Signature Detail

DNS: Squid Proxy Malformed DNS Pointer Response DoS

This signature detects attempts to exploit a known vulnerability in the open-source Squid HTTP proxy. When Squid looks up a domain name in DNS for a connection to proxy, a malicious DNS server can return a malformed DNS response to crash Squid. Attackers can send a URL to users, enticing them to visit the Web page (or other Internet resource) through the user's proxy. When a user attempts to view the resource, the malicious DNS server sends the malformed packet and crashes the proxy server.

Extended Description

A remote denial-of-service vulnerability is reported to exist in Squid. The issue is reported to present itself when the affected server performs a Fully Qualify Domain Name (FQDN) lookup and receives an unexpected response. The vendor reports that under the above circumstances, the affected service will crash due to an assertion error, effectively denying service to legitimate users.

Affected Products

• Red_hat advanced_workstation_for_the_itanium_processor 2.1.0
• Red_hat advanced_workstation_for_the_itanium_processor 2.1.0 IA64
• Red_hat application_server_ws 3
• Red_hat enterprise_linux_as 2.1
• Red_hat enterprise_linux_as 2.1 IA64
• Red_hat enterprise_linux_es 2.1
• Red_hat enterprise_linux_es 2.1 IA64
• Red_hat fedora Core1
• Red_hat fedora Core2
• Red_hat linux 7.3.0 I386
• Red_hat linux 9.0.0 I386
• Sgi propack 3.0.0
• Squid web_proxy_cache 2.5.0 .STABLE1
• Squid web_proxy_cache 2.5.0 .STABLE3
• Squid web_proxy_cache 2.5.0 .STABLE4
• Squid web_proxy_cache 2.5.0 .STABLE5
• Squid web_proxy_cache 2.5.0 .STABLE6
• Squid web_proxy_cache 2.5.0 .STABLE7
• Squid web_proxy_cache 2.5.0 .STABLE8
• Ubuntu ubuntu_linux 4.1.0 Ia32
• Ubuntu ubuntu_linux 4.1.0 Ia64
• Ubuntu ubuntu_linux 4.1.0 Ppc

References

• BugTraq: 12551
• CVE: CVE-2005-0446
• URL: http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE8-dns_assert
• URL: http://www.redhat.com/support/errata/RHSA-2005-201.html