Headline
CVE-2022-41318: SQUID-2022:2 Buffer Over Read in SSPI and SMB Authentication
A buffer over-read was discovered in libntlmauth in Squid 2.5 through 5.6. Due to incorrect integer-overflow protection, the SSPI and SMB authentication helpers are vulnerable to reading unintended memory locations. In some configurations, cleartext credentials from these locations are sent to a client. This is fixed in 5.7.
Due to an incorrect integer overflow protection Squid SSPI and
SMB authentication helpers are vulnerable to a Buffer Overflow
attack.
Severity:
This problem allows a remote client to perform a Denial of
Service attack when Squid is configured to use NTLM or Negotiate
authentication with one of the vulnerable helpers.
This problem allows a remote client to extract sensitive
information from machine memory when Squid is configured to use
NTLM or Negotiate authentication with one of the vulnerable
helpers. The scope of this information includes user credentials
in decrypted forms, and also arbitrary memory areas beyond Squid
and the helper itself.
This attack is limited to authentication helpers built using the
libntlmauth library shipped by Squid.
CVSS Score of 8.2
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:H/E:P/RL:O/RC:C/CR:H/IR:H/AR:H/MAV:X/MAC:X/MPR:X/MUI:X/MS:C/MC:X/MI:L/MA:H&version=3.1
Updated Packages:
This bug is fixed by Squid version 5.7.
In addition, patches addressing this problem for the stable
releases can be found in our patch archives:
Squid 4:
http://www.squid-cache.org/Versions/v4/changesets/SQUID-2022_2.patch
Squid 5:
http://www.squid-cache.org/Versions/v5/changesets/SQUID-2022_2.patch
If you are using a prepackaged version of Squid then please refer
to the package vendor for availability information on updated
packages.
Determining if your version is vulnerable:
Run this command to view the configured authentication helpers:
(squid -k parse 2>&1) | grep “Processing: auth_param”
Your Squid may be vulnerable if the result contains any of the following:
ntlm_smb_lm_auth
ntlm_sspi_auth
ntlm_fake_auth
negotiate_sspi_auth
All Squid-2.5 up to and including 4.17 have vulnerable helpers.
All Squid-5.x up to and including 5.6 have vulnerable helpers.
Workaround:
Either,
Disable use of the vulnerable authentication scheme.
Or,
Replace the vulnerable helper with an alternative helper for the
same authentication scheme.
Or,
Replace the vulnerable helper binary with one built from an
updated or patched Squid release. The remainder of Squid does not
need updating to fix this.
Contact details for the Squid project:
For installation / upgrade support on binary packaged versions
of Squid: Your first point of contact should be your binary
package vendor.
If you install and build Squid from the original Squid sources
then the [email protected] mailing list is your
primary support point. For subscription details see
http://www.squid-cache.org/Support/mailing-lists.html.
For reporting of non-security bugs in the latest STABLE release
the squid bugzilla database should be used
http://bugs.squid-cache.org/.
For reporting of security sensitive bugs send an email to the
[email protected] mailing list. It’s a closed
list (though anyone can post) and security related bug reports
are treated in confidence until the impact has been established.
Credits:
This vulnerability was discovered by LWIC.
Fixed by Amos Jeffries of Treehouse Networks Ltd,
based on patch by LWIC.
Revision history:
2019-03-17 14:24:42 UTC Initial Report
2022-08-08 12:16:43 UTC Fix Released
2022-09-23 05:00:00 UTC Advisory Released
END
Related news
Ubuntu Security Notice 6857-1 - Joshua Rogers discovered that Squid incorrectly handled requests with the urn: scheme. A remote attacker could possibly use this issue to cause Squid to consume resources, leading to a denial of service. This issue only affected Ubuntu 16.04 LTS. It was discovered that Squid incorrectly handled SSPI and SMB authentication. A remote attacker could use this issue to cause Squid to crash, resulting in a denial of service, or possibly obtain sensitive information. This issue only affected Ubuntu 16.04 LTS.
Debian Linux Security Advisory 5258-1 - Several vulnerabilities were discovered in Squid, a fully featured web proxy cache, which could result in exposure of sensitive information in the cache manager (CVE-2022-41317), or denial of service or information disclosure if Squid is configured to negotiate authentication with the SSPI and SMB authentication helpers (CVE-2022-41318).
Red Hat Security Advisory 2022-6815-01 - Squid is a high-performance proxy caching server for web clients, supporting FTP, Gopher, and HTTP data objects.
Red Hat Security Advisory 2022-6777-01 - Squid is a high-performance proxy caching server for web clients, supporting FTP, Gopher, and HTTP data objects.
Red Hat Security Advisory 2022-6776-01 - Squid is a high-performance proxy caching server for web clients, supporting FTP, Gopher, and HTTP data objects.
Red Hat Security Advisory 2022-6774-01 - Squid is a high-performance proxy caching server for web clients, supporting FTP, Gopher, and HTTP data objects.
Red Hat Security Advisory 2022-6775-01 - Squid is a high-performance proxy caching server for web clients, supporting FTP, Gopher, and HTTP data objects.
An update for the squid:4 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-41318: squid: buffer-over-read in SSPI and SMB authentication
An update for the squid:4 module is now available for Red Hat Enterprise Linux 8.2 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-41318: squid: buffer-over-read in SSPI and SMB authentication
An update for the squid:4 module is now available for Red Hat Enterprise Linux 8.4 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-41318: squid: buffer-over-read in SSPI and SMB authentication
Ubuntu Security Notice 5641-1 - Mikhail Evdokimov discovered that Squid incorrectly handled cache manager ACLs. A remote attacker could possibly use this issue to obtain sensitive information. This issue only affected Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS. It was discovered that Squid incorrectly handled SSPI and SMB authentication. A remote attacker could use this issue to cause Squid to crash, resulting in a denial of service, or possibly obtain sensitive information.