Bug 1170423 (CVE-2019-12520) - VUL-0: CVE-2019-12520, CVE-2019-12524: squid: Proxy Cache Security Update (SQUID-2019:4)
Summary: VUL-0: CVE-2019-12520, CVE-2019-12524: squid: Proxy Cache Security Update (S...
Status: RESOLVED FIXED
: 1169666 (view as bug list)
Alias: CVE-2019-12520
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Adam Majer
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/257587/
Whiteboard: CVSSv3.1:RedHat:CVE-2019-12520:9.8:(...
Keywords:
Depends on:
Blocks:
 
Reported: 2020-04-24 10:04 UTC by Alexandros Toptsoglou
Modified: 2020-10-21 09:27 UTC (History)
1 user (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
squid_sploit.py (21.09 KB, text/plain)
2020-04-24 16:03 UTC, Marcus Meissner 		Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Alexandros Toptsoglou 2020-04-24 10:04:11 UTC 
__________________________________________________________________

    Squid Proxy Cache Security Update Advisory SQUID-2019:4
__________________________________________________________________

Advisory ID:        SQUID-2019:4
Date:               April 18, 2020
Summary:            Multiple Issues
                    in HTTP Request processing.
Affected versions:  Squid 3.5.18 -> 3.5.28
                    Squid 4.0.10 -> 4.7
Fixed in version:   Squid 4.8
__________________________________________________________________

    http://www.squid-cache.org/Advisories/SQUID-2019_4.txt
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12520
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12524
__________________________________________________________________

Problem Description:

 Due to incorrect URL handling Squid is vulnerable to access
 control bypass, cache poisoning and cross-site scripting attacks
 when processing HTTP Request messages.

__________________________________________________________________

Severity:

 A remote client can deliver crafted URLs to bypass cache manager
 security controls and retrieve confidential details about the
 proxy and traffic it is handling.

 A remote client can deliver crafted URLs which cause arbitrary
 content from one origin server to be stored in cache as URLs
 within another origin. This opens a window of opportunity for
 clients to be tricked into fetching and XSS execution of that
 content via side channels.

__________________________________________________________________

Updated Packages:

 This bug is fixed by Squid version 4.8.

 In addition, patches addressing this problem for the stable
 releases can be found in our patch archives:

Squid 4:
 <http://www.squid-cache.org/Versions/v4/changesets/SQUID-2019_4.patch>

 If you are using a prepackaged version of Squid then please refer
 to the package vendor for availability information on updated
 packages.

__________________________________________________________________

Determining if your version is vulnerable:

 All Squid-2.x are not vulnerable.

 All Squid-3.x up to and including 3.5.17 are not vulnerable.

 All Squid-3.5.18 up to and including 3.5.28 are vulnerable.

 All Squid-4.x up to and including 4.0.9 are not vulnerable.

 All Squid-4.x up to and including 4.7 without HTTPS support are
 not vulnerable.

 All Squid-4.0.10 up to and including 4.7 with HTTPS support are
 vulnerable.

__________________________________________________________________

Workarounds:

 There are no workarounds for Squid-3.5.

 For Squid-4 build using --without-openssl --without-gnutls


__________________________________________________________________

Contact details for the Squid project:

 For installation / upgrade support on binary packaged versions
 of Squid: Your first point of contact should be your binary
 package vendor.

 If your install and build Squid from the original Squid sources
 then the squid-users@lists.squid-cache.org mailing list is your
 primary support point. For subscription details see
 <http://www.squid-cache.org/Support/mailing-lists.html>.

 For reporting of non-security bugs in the latest STABLE release
 the squid bugzilla database should be used
 <http://bugs.squid-cache.org/>.

 For reporting of security sensitive bugs send an email to the
 squid-bugs@lists.squid-cache.org mailing list. It's a closed
 list (though anyone can post) and security related bug reports
 are treated in confidence until the impact has been established.

__________________________________________________________________

Credits:

 This vulnerability was discovered by Jeriko One
 <jeriko.one@gmx.us>.

 Fixed by Amos Jeffries of Treehouse Networks Ltd.

__________________________________________________________________

Revision history:

 2019-05-14 14:56:49 UTC Initial Report
 2019-06-23 15:15:56 UTC Patches Released
 2019-06-05 15:52:17 UTC CVE Assignment
__________________________________________________________________
END
Comment 1 Alexandros Toptsoglou 2020-04-24 10:05:15 UTC 
*** Bug 1169666 has been marked as a duplicate of this bug. ***
Comment 2 Alexandros Toptsoglou 2020-04-24 10:48:18 UTC 
ONLY SLE12-SP2 is affected. All the other codestreams are not affected
Comment 3 Marcus Meissner 2020-04-24 16:03:19 UTC 
Created attachment 836733 [details]
squid_sploit.py

QA REPRODUCER:

squid_sploit.py

from researcher. Did not test it out.
Comment 6 Swamp Workflow Management 2020-05-11 09:29:21 UTC 
SUSE-SU-2020:1227-1: An update that fixes 5 vulnerabilities is now available.

Category: security (important)
Bug References: 1169659,1170313,1170423
CVE References: CVE-2019-12519,CVE-2019-12520,CVE-2019-12521,CVE-2019-12524,CVE-2020-11945
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src):    squid-3.5.21-26.23.1
SUSE OpenStack Cloud 8 (src):    squid-3.5.21-26.23.1
SUSE OpenStack Cloud 7 (src):    squid-3.5.21-26.23.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    squid-3.5.21-26.23.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    squid-3.5.21-26.23.1
SUSE Linux Enterprise Server 12-SP4 (src):    squid-3.5.21-26.23.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    squid-3.5.21-26.23.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    squid-3.5.21-26.23.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    squid-3.5.21-26.23.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    squid-3.5.21-26.23.1
SUSE Enterprise Storage 5 (src):    squid-3.5.21-26.23.1
HPE Helion Openstack 8 (src):    squid-3.5.21-26.23.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 7 Marcus Meissner 2020-08-04 06:35:33 UTC 
released
Comment 9 Swamp Workflow Management 2020-08-24 16:14:57 UTC 
SUSE-SU-2020:14460-1: An update that fixes 21 vulnerabilities is now available.

Category: security (important)
Bug References: 1140738,1141329,1141332,1156323,1156324,1156326,1156328,1156329,1162687,1162689,1162691,1167373,1169659,1170313,1170423,1173304,1173455
CVE References: CVE-2019-12519,CVE-2019-12520,CVE-2019-12521,CVE-2019-12523,CVE-2019-12524,CVE-2019-12525,CVE-2019-12526,CVE-2019-12528,CVE-2019-12529,CVE-2019-13345,CVE-2019-18676,CVE-2019-18677,CVE-2019-18678,CVE-2019-18679,CVE-2019-18860,CVE-2020-11945,CVE-2020-14059,CVE-2020-15049,CVE-2020-8449,CVE-2020-8450,CVE-2020-8517
JIRA References: 
Sources used:
SUSE Linux Enterprise Server 11-SP4-LTSS (src):    squid3-3.1.23-8.16.37.12.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    squid3-3.1.23-8.16.37.12.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    squid3-3.1.23-8.16.37.12.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.