Squid Cache DNS Lookup Spoofing Vulnerability

Given the recent attention to all matters of DNS cache
poisoning (real or imagined), I figured this item might
be of interest to the list. I know there's a lot of Squid
Caches out there...

- ferg

[snip]

Via Secunia:
http://secunia.com/advisories/15294/

Secunia Advisory: SA15294
Release Date: 2005-05-11
Impact: Spoofing
Where: From local network
Solution Status: Vendor Patch
Software: Squid 2.x

Description:
A vulnerability has been reported in Squid, which can
be exploited by malicious people to spoof DNS lookups.

The vulnerability is caused due to an unspecified
error in the DNS client when handling DNS responses
and can be exploited to spoof DNS lookups.

The vulnerability has been reported in version 2.5
and prior.

Solution:
Apply patch for version 2.5.STABLE9:
http://www.squid-cache.org/Versi...id-2.5.STABLE9-dns_query-2.patch

Original Advisory:
http://www.squid-cache.org/Versi...ugs/#squid-2.5.STABLE9-dns_query

[snip]

Description:
A vulnerability has been reported in Squid, which can
be exploited by malicious people to spoof DNS lookups.

The vulnerability is caused due to an unspecified
error in the DNS client when handling DNS responses
and can be exploited to spoof DNS lookups.

The Squid description offers slightly more details:

Malicious users may spoof DNS lookups if the DNS client UDP port
(random, assigned by OS at startup) is unfiltered and your network is
not protected from IP spoofing.

(Squid-2.5 Patches)

This probably means that it's not possible to exploit this in a
scalable way, just by manipulating authoritative name server replies.
Most stub resolvers suffer from similar problems. Sometimes this is
an explicit design decision (to keep the code as simple as possible).
It's also not completely fixable because the DNS protocol requires a
16-bit message ID.
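
An added example, not part of the thread and not Squid's code or the referenced patch: the acceptance checks a stub resolver can apply to a UDP reply, given the conditions the Squid description names (client UDP port, IP spoofing) and the 16-bit message ID. The struct layout, function names, addresses and sample bytes are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One outstanding query as a stub resolver might track it (hypothetical layout). */
struct pending_query {
    uint16_t id;             /* 16-bit message ID placed in the query */
    uint32_t server_ip;      /* address the query was sent to */
    uint16_t server_port;    /* normally 53 */
    const uint8_t *question; /* wire-format QNAME + QTYPE + QCLASS as sent */
    size_t question_len;
};
enum verdict { REPLY_OK, BAD_LENGTH, BAD_SOURCE, NOT_A_RESPONSE, BAD_ID, BAD_QUESTION };

static uint8_t fold(uint8_t c) { return (c >= 'A' && c <= 'Z') ? (uint8_t)(c + 32) : c; }
/* Decide whether a received UDP datagram may answer query q. */
enum verdict check_reply(const struct pending_query *q, uint32_t src_ip,
                         uint16_t src_port, const uint8_t *pkt, size_t len)
{
    if (q->question_len < 5 || len < 12 + q->question_len)
        return BAD_LENGTH;                      /* DNS header is 12 bytes */
    if (src_ip != q->server_ip || src_port != q->server_port)
        return BAD_SOURCE;                      /* not the server we asked */
    if (!(pkt[2] & 0x80))
        return NOT_A_RESPONSE;                  /* QR bit clear: this is a query */
    if ((uint16_t)((pkt[0] << 8) | pkt[1]) != q->id)
        return BAD_ID;
    if (((pkt[4] << 8) | pkt[5]) != 1)
        return BAD_QUESTION;                    /* QDCOUNT must be 1 */
    size_t name_len = q->question_len - 4;      /* names compare case-insensitively */
    for (size_t i = 0; i < name_len; i++)
        if (fold(pkt[12 + i]) != fold(q->question[i]))
            return BAD_QUESTION;
    if (memcmp(pkt + 12 + name_len, q->question + name_len, 4) != 0)
        return BAD_QUESTION;                    /* QTYPE and QCLASS must match exactly */
    return REPLY_OK;
}

/* Constructed sample: question "example.com" A IN; reply with ID 0x1a2b, no answers. */
static const uint8_t QUESTION[] = {7,'e','x','a','m','p','l','e',3,'c','o','m',0, 0,1, 0,1};
static const uint8_t REPLY[] = {0x1a,0x2b, 0x81,0x80, 0,1, 0,0, 0,0, 0,0,
    7,'E','x','a','m','p','l','e',3,'c','o','m',0, 0,1, 0,1};

int main(void)
{   /* 0xC0000235 is 192.0.2.53, 0xC6336407 is 198.51.100.7 (documentation ranges) */
    struct pending_query q = {0x1a2b, 0xC0000235u, 53, QUESTION, sizeof QUESTION};
    printf("queried server: %s\n", check_reply(&q, 0xC0000235u, 53, REPLY, sizeof REPLY) ? "drop" : "accept");
    printf("other source:   %s\n", check_reply(&q, 0xC6336407u, 53, REPLY, sizeof REPLY) ? "drop" : "accept");
}
```

These checks only narrow what a forged datagram has to match; the 16-bit ID remains the limit the post describes.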