Title: EGI SVG 'ADVISORY' **UPDATE** [TLP:WHITE] HIGH risk Vulnerabilities in
Squid CVE-2019-12526, CVE-2019-12523 and others
[EGI-SVG-CVE-2019-12526]
Date: 2019-11-13
Updated: 2019-12-02 Updated Version of Frontier Squid available in EGI UMD.
Updated: 2023-12-06 Included more CVEs and redirections from CVEs and references.
Affected software and risk
==========================
HIGH risk vulnerabilities concerning Squid.
Package : Squid
CVE ID : CVE-2019-12526, CVE-2019-12523, CVE-2019-18676
Several security issues have been found in Squid; they have been announced by
the Squid team and fixed in release 4.9 [R 1].
EGI SVG considers a couple of these vulnerabilities to be 'HIGH' risk with the
potential of being elevated to 'CRITICAL' in combination with others.
The ones we consider most serious are [R 2] and [R 3].
Many sites in EGI will be using frontier-squid (e.g. from the UMD) instead of
the squid version directly available from RHEL / CentOS.
**UPDATE 2019-12-02**
The version of frontier-squid with these vulnerabilities fixed is now available
in the EGI UMD.
We also remind sites to keep the Squid host firewall rules and the Squid
network ACLs as tight as possible.
Actions required/recommended
============================
**UPDATE 2019-12-02**
Sites are recommended to install a non-vulnerable version of Squid, urgently if
they have not yet taken mitigating action after the previous advisory.
Component installation information
==================================
The official repository for the distribution of grid middleware for EGI sites is
repository.egi.eu which contains the EGI Unified Middleware Distribution (UMD).
Sites using the EGI UMD 4 should see:
http://repository.egi.eu/category/umd_releases/distribution/umd-4/
The fixed version of Squid is part of the UMD-4.9.0 release.
http://repository.egi.eu/2019/11/26/release-umd-4-9-0/
The fixed version is available from the Squid team [R 1].
frontier-squid-4.9-2.1 has been released in the CERN distribution [R 4].
Other Mitigating action
=======================
For those using squid directly from Red Hat or CentOS, note that Red Hat is not
planning to apply all of the patches. As a permanent mitigating action for
CVE-2019-12526 [R 5] they recommend adding the following configuration lines,
which deny all URN requests:
acl URN proto URN
http_access deny URN
Squid evaluates http_access lines in order and the first matching line decides
the request, so these two lines must appear before any http_access allow line
that a URN request could also match.
OSG Security team information
=============================
Multiple vulnerabilities have been publicly announced affecting all current
versions of frontier-squid-3.* and frontier-squid-4.*, including one that
potentially permits remote code execution and another that permits bypassing
access controls. An upgraded package is being prepared, but meanwhile a
workaround is available to block the remote code execution vulnerability. All
sites are encouraged to apply the workaround, especially those that are not
blocked from the internet by a firewall, and to watch for a further
announcement on the availability of a new frontier-squid version.
IMPACTED VERSIONS:
All frontier-squid-3.* and frontier-squid-4.* versions through
frontier-squid-4.8-2.1. frontier-squid-2.* versions don't have these
vulnerabilities but they are deprecated.
WHAT ARE THE VULNERABILITIES:
Vulnerability SQUID-2019:7 [1] describes a potential heap overflow in the URN
(Universal Resource Name) handling code that can potentially lead to remote
code execution or crash. This feature is not used by OSG clients but is enabled
by default. A workaround to disable it is below.
Vulnerability SQUID-2019:8 [2] describes several issues with URI (Universal
Resource Identifier) processing that permit remote clients to bypass access
controls or deny service to other clients. It discusses a workaround for a
third issue enabling access to manager services, but that workaround is already
in place by default.
Three other vulnerabilities were announced at the same time but they are not
applicable to the OSG.
WHAT YOU SHOULD DO:
Add these lines to /etc/squid/customize.sh and restart the frontier-squid
service, especially if your squid is accessible to the internet:
insertline("# INSERT YOUR OWN RULE", "acl URN proto URN")
insertline("# INSERT YOUR OWN RULE", "http_access deny URN")
Watch for a followup announcement of the availability of frontier-squid-4.9.
REFERENCES
[1] http://www.squid-cache.org/Advisories/SQUID-2019_7.txt
[2] http://www.squid-cache.org/Advisories/SQUID-2019_8.txt
Please contact the OSG security team at security@opensciencegrid.org if you
have any questions or concerns.
OSG Security Team
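Both mitigations on this page, the Red Hat configuration lines and the OSG customize.sh workaround, depend on the same Squid rule: http_access lines are evaluated top to bottom, the first line whose ACL terms all match decides the request, and if nothing matches the opposite of the last line's action applies. A "http_access deny URN" line therefore only protects if it precedes any allow line that a URN request could also match. The following Python script is an added example written for this page; it is not code from EGI SVG, OSG, Red Hat or the Squid project. It models that evaluation for the proto, src and built-in all ACL types over two constructed squid.conf fragments (GOOD_CONF, BAD_CONF) and reports which line decides a urn: request.

```python
"""Order check for the 'http_access deny URN' mitigation.

Added example for this page, not code from EGI SVG, OSG, Red Hat or the
Squid project.  Models Squid's first-match evaluation of http_access for
the 'proto', 'src' and predefined 'all' ACL types, enough to show that a
deny URN line placed after 'http_access allow localnet' does nothing for
clients in localnet.
"""
import ipaddress
import shlex

# Constructed squid.conf fragments (not taken from the advisory).
GOOD_CONF = """\
acl localnet src 10.0.0.0/8
acl URN proto URN
http_access deny URN          # deny before any allow: effective
http_access allow localnet
http_access deny all
"""

BAD_CONF = """\
acl localnet src 10.0.0.0/8
acl URN proto URN
http_access allow localnet    # localnet clients are allowed here first
http_access deny URN          # never reached for localnet clients
http_access deny all
"""


def parse_squid_conf(text):
    """Return (acls, rules): acls maps name -> (type, [values]), with
    repeated 'acl NAME type ...' lines extending the ACL as in Squid;
    rules is the ordered list of (action, [terms]) from http_access lines.
    Other directives are ignored."""
    acls = {}
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        fields = shlex.split(line)
        if fields[0] == "acl" and len(fields) >= 3:
            name, acl_type, values = fields[1], fields[2], fields[3:]
            old_type, old_values = acls.get(name, (acl_type, []))
            if old_type != acl_type:
                raise ValueError(f"acl {name} redefined with type {acl_type}")
            acls[name] = (acl_type, old_values + values)
        elif fields[0] == "http_access" and len(fields) >= 2:
            rules.append((fields[1], fields[2:]))
    return acls, rules


def acl_matches(acls, name, request):
    """Does ACL 'name' match request {'proto': ..., 'src': ...}?"""
    if name not in acls:
        if name == "all":                        # predefined in Squid 3.2+
            return True
        raise ValueError(f"undefined acl {name}")
    acl_type, values = acls[name]
    if acl_type == "proto":
        return request["proto"].upper() in {v.upper() for v in values}
    if acl_type == "src":
        if "all" in values:
            return True
        addr = ipaddress.ip_address(request["src"])
        return any(addr in ipaddress.ip_network(v, strict=False)
                   for v in values)
    raise ValueError(f"acl type {acl_type} is not modelled by this example")


def decide(acls, rules, request):
    """Return (action, 1-based number of the deciding http_access line).
    First match wins; a '!' prefix negates a term.  With no match the
    number is None and the action is the opposite of the last line's."""
    for number, (action, terms) in enumerate(rules, start=1):
        if all(acl_matches(acls, t.lstrip("!"), request) != t.startswith("!")
               for t in terms):
            return action, number
    if not rules:
        return "deny", None                      # Squid denies with no rules
    return ("deny" if rules[-1][0] == "allow" else "allow"), None


def urn_is_denied(conf_text, src):
    """True if a 'urn:' request from src is denied before any allow line."""
    acls, rules = parse_squid_conf(conf_text)
    action, _ = decide(acls, rules, {"proto": "URN", "src": src})
    return action == "deny"


if __name__ == "__main__":
    for label, conf in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        acls, rules = parse_squid_conf(conf)
        for src in ("10.1.2.3", "192.0.2.5"):
            print(label, src, decide(acls, rules, {"proto": "URN", "src": src}))
```

Run directly, the script shows that BAD_CONF still denies URN requests from an outside address (the allow localnet line does not match, so deny URN is reached) but lets a localnet client through, which is exactly the ordering mistake to avoid. On a real host, `squid -k parse` checks the syntax of the edited configuration and `squid -k reconfigure` reloads it; for frontier-squid, put the lines in /etc/squid/customize.sh as the OSG instructions above say, since the service generates its squid.conf from that script.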
TLP and URL
===========
** WHITE information - Unlimited distribution
- see https://go.egi.eu/tlp for distribution restrictions **
URL: https://advisories.egi.eu/Advisory-SVG-CVE-2019-12526
Minor updates may be made without re-distribution to the sites
Comments
========
Comments or questions should be sent to svg-rat at mailman.egi.eu
If you find or become aware of another vulnerability which is relevant to EGI
you may report it by e-mail to
report-vulnerability at egi.eu
the EGI Software Vulnerability Group will take a look according to the
procedure defined in [R 6]
Note that this is undergoing revision to fully handle vulnerabilities in the
EOSC-hub era.
References
==========
[R 1] http://squid-web-proxy-cache.1019090.n4.nabble.com/squid-announce-Squid-4-9-is-available-td4688506.html
[R 2] http://www.squid-cache.org/Advisories/SQUID-2019_7.txt
[R 3] http://www.squid-cache.org/Advisories/SQUID-2019_8.txt
[R 4] https://twiki.cern.ch/twiki/bin/view/Frontier/InstallSquid
[R 5] https://access.redhat.com/security/cve/CVE-2019-12526
[R 6] https://documents.egi.eu/public/ShowDocument?docid=3145
[R 7] https://access.redhat.com/security/cve/CVE-2019-12528
[R 8] https://access.redhat.com/security/cve/CVE-2019-18676
Credit
======
SVG was alerted to this vulnerability by Dave Dykstra from the OSG security
team.
Information provided by Dave Dykstra and Mike Stanfield and the OSG security
team.
Timeline
========
Yyyy-mm-dd [EGI-SVG-2019-CVE-2019-12526]
2019-11-08 SVG alerted to this issue by Dave Dykstra after announcement by
Squid team
2019-11-11 Investigation of vulnerability and relevance to EGI carried out
2019-11-12 EGI SVG Risk Assessment completed
2019-11-13 Advisory sent to sites
2019-12-02 Advisory updated as fixed version is in UMD 4.9.0 and set to [WHITE]
Context
=======
This advisory has been prepared as part of the effort to fulfil EGI SVG's
purpose "To minimize the risk to the EGI infrastructure arising from software
vulnerabilities"
The risk is that assessed by the group, according to the EGI SVG issue handling
procedure [R 6], in the context of how the software is used in the EGI
infrastructure. It is the opinion of the group; we do not guarantee it to be
correct. The risk may also be higher or lower in other deployments depending
on how the software is used.
Others may re-use this information provided they:-
1) Respect the provided TLP classification
2) Credit the EGI https://www.egi.eu/ Software Vulnerability Group
In this case, anyone re-using the OSG information reproduced above should also credit OSG.
Note that the SVG issue handling procedure is currently under review, to take
account of the increasing inhomogeneity of the EGI infrastructure and the
services in the EOSC-hub catalogue.
On behalf of the EGI SVG,