Detections
Analytics

Debian DLA-2685-1 : squid3 security update

high Nessus Plugin ID 150796

Language:

Synopsis

The remote Debian host is missing a security update.

Description

Several vulnerabilities were discovered in Squid, a proxy caching server.

CVE-2021-28651

Due to a buffer-management bug, it allows a denial of service. When resolving a request with the urn: scheme, the parser leaks a small amount of memory. However, there is an unspecified attack methodology that can easily trigger a large amount of memory consumption.

CVE-2021-28652

Due to incorrect parser validation, it allows a Denial of Service attack against the Cache Manager API. This allows a trusted client to trigger memory leaks that. over time, lead to a Denial of Service via an unspecified short query string. This attack is limited to clients with Cache Manager API access privilege.

CVE-2021-31806

Due to a memory-management bug, it is vulnerable to a Denial of Service attack (against all clients using the proxy) via HTTP Range request processing.

CVE-2021-31807

An integer overflow problem allows a remote server to achieve Denial of Service when delivering responses to HTTP Range requests. The issue trigger is a header that can be expected to exist in HTTP traffic without any malicious intent.

CVE-2021-31808

Due to an input-validation bug, it is vulnerable to a Denial of Service attack (against all clients using the proxy). A client sends an HTTP Range request to trigger this.

CVE-2021-33620

Remote servers to cause a denial of service (affecting availability to all clients) via an HTTP response. The issue trigger is a header that can be expected to exist in HTTP traffic without any malicious intent by the server.

For Debian 9 stretch, these problems have been fixed in version 3.5.23-5+deb9u7.

We recommend that you upgrade your squid3 packages.

For the detailed security status of squid3 please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/squid3

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Solution

Upgrade the affected packages.

See Also

https://lists.debian.org/debian-lts-announce/2021/06/msg00014.html

https://packages.debian.org/source/stretch/squid3

https://security-tracker.debian.org/tracker/source-package/squid3

Plugin Details

Severity: High

ID: 150796

File Name: debian_DLA-2685.nasl

Version: 1.6

Type: local

Agent: unix

Published: 6/15/2021

Updated: 12/21/2023

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 4.4

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS Score Source: CVE-2021-28651

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:squid, p-cpe:/a:debian:debian_linux:squid-cgi, p-cpe:/a:debian:debian_linux:squid-common, p-cpe:/a:debian:debian_linux:squid-dbg, p-cpe:/a:debian:debian_linux:squid-purge, p-cpe:/a:debian:debian_linux:squid3, p-cpe:/a:debian:debian_linux:squidclient, cpe:/o:debian:debian_linux:9.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 6/14/2021

Vulnerability Publication Date: 5/27/2021

Reference Information

CVE: CVE-2021-28651, CVE-2021-28652, CVE-2021-31806, CVE-2021-31807, CVE-2021-31808, CVE-2021-33620