The asn_parse_header function (asn1.c) in the SNMP module for Squid Web Proxy Cache before 2.4.STABLE7 allows remote attackers to cause a denial of service (server restart) via certain SNMP packets with negative length fields that trigger a memory allocation error.

The Squid-2.5 patches page notes :

If a certain malformed SNMP request is received squid restarts with a Segmentation Fault error.

This only affects squid installations where SNMP is explicitly enabled via 'make config'. As a workaround, SNMP can be disabled by defining 'snmp_port 0' in squid.conf.

Squid security advisory SQUID-2008:1 explains that Squid-3 versions up to and including Squid-3.0.STABLE6 are affected by this error, too.

CVE-2004-0918 Squid SNMP DoS

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Recently, two Denial of Service vulnerabilities have been discovered in squid, a WWW proxy cache. Insufficient input validation in the NTLM authentication handler allowed a remote attacker to crash the service by sending a specially crafted NTLMSSP packet. Likewise, due to an insufficient validation of ASN.1 headers, a remote attacker could restart the server (causing all open connections to be dropped) by sending certain SNMP packets with negative length fields.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several security vulnerabilities have been discovered in Squid, the internet object cache, the popular WWW proxy cache. The Common Vulnerabilities and Exposures project identifies the following problems :

  - CVE-1999-0710     It is possible to bypass access lists and scan arbitrary     hosts and ports in the network through cachemgr.cgi,     which is installed by default. This update disables this     feature and introduces a configuration file     (/etc/squid/cachemgr.conf) to control this behavior.

  - CAN-2004-0918

    The asn_parse_header function (asn1.c) in the SNMP     module for Squid allows remote attackers to cause a     denial of service via certain SNMP packets with negative     length fields that causes a memory allocation error.

iDEFENSE discovered a Denial of Service vulnerability in squid version 2.5.STABLE6 and previous. The problem is due to an ASN1 parsing error where certain header length combinations can slip through the validations performed by the ASN1 parser, leading to the server assuming there is heap corruption or some other exceptional condition, and closing all current connections then restarting.

Squid 2.5.STABLE7 has been released to address this issue; the provided packages are patched to fix the issue.

An updated squid package that fixes a remote denial of service vulnerability is now available.

Squid is a full-featured Web proxy cache.

iDEFENSE reported a flaw in the squid SNMP module. This flaw could allow an attacker who has the ability to send arbitrary packets to the SNMP port to restart the server, causing it to drop all open connections. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0918 to this issue.

All users of squid should update to this erratum package, which contains a backport of the security fix for this vulnerability.

The remote host is affected by the vulnerability described in GLSA-200410-15 (Squid: Remote DoS vulnerability)

    A parsing error exists in the SNMP module of Squid where a     specially crafted UDP packet can potentially cause the server to     restart, closing all current connections. This vulnerability only     exists in versions of Squid compiled with the 'snmp' USE flag.
  Impact :

    An attacker can repeatedly send these malicious UDP packets to the     Squid server, leading to a denial of service.
  Workaround :

    Disable SNMP support or filter the port that has SNMP processing     (default is 3401) to allow only SNMP data from trusted hosts.
    To disable SNMP support put the entry snmp_port 0 in the squid.conf     configuration file.
    To allow only the local interface to process SNMP, add the entry     'snmp_incoming_address 127.0.0.1' in the squid.conf configuration file.

The remote Squid caching proxy, according to its version number, may be vulnerable to a remote denial of service.

This flaw is caused due to an input validation error in the SNMP module.

An attacker can exploit this flaw to crash the server with a specially crafted UDP packet. 

The remote Squid caching proxy, according to its version number, may be vulnerable to a remote denial of service attack.

This flaw is caused due to an input validation error in the SNMP module, and exploitation requires that Squid not only was built to support it but also configured to use it.

An attacker can exploit this flaw to crash the server with a specially crafted UDP packet.

Note that Nessus reports this vulnerability using only the version number in Squid's banner, so this might be a false positive.

The remote Squid caching proxy, according to its version number, may be vulnerable to a remote denial of service.

This flaw is caused due to an input validation error in the SNMP module.

An attacker can exploit this flaw to crash the server with a specially crafted UDP packet.

ID	Name	Product	Family	Severity
36251	FreeBSD : squid -- SNMP module denial-of-service vulnerability (65e99f52-1c5f-11d9-bc4a-000c41e2cdad)	Nessus	FreeBSD Local Security Checks	medium
33410	Fedora 9 : squid-3.0.STABLE7-1.fc9 (2008-6045)	Nessus	Fedora Local Security Checks	medium
20602	Ubuntu 4.10 : squid vulnerabilities (USN-19-1)	Nessus	Ubuntu Local Security Checks	medium
15674	Debian DSA-576-1 : squid - several vulnerabilities	Nessus	Debian Local Security Checks	high
15547	Mandrake Linux Security Advisory : squid (MDKSA-2004:112)	Nessus	Mandriva Local Security Checks	medium
15533	RHEL 2.1 / 3 : squid (RHSA-2004:591)	Nessus	Red Hat Local Security Checks	medium
15512	GLSA-200410-15 : Squid: Remote DoS vulnerability	Nessus	Gentoo Local Security Checks	medium
2363	Squid < 2.5.STABLE7 SNMP ASN.1 Parser Remote DoS	Nessus Network Monitor	Web Servers	medium
15463	Squid SNMP Module asn_parse_header() Function Remote DoS	Nessus	Firewalls	medium
801038	Squid < 2.5.STABLE7 SNMP ASN.1 Parser Remote DoS	Log Correlation Engine	Web Servers	medium

Detections

Analytics

CVE-2004-0918

high

Tenable Plugins

medium

medium

medium

high

medium

medium

medium

medium

medium

medium