations can bypass the validations performed by the ASN1 parser, eventually resulting in loss of availability for the service.
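
The failure mode described above, a length field that reads as negative and slips past a bounds check, shown beside a hardened check. This is an added illustration, not Squid's asn_parse_header() code or the vendor patch; the function names and the sample header bytes are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample headers (tag, then BER length), not captured traffic. */
const uint8_t SAMPLE_OK[]    = {0x30, 0x03, 0x02, 0x01, 0x00};
const uint8_t SAMPLE_SHORT[] = {0x30, 0x05, 0x02, 0x01};
const uint8_t SAMPLE_NEG[]   = {0x30, 0x84, 0xff, 0xff, 0xff, 0xff};

/* Decode a BER length (short or long form, at most 4 octets) into *out.
 * Returns the number of octets consumed, or 0 if the field is malformed. */
static size_t ber_read_length(const uint8_t *p, size_t avail, uint32_t *out)
{
    if (avail < 1) return 0;
    if (!(p[0] & 0x80)) { *out = p[0]; return 1; }        /* short form */
    size_t n = p[0] & 0x7f;                               /* long form */
    if (n == 0 || n > 4 || avail < 1 + n) return 0;
    uint32_t v = 0;
    for (size_t i = 1; i <= n; i++) v = (v << 8) | p[i];
    *out = v;
    return 1 + n;
}

/* Weak check: the length is narrowed to a signed type, so a value with the
 * top bit set turns negative and makes the total look smaller than the packet. */
int header_ok_signed(const uint8_t *pkt, size_t pktlen)
{
    uint32_t len; size_t used;
    if (pktlen < 2 || !(used = ber_read_length(pkt + 1, pktlen - 1, &len))) return 0;
    long long total = (long long)(1 + used) + (int32_t)len;
    return total <= (long long)pktlen;
}

/* Hardened check: keep the length unsigned and compare it with the octets
 * that really remain after the header; no arithmetic can wrap or go negative. */
int header_ok_unsigned(const uint8_t *pkt, size_t pktlen)
{
    uint32_t len; size_t used;
    if (pktlen < 2 || !(used = ber_read_length(pkt + 1, pktlen - 1, &len))) return 0;
    return len <= pktlen - 1 - used;
}

int main(void)
{
    printf("negative length: signed=%d unsigned=%d\n",
           header_ok_signed(SAMPLE_NEG, sizeof SAMPLE_NEG),
           header_ok_unsigned(SAMPLE_NEG, sizeof SAMPLE_NEG));
    return 0;
}
```

A length accepted by the weak check would then be handed to the allocator as a huge or negative size, which is the point at which the advisory's failed xmalloc() occurs.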

- Timeline

2004-10-05 2004-09-15
Unknown 2005-02-11

- Solution

Upgrade to version Squid-2.5.STABLE7, 3.0.STABLE7 or higher, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by implementing the following workaround: disable SNMP support or filter the port that has SNMP processing activated (3401 by default) to allow only SNMP data from trusted hosts.

- Vulnerability Information

Squid Proxy SNMP ASN.1 Parser Denial Of Service Vulnerability
Failure to Handle Exceptional Conditions 11385
Yes No
2004-10-12 12:00:00 2008-07-07 04:30:00
iDEFENSE disclosed this vulnerability, but the original discoverer wishes to remain anonymous.

- Affected Software Versions

Ubuntu Ubuntu Linux 4.1 ppc
Ubuntu Ubuntu Linux 4.1 ia64
Ubuntu Ubuntu Linux 4.1 ia32
Trustix Secure Linux 2.1
Trustix Secure Linux 2.0
Trustix Secure Linux 1.5
Trustix Secure Enterprise Linux 2.0
Squid Web Proxy Cache 3.0 PRE3
Squid Web Proxy Cache 3.0 PRE2
Squid Web Proxy Cache 3.0 PRE1
Squid Web Proxy Cache 3.0
Squid Web Proxy Cache 2.5 .STABLE6
+ Mandriva Linux Mandrake 10.1 x86_64
+ S.u.S.E. Linux Personal 9.2 x86_64
+ S.u.S.E. Linux Personal 9.2
+ Turbolinux Appliance Server 1.0 Workgroup Edition
+ Turbolinux Appliance Server 1.0 Hosting Edition
+ Turbolinux Appliance Server Hosting Edition 1.0
+ Turbolinux Appliance Server Workgroup Edition 1.0
+ Turbolinux Turbolinux Server 10.0
+ Turbolinux Turbolinux Server 8.0
+ Turbolinux Turbolinux Server 7.0
+ Turbolinux Turbolinux Workstation 8.0
+ Turbolinux Turbolinux Workstation 7.0
Squid Web Proxy Cache 2.5 .STABLE5
+ Conectiva Linux 10.0
+ Conectiva Linux 9.0
+ S.u.S.E. Linux Personal 9.1 x86_64
+ S.u.S.E. Linux Personal 9.1
+ Trustix Secure Linux 2.1
+ Trustix Secure Linux 2.0
+ Ubuntu Ubuntu Linux 4.1 ppc
+ Ubuntu Ubuntu Linux 4.1 ia64
+ Ubuntu Ubuntu Linux 4.1 ia32
Squid Web Proxy Cache 2.5 .STABLE4
+ MandrakeSoft Corporate Server 3.0
+ Mandriva Linux Mandrake 10.0 AMD64
+ Mandriva Linux Mandrake 10.0
+ OpenPKG OpenPKG 2.0
+ OpenPKG OpenPKG Current
Squid Web Proxy Cache 2.5 .STABLE3
+ Mandriva Linux Mandrake 9.2 amd64
+ Mandriva Linux Mandrake 9.2
+ OpenPKG OpenPKG 1.3
+ Red Hat Enterprise Linux AS 3
+ Red Hat Fedora Core1
+ RedHat Desktop 3.0
+ RedHat Enterprise Linux ES 3
+ RedHat Enterprise Linux WS 3
+ S.u.S.E. Linux Personal 9.0 x86_64
+ S.u.S.E. Linux Personal 9.0
Squid Web Proxy Cache 2.5 .STABLE1
+ Mandriva Linux Mandrake 9.1 ppc
+ Mandriva Linux Mandrake 9.1
+ S.u.S.E. Linux Personal 8.2
Squid Web Proxy Cache 2.4 .STABLE7
+ MandrakeSoft Corporate Server 2.1 x86_64
+ MandrakeSoft Corporate Server 2.1
+ MandrakeSoft Multi Network Firewall 2.0
+ Red Hat Enterprise Linux AS 2.1 IA64
+ Red Hat Enterprise Linux AS 2.1
+ RedHat Enterprise Linux ES 2.1 IA64
+ RedHat Enterprise Linux ES 2.1
+ RedHat Enterprise Linux WS 2.1 IA64
+ RedHat Enterprise Linux WS 2.1
+ RedHat Linux Advanced Work Station 2.1
Squid Web Proxy Cache 2.4 .STABLE6
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ Debian Linux 3.0
Squid Web Proxy Cache 2.4 .STABLE2
Squid Web Proxy Cache 2.4
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ Debian Linux 3.0
Squid Web Proxy Cache 2.3 .STABLE5
Squid Web Proxy Cache 2.3 .STABLE4
Squid Web Proxy Cache 2.1 PATCH2
Squid Web Proxy Cache 2.0 PATCH2
Squid Web Proxy Cache 3.0.STABLE6
Squid Web Proxy Cache 3.0.STABLE5
Squid Web Proxy Cache 3.0.STABLE4
Squid Web Proxy Cache 3.0.STABLE3
Squid Web Proxy Cache 3.0.STABLE2
Squid Web Proxy Cache 3.0.STABLE1
SCO Unixware 7.1.4
S.u.S.E. openSUSE 11.0
RedHat Linux 9.0 i386
RedHat Linux 7.3 i386
Red Hat Fedora Core2
Red Hat Fedora Core1
Red Hat Fedora 9
OpenPKG OpenPKG 2.2
OpenPKG OpenPKG 2.1
OpenPKG OpenPKG Current
Gentoo Linux
Conectiva Linux 10.0
Conectiva Linux 9.0
Squid Web Proxy Cache 2.5 .STABLE7
+ Conectiva Linux 10.0
+ Conectiva Linux 9.0
+ Gentoo Linux
+ Red Hat Fedora Core3
+ Red Hat Fedora Core2
Squid Web Proxy Cache 3.0.STABLE7

- Unaffected Software Versions

Squid Web Proxy Cache 2.5 .STABLE7
+ Conectiva Linux 10.0
+ Conectiva Linux 9.0
+ Gentoo Linux
+ Red Hat Fedora Core3
+ Red Hat Fedora Core2
Squid Web Proxy Cache 3.0.STABLE7

- Vulnerability Discussion

Squid is prone to a denial-of-service vulnerability in its SNMP ASN.1 parser. SNMP support is not enabled by default as provided by the vendor, but may be enabled by default when Squid is included as a binary application in certain unconfirmed operating systems.

This vulnerability allows remote attackers to crash affected Squid proxies with single UDP datagrams that may be spoofed. Squid will attempt to restart itself automatically, but an attacker sending repeated malicious SNMP packets can effectively deny service to legitimate users.

Squid 2.5-STABLE6 and earlier, as well as 3.0-PRE3-20040702, are reported vulnerable.

- Exploit

An exploit is not required.

- Solution

Please see the referenced vendor advisories for more information and fixes.

UPDATE (June 27, 2008): iDefense Labs recently discovered that Squid 3.0 to 3.0.STABLE6 are also vulnerable. The vendor released 3.0.STABLE7 to address the issue. Please see the references for more information.

