Vigil@nce - Squid cache: access control bypass with CONNECT commands
September 2015 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can send a CONNECT command to a Squid cache, for
instance in order to bypass IP filtering.
Impacted products: Debian, Squid.
Severity: 2/4.
Creation date: 07/07/2015.
DESCRIPTION OF THE VULNERABILITY
The Squid cache product is notably an HTTP cache. It can be used
cascaded with other proxies.
The HTTP command CONNECT is used to create a direct tunnel between
the end client and the end server. In this case, the cache only
forwards TCP data without examining it. This is most often used
to start TLS tunnels. However, Squid does not check whether the
CONNECT command is accepted by the end server or the next cache.
When it is rejected, Squid continues to relay TCP data and so makes
the server believe that it communicates with an ordinary client
whose IP address is that of the Squid host.
An attacker can therefore send a CONNECT command to a Squid cache,
for instance in order to bypass IP filtering.
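The check the bulletin says is missing is the one a cascaded proxy must perform between forwarding CONNECT and switching to raw TCP relay: read the next hop's reply and only open the tunnel on a 2xx status (RFC 7231 section 4.3.6), otherwise return the rejection to the client and close. The following is an added illustration written for this bulletin, not Squid's code or Vigil@nce's; the reply samples are constructed, and the function names are the example's own.

```python
"""Added example (not Squid's or Vigil@nce's code): deciding whether a proxy may
enter tunnel mode after forwarding a CONNECT request to the next hop.

The decision is made on the buffered reply from the upstream (origin server or
parent cache). Only a 2xx status means the CONNECT was accepted; any other
status, or an incomplete reply, must not result in client bytes being relayed
with the proxy's own source IP address."""

import re

# Status line of an HTTP/1.x reply, e.g. b"HTTP/1.1 200 Connection established\r\n"
STATUS_LINE = re.compile(rb"^HTTP/1\.[01] (\d{3})[^\r\n]*\r\n")


def parse_connect_reply(data: bytes):
    """Return (status_code, end_of_header_block) for a buffered upstream reply.

    Returns None while the header block is not complete yet, and raises
    ValueError if the status line is malformed."""
    end = data.find(b"\r\n\r\n")
    if end == -1:
        return None
    match = STATUS_LINE.match(data)
    if match is None:
        raise ValueError("malformed status line from next hop")
    return int(match.group(1)), end + len(b"\r\n\r\n")


def tunnel_decision(data: bytes):
    """Map the next hop's reply to one of three relay actions.

    ("wait", b"")        - header block not complete, keep reading upstream
    ("tunnel", leftover) - 2xx: switch to tunnel mode; bytes after the blank
                           line already belong to the tunnel and go to the client
    ("close", data)      - non-2xx: hand the rejection to the client and close,
                           never start relaying the client's raw TCP data"""
    parsed = parse_connect_reply(data)
    if parsed is None:
        return ("wait", b"")
    status, body_start = parsed
    if 200 <= status < 300:
        return ("tunnel", data[body_start:])
    return ("close", data)


def tunnel_allowed(data: bytes) -> bool:
    """Convenience wrapper: True only when the next hop accepted the CONNECT."""
    return tunnel_decision(data)[0] == "tunnel"


# Constructed sample replies from the next hop (not captured traffic).
ACCEPTED = b"HTTP/1.1 200 Connection established\r\n\r\n"
REJECTED = b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n"
PARTIAL = b"HTTP/1.1 200 Connection est"
# Upstream that already sent tunnel bytes right after its 200 header block.
ACCEPTED_WITH_DATA = ACCEPTED + b"\x16\x03\x01"


if __name__ == "__main__":
    for name, reply in [("accepted", ACCEPTED), ("rejected", REJECTED),
                        ("partial", PARTIAL), ("accepted+data", ACCEPTED_WITH_DATA)]:
        print(name, tunnel_decision(reply))
```

The vulnerable behaviour described in the bulletin corresponds to treating every reply, including the `("close", ...)` case, as `"tunnel"`; the detection angle for an operator is a CONNECT request logged by the parent or origin as rejected while TCP data nonetheless keeps flowing from the Squid host's address.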
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Squid-cache-access-control-bypass-with-CONNECT-commands-17318