Revision as of 14:46, 2 December 2019


Advisory-SVG-CVE-2019-12526



Title:       EGI SVG 'ADVISORY' **UPDATE** [TLP:WHITE] HIGH risk Vulnerabilities in Squid CVE-2019-12526,  
             CVE-2019-12523 and others [EGI-SVG-CVE-12526]  

Date:        2019-11-13
Updated:     2019-12-02  Updated Version of Frontier Squid available in EGI UMD.


Affected software and risk
==========================

HIGH risk vulnerabilities concerning Squid.

Package : Squid
CVE ID  : CVE-2019-12526, CVE-2019-12523

Several security issues have been found in Squid which have been announced by the Squid team and fixed in release  
4.9 [R 1].

EGI SVG considers a couple of these vulnerabilities to be 'HIGH' risk with the potential of being elevated to 
'CRITICAL' in combination with others.

The ones we consider most serious are [R 2] and [R 3]. 

Many sites in EGI will be using frontier-squid (e.g. from the UMD) instead of the squid version directly available from 
RHEL / CentOS.  

**UPDATE 2019-12-02**

The version of frontier-squid with these vulnerabilities fixed is now available in the EGI UMD.

We also remind sites to keep the Squid host firewall rules and the Squid network ACLs as tight as possible.

Actions required/recommended
============================

**UPDATE 2019-12-02**

Sites are recommended to install a non-vulnerable version of Squid, urgently if they have not yet taken mitigating 
action after the previous advisory.
 
Component installation information
==================================

The official repository for the distribution of grid middleware for EGI sites is 
repository.egi.eu which contains the EGI Unified Middleware Distribution (UMD).
 
Sites using the EGI UMD 4 should see:

http://repository.egi.eu/category/umd_releases/distribution/umd-4/

The fixed version of Squid is part of the UMD-4.9.0 release.

http://repository.egi.eu/2019/11/26/release-umd-4-9-0/

The fixed version is available from the Squid team [R 1] 

frontier-squid-4.9-2.1 has been released in the CERN distribution [R 4] 

Other Mitigating action
=======================

For those using squid directly from Red Hat or CentOS, note that Red Hat is not planning to apply all of the patches.  
As a permanent mitigation for CVE-2019-12526 [R 5] they recommend adding the following configuration lines:

	acl URN proto URN
	http_access deny URN

Squid evaluates http_access rules in order and stops at the first match, so the deny line must be placed before any 
http_access allow rule that could otherwise match a URN request from a client.



OSG Security team information
=============================

Multiple vulnerabilities have been publicly announced affecting all current versions of frontier-squid-3.* and 
frontier-squid-4.*, including one that potentially permits remote code execution and another that permits bypassing 
access controls. An upgraded package is being prepared, but meanwhile a workaround is available to block the remote code 
execution vulnerability. All sites are encouraged to apply the workaround, especially those that are not blocked from 
the internet by a firewall, and to watch for a further announcement on the availability of a new frontier-squid version.

IMPACTED VERSIONS:

All frontier-squid-3.* and frontier-squid-4.* versions through frontier-squid-4.8-2.1. 
frontier-squid-2.* versions don't have these vulnerabilities but they are deprecated.

WHAT ARE THE VULNERABILITIES:

Vulnerability SQUID-2019:7 [1] describes a potential heap overflow in the URN (Universal Resource Name) handling code 
that can potentially lead to remote code execution or crash. This feature is not used by OSG clients but is enabled by 
default. A workaround to disable it is below.

Vulnerability SQUID-2019:8 [2] describes several issues with URI (Universal Resource Identifier) processing that permit 
remote clients to bypass access controls or deny service to other clients. It discusses a workaround for a third issue 
enabling access to manager services, but that workaround is already in place by default.

Three other vulnerabilities were announced at the same time but they are not applicable to the OSG.

WHAT YOU SHOULD DO:

Add these lines to /etc/squid/customize.sh and restart the frontier-squid service, especially if your squid is accessible to the internet:

insertline("# INSERT YOUR OWN RULE", "acl URN proto URN")

insertline("# INSERT YOUR OWN RULE", "http_access deny URN")

Watch for a followup announcement of the availability of frontier-squid-4.9.

REFERENCES

[1] http://www.squid-cache.org/Advisories/SQUID-2019_7.txt
[2] http://www.squid-cache.org/Advisories/SQUID-2019_8.txt

Please contact the OSG security team at security@opensciencegrid.org if you have any questions or concerns. 

OSG Security Team
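
The following is an added example and is not part of the EGI or OSG advisory text, nor of the frontier-squid package. 
Both the Red Hat mitigation above and the OSG customize.sh workaround rely on the same two squid.conf lines, and both 
only work if the deny is reached before an allow rule matches the request (Squid's http_access list is first-match). 
The small Python checker below parses the acl and http_access lines of a squid.conf, finds every ACL of type proto 
that includes URN (whatever the ACL is named), and reports whether such an ACL is denied and which allow rules precede 
the deny. The three sample configurations are constructed for illustration and are not taken from any real site.

```python
"""
Checker for the Squid URN-blocking workaround (added example, not from the advisory).

Squid evaluates http_access lines top to bottom and the first line whose ACL
terms all match decides the request, so "http_access deny URN" only protects a
proxy if it precedes every allow rule that could match a URN request.
"""


def parse_squid_conf(text):
    """Return (acls, rules) from squid.conf text.

    acls  : dict acl_name -> list of (acl_type, [values]), one entry per acl line
    rules : list of (action, [terms]) for every http_access line, in file order
    Comments (#...) and blank lines are dropped; other directives are ignored.
    """
    acls = {}
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl" and len(parts) >= 4:
            acls.setdefault(parts[1], []).append((parts[2], parts[3:]))
        elif parts[0] == "http_access" and len(parts) >= 3:
            rules.append((parts[1], parts[2:]))
    return acls, rules


def urn_acl_names(acls):
    """Names of every ACL of type 'proto' whose value list includes URN."""
    return {
        name
        for name, defs in acls.items()
        for acl_type, values in defs
        if acl_type.lower() == "proto" and any(v.upper() == "URN" for v in values)
    }


def urn_workaround_status(conf_text):
    """Classify the URN workaround in a squid.conf.

    Returns (status, preceding_allows) where status is one of
      "missing"     : no 'acl <name> proto URN', or no http_access deny of it
      "active"      : the deny is reached before any http_access allow rule
      "check_order" : the deny exists but allow rules precede it; they are
                      listed so the operator can confirm none of them matches
                      a URN request (an 'allow localnet' line would)
    Only a deny whose sole, non-negated term is a URN ACL counts; a line such
    as 'http_access deny URN localnet' restricts the block to one source.
    """
    acls, rules = parse_squid_conf(conf_text)
    urn_names = urn_acl_names(acls)
    preceding_allows = []
    for action, terms in rules:
        if action == "deny" and len(terms) == 1 and terms[0] in urn_names:
            status = "active" if not preceding_allows else "check_order"
            return status, preceding_allows
        if action == "allow":
            preceding_allows.append(" ".join([action] + terms))
    return "missing", []


# Constructed sample configurations (not from any real site). GOOD_CONF places
# the workaround at the "INSERT YOUR OWN RULE" marker, before the allow rules.
GOOD_CONF = """\
acl localnet src 10.0.0.0/8
acl Safe_ports port 80 443 8000
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !Safe_ports
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
acl URN proto URN
http_access deny URN
http_access allow localnet
http_access allow localhost
http_access deny all
"""

# The same two lines appended at the end: never reached for localnet clients.
SHADOWED_CONF = """\
acl localnet src 10.0.0.0/8
http_access allow localnet
http_access allow localhost
http_access deny all
acl URN proto URN
http_access deny URN
"""

UNPATCHED_CONF = """\
acl localnet src 10.0.0.0/8
http_access allow localnet
http_access deny all
"""

if __name__ == "__main__":
    for label, conf in [("good", GOOD_CONF), ("shadowed", SHADOWED_CONF),
                        ("unpatched", UNPATCHED_CONF)]:
        print(label, urn_workaround_status(conf))
```

Run it against a real configuration with `urn_workaround_status(open("/etc/squid/squid.conf").read())`; a result of 
"check_order" is not necessarily wrong, but every listed allow rule should be one that cannot match a URN request.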



TLP and URL
===========

** WHITE information - Unlimited distribution 
  - see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **   

URL:   https://wiki.egi.eu/wiki/SVG:Advisory-SVG-CVE-2019-12526    

Minor updates may be made without re-distribution to the sites


Comments
========

Comments or questions should be sent to svg-rat  at  mailman.egi.eu

If you find or become aware of another vulnerability which is relevant to EGI you may report it by e-mail to  

report-vulnerability at egi.eu
 
the EGI Software Vulnerability Group will take a look according to the procedure defined in [R 6]  

Note that this is undergoing revision to fully handle vulnerabilities in the EOSC-hub era. 


References
==========

[R 1] http://squid-web-proxy-cache.1019090.n4.nabble.com/squid-announce-Squid-4-9-is-available-td4688506.html

[R 2] http://www.squid-cache.org/Advisories/SQUID-2019_7.txt

[R 3] http://www.squid-cache.org/Advisories/SQUID-2019_8.txt

[R 4] https://twiki.cern.ch/twiki/bin/view/Frontier/InstallSquid

[R 5] https://access.redhat.com/security/cve/CVE-2019-12526

[R 6] https://documents.egi.eu/public/ShowDocument?docid=3145

Credit
======

SVG was alerted to this vulnerability by Dave Dykstra from the OSG security team.

Information provided by Dave Dykstra and Mike Stanfield and the OSG security team. 

Timeline  
========

2019-11-08 SVG alerted to this issue by Dave Dykstra after announcement by Squid team
2019-11-11 Investigation of vulnerability and relevance to EGI carried out 
2019-11-12 EGI SVG Risk Assessment completed
2019-11-13 Advisory sent to sites
2019-12-02 Advisory updated as fixed version is in UMD 4.9.0 and set to [WHITE]

Context
=======

This advisory has been prepared as part of the effort to fulfil EGI SVG's purpose 
"To minimize the risk to the EGI infrastructure arising from software vulnerabilities"

The risk is that assessed by the group, according to the EGI SVG issue handling procedure [R 6],  
in the context of how the software is used in the EGI infrastructure. 
It is the opinion of the group; we do not guarantee it to be correct. 
The risk may also be higher or lower in other deployments depending on how the software is used.   

Others may re-use this information provided they:-

1) Respect the provided TLP classification

2) Credit the EGI https://www.egi.eu/ Software Vulnerability Group

Also in this case if re-using the OSG information please credit OSG. 

Note that the SVG issue handling procedure is currently under review, to take account of the increasing 
inhomogeneity of the EGI infrastructure and the services in the EOSC-hub catalogue.

On behalf of the EGI SVG,