Signature Detail

Short Name: HTTP:PROXY:SQUID-NTLM-OF

Severity: High

Recommended: No

Recommended Action: Drop

Category: HTTP

Keywords: Squid NTLM Authentication Overflow

Release Date: 2004/06/23

Update Number: 1213

Supported Platforms: idp-4.0+, isg-3.0+, j-series-9.5+, mx-9.4+, srx-9.2+, srx-branch-9.4+, vsrx-12.1+

HTTP: Squid NTLM Authentication Overflow

This signature detects attempts to exploit a known vulnerability in Squid Web Proxy, a free Web proxy cache for UNIX systems. Squid Proxy Web Cache 2.5 STABLE6 or 3.0 PRE3 and earlier versions are vulnerable. Attackers can send excessively large NTLM proxy authentication messages to the Squid Web Proxy to overflow a buffer and execute arbitrary code with the privileges of the proxy process (typically a dedicated user). Other proxy servers (including Squid after 2.5 STABLE6 or 3.0 PRE3) accept long NTLM messages without error. Use this Attack Object only to protect Squid servers 2.5 STABLE5 and earlier; otherwise it will generate a considerable number of non-attack alerts.
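The following is an added illustration of the detection logic this signature describes, written for this page and not Juniper's or Squid's own code. It parses an HTTP request, locates a `Proxy-Authorization: NTLM` header, base64-decodes the token and flags it when the decoded NTLM message exceeds a size limit. The limit (`MAX_NTLM_MESSAGE_BYTES`), the `NTLMSSP` signature check, and the two sample requests are constructed assumptions for the example; the page gives no exact size threshold. As the description above notes, such a check should be applied only in front of vulnerable Squid builds, since other proxies accept long NTLM messages legitimately.

```python
import base64
import binascii
import re

# Constructed threshold (an assumption for this example, not a value from the
# signature page): decoded NTLM message size above which a request is flagged.
MAX_NTLM_MESSAGE_BYTES = 2048

# Well-formed NTLM messages start with this signature (part of the NTLMSSP format).
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"

HEADER_RE = re.compile(r"^Proxy-Authorization:\s*NTLM\s+(\S+)\s*$", re.IGNORECASE)


def parse_headers(raw):
    """Split a raw HTTP request into (request_line, list_of_header_lines)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    return lines[0], lines[1:]


def ntlm_message_length(header_line):
    """Decoded NTLM token length for a Proxy-Authorization NTLM header.

    Returns None if the line is not such a header, -1 if the token is not valid
    base64 or lacks the NTLMSSP signature, otherwise the decoded length in bytes.
    """
    m = HEADER_RE.match(header_line)
    if not m:
        return None
    try:
        token = base64.b64decode(m.group(1), validate=True)
    except (binascii.Error, ValueError):
        return -1
    if not token.startswith(NTLMSSP_SIGNATURE):
        return -1
    return len(token)


def inspect_request(raw, limit=MAX_NTLM_MESSAGE_BYTES):
    """Return a list of (finding, request_line, decoded_length) for one raw request."""
    request_line, headers = parse_headers(raw)
    findings = []
    for line in headers:
        n = ntlm_message_length(line)
        if n is None:
            continue                      # not an NTLM proxy-auth header
        if n < 0:
            findings.append(("malformed-ntlm-token", request_line, n))
        elif n > limit:
            findings.append(("oversized-ntlm-token", request_line, n))
    return findings


def build_request(token_bytes):
    """Construct a minimal proxied GET carrying the given NTLM token (sample data)."""
    b64 = base64.b64encode(token_bytes).decode("ascii")
    return (b"GET http://example.invalid/ HTTP/1.1\r\n"
            b"Host: example.invalid\r\n"
            b"Proxy-Authorization: NTLM " + b64.encode("ascii") + b"\r\n\r\n")


# Constructed samples: a small, well-formed Type 1 message and an oversized one.
BENIGN_REQUEST = build_request(NTLMSSP_SIGNATURE + b"\x01\x00\x00\x00" + b"\x00" * 20)
OVERSIZED_REQUEST = build_request(NTLMSSP_SIGNATURE + b"\x01\x00\x00\x00" + b"A" * 4096)

if __name__ == "__main__":
    for name, req in (("benign", BENIGN_REQUEST), ("oversized", OVERSIZED_REQUEST)):
        print(name, inspect_request(req))
```

Running the block prints an empty finding list for the benign request and one `oversized-ntlm-token` finding for the constructed oversized request. In deployment the threshold would be tuned against observed legitimate NTLM Type 1 and Type 3 message sizes on the network being protected.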

Extended Description

Squid is reported to be susceptible to a denial of service vulnerability in its NTLM authentication module. The vulnerability arises when attacker-supplied input data is passed to the affected NTLM module without proper sanitization, allowing an attacker to crash the NTLM helper application. Squid will respawn new helper applications, but under a sustained, repeated attack it is likely that proxy authentication depending on the NTLM helper would fail. Failure of NTLM authentication would result in Squid denying access to legitimate users of the proxy. Squid versions 2.x and 3.x are all reported to be vulnerable to this issue. A patch is available from the vendor.

Affected Products

  • Gentoo Linux 1.4.0
  • Mandriva Linux Mandrake 10.0.0
  • Mandriva Linux Mandrake 10.0.0 amd64
  • Mandriva Linux Mandrake 9.2.0
  • Mandriva Linux Mandrake 9.2.0 amd64
  • Red Hat Fedora Core1
  • Red Hat Fedora Core2
  • Red Hat Linux 7.3.0 I386
  • Red Hat Linux 9.0.0 I386
  • Squid Web Proxy Cache 2.0.0 PATCH2
  • Squid Web Proxy Cache 2.1.0 PATCH2
  • Squid Web Proxy Cache 2.3.0 .STABLE5
  • Squid Web Proxy Cache 2.4.0
  • Squid Web Proxy Cache 2.4.0 .STABLE7
  • Squid Web Proxy Cache 2.5.0 .STABLE1
  • Squid Web Proxy Cache 2.5.0 .STABLE3
  • Squid Web Proxy Cache 2.5.0 .STABLE4
  • Squid Web Proxy Cache 2.5.0 .STABLE5
  • Squid Web Proxy Cache 2.5.0 .STABLE6
  • Squid Web Proxy Cache 3.0.0 PRE1
  • Squid Web Proxy Cache 3.0.0 PRE2
  • Squid Web Proxy Cache 3.0.0 PRE3
  • Trustix Secure Enterprise Linux 2.0.0
  • Trustix Secure Linux 2.0.0
  • Trustix Secure Linux 2.1.0
  • Ubuntu Ubuntu Linux 4.1.0 Ia32
  • Ubuntu Ubuntu Linux 4.1.0 Ia64
  • Ubuntu Ubuntu Linux 4.1.0 Ppc

References

  • BugTraq: 14977
  • BugTraq: 11098
  • CVE: CVE-2005-0097
  • CVE: CVE-2004-0541
  • CVE: CVE-2005-2917
  • URL: http://www.ciac.org/ciac/bulletins/o-168.shtml
  • URL: http://www.us-cert.gov/cas/bulletins/SB04-315.html

Copyright © 1999-2010 Juniper Networks, Inc. All rights reserved.