| Short Name | HTTP:PROXY:SQUID-NTLM-OF |
|---|---|
| Severity | Major |
| Recommended | No |
| Recommended Action | Drop |
| Category | HTTP |
| Keywords | Squid NTLM Authentication Overflow |
| Release Date | 2004/06/23 |
| Update Number | 1213 |
| Supported Platforms | idp-4.0+, isg-3.0+, j-series-9.5+, mx-11.4+, srx-12.1+, srx-branch-12.1+, vmx-17.4+, vsrx-12.1+, vsrx3bsd-18.2+ |
This signature detects attempts to exploit a known vulnerability in Squid Web Proxy, a free web proxy cache for UNIX systems. Squid Proxy Web Cache 2.5 STABLE6 or 3.0 PRE3 and earlier versions are vulnerable. Attackers can send excessively large NTLM proxy authentication messages to the Squid Web Proxy to overflow a buffer and execute arbitrary code with the proxy's privileges (typically a dedicated user). Other proxy servers (including Squid versions after 2.5 STABLE6 or 3.0 PRE3) accept long NTLM messages without error, so you should only use this Attack Object to protect Squid servers 2.5 STABLE5 and earlier; otherwise it will generate a considerable number of non-attack alerts.
Squid is also reported to be susceptible to a denial-of-service vulnerability in its NTLM authentication module. The vulnerability occurs when attacker-supplied input is passed to the affected NTLM module without proper sanitization, allowing an attacker to crash the NTLM helper application. Squid respawns new helper applications, but under a sustained, repeating attack, proxy authentication that depends on the NTLM helper would likely fail, and Squid would then deny access to legitimate users of the proxy. Squid versions 2.x and 3.x are all reported to be vulnerable to this issue. A patch is available from the vendor.
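The following is an added example, not part of the signature page or Juniper's detection engine: a small inspector that mirrors the signature's logic by pulling the NTLM token out of a `Proxy-Authorization` header, decoding it, and flagging a request for drop when the decoded message is larger than a size limit. The limit `MAX_NTLM_TOKEN_BYTES`, the request samples, and the helper names are all assumptions constructed for this example.

```python
import base64
import re
from dataclasses import dataclass
from typing import Optional

# Assumed threshold (not taken from the signature page): the NTLM type-1 and
# type-3 messages a real client sends are a few hundred bytes, so a token well
# beyond that is treated as the "excessively large" case the signature targets.
MAX_NTLM_TOKEN_BYTES = 1024

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
PROXY_AUTH_RE = re.compile(
    r"^Proxy-Authorization:\s*NTLM\s+(\S+)\s*$", re.IGNORECASE | re.MULTILINE
)


@dataclass
class Finding:
    decoded_len: int          # bytes after base64 decoding
    has_signature: bool       # token starts with "NTLMSSP\0"
    msg_type: Optional[int]   # 1 = negotiate, 2 = challenge, 3 = authenticate
    verdict: str              # "drop" or "allow", matching the recommended action


def inspect_request(raw_request: str) -> Optional[Finding]:
    """Return a Finding for the first NTLM Proxy-Authorization header, or None."""
    m = PROXY_AUTH_RE.search(raw_request)
    if not m:
        return None
    try:
        token = base64.b64decode(m.group(1), validate=True)
    except ValueError:
        # Not valid base64: the helper would never see a sane message; drop it.
        return Finding(len(m.group(1)), False, None, "drop")
    has_sig = token.startswith(NTLMSSP_SIGNATURE)
    msg_type = int.from_bytes(token[8:12], "little") if len(token) >= 12 else None
    verdict = "drop" if len(token) > MAX_NTLM_TOKEN_BYTES else "allow"
    return Finding(len(token), has_sig, msg_type, verdict)


def ntlm_message(msg_type: int, payload: bytes) -> bytes:
    """Constructed NTLMSSP message: signature, little-endian type, opaque body."""
    return NTLMSSP_SIGNATURE + msg_type.to_bytes(4, "little") + payload


def build_request(token: bytes) -> str:
    """Constructed minimal CONNECT request carrying the NTLM token."""
    b64 = base64.b64encode(token).decode("ascii")
    return ("CONNECT example.net:443 HTTP/1.1\r\n"
            "Host: example.net:443\r\n"
            f"Proxy-Authorization: NTLM {b64}\r\n\r\n")


# Constructed samples: a normal-sized negotiate message and an oversized one.
BENIGN_REQUEST = build_request(ntlm_message(1, b"\x07\x82\x08\x00" + b"\x00" * 20))
OVERSIZED_REQUEST = build_request(ntlm_message(3, b"\x00" * 4000))
```

Running `inspect_request` over the two samples gives an "allow" verdict for the 36-byte negotiate message and "drop" for the 4012-byte one, which is the behaviour to expect from the signature on a vulnerable Squid and the source of non-attack alerts on proxies that legitimately accept long tokens.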