
Signature Detail

Security Intelligence Center

Short Name

HTTP:PROXY:SQUID-NTLM-OF

Severity

Major

Recommended

No

Recommended Action

Drop

Category

HTTP

Keywords

Squid NTLM Authentication Overflow

Release Date

2004/06/23

Update Number

1213

Supported Platforms

idp-4.0+, isg-3.0+, j-series-9.5+, mx-11.4+, srx-12.1+, srx-branch-12.1+, vmx-17.4+, vsrx-12.1+, vsrx3bsd-18.2+

HTTP: Squid NTLM Authentication Overflow

This signature detects attempts to exploit a known vulnerability in Squid Web Proxy, a free Web proxy cache for UNIX systems. Squid Proxy Web Cache 2.5 STABLE6 or 3.0 PRE3 and earlier versions are vulnerable. Attackers can send excessively large NTLM proxy authentication messages to the Squid Web Proxy to overflow the buffer and execute arbitrary code with the proxy's privileges (typically a dedicated user). Other proxy servers (including Squid after 2.5 STABLE6 or 3.0 PRE3) accept long NTLM messages without error. Use this Attack Object only to protect Squid servers 2.5 STABLE5 and earlier; otherwise it will generate a considerable number of non-attack (false-positive) alerts.
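As an added illustration (not part of the Juniper signature or of Squid's own code), the checker below applies the same heuristic this signature relies on to a captured proxy request: decode the NTLM token in the Proxy-Authorization header and flag one that is far larger than a real client would send. The 1024-byte threshold, the header regex and the sample requests are assumptions; as the description notes, the same check will also fire on legitimate long tokens sent to proxies that are not vulnerable.

```python
import base64
import re
import struct

# Assumed threshold (not from the signature): real client NTLM tokens are a
# few hundred bytes, so anything far above that is what the signature keys on.
MAX_NTLM_LEN = 1024
NTLMSSP_SIG = b"NTLMSSP\x00"
HDR_RE = re.compile(rb"^Proxy-Authorization:[ \t]*NTLM[ \t]+([A-Za-z0-9+/=]+)[ \t]*\r?$",
                    re.I | re.M)

def ntlm_tokens(raw_request: bytes):
    """Yield (msg_type, decoded_bytes) per NTLM Proxy-Authorization header; msg_type
    is None when the token is not base64 or lacks the NTLMSSP signature/type field."""
    for m in HDR_RE.finditer(raw_request):
        try:
            blob = base64.b64decode(m.group(1), validate=True)
        except ValueError:
            yield None, b""
            continue
        if len(blob) < 12 or not blob.startswith(NTLMSSP_SIG):
            yield None, blob
            continue
        yield struct.unpack_from("<I", blob, 8)[0], blob  # message type at offset 8

def inspect(raw_request: bytes, max_len: int = MAX_NTLM_LEN):
    """Classify each NTLM token as 'ok', 'oversized' or 'malformed' with its length."""
    findings = []
    for msg_type, blob in ntlm_tokens(raw_request):
        if msg_type is None:
            findings.append(("malformed", len(blob)))
        elif len(blob) > max_len:
            findings.append(("oversized", len(blob)))
        else:
            findings.append(("ok", len(blob)))
    return findings

def build_request(token: bytes) -> bytes:
    """Constructed proxy request carrying one NTLM token (test fixture, assumed format)."""
    return (b"GET http://example.com/ HTTP/1.1\r\nHost: example.com\r\n"
            b"Proxy-Authorization: NTLM " + base64.b64encode(token) + b"\r\n\r\n")

# Constructed fixtures: a minimal Type-1 NEGOTIATE (32 bytes) and a zero-filled
# Type-3-shaped blob far above the threshold.
NEGOTIATE = NTLMSSP_SIG + struct.pack("<I", 1) + struct.pack("<I", 0x00008207) + b"\x00" * 16
OVERSIZED = NTLMSSP_SIG + struct.pack("<I", 3) + b"\x00" * 2000

if __name__ == "__main__":
    print(inspect(build_request(NEGOTIATE)))   # [('ok', 32)]
    print(inspect(build_request(OVERSIZED)))   # [('oversized', 2012)]
```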

Extended Description

Squid is reported to be susceptible to a denial of service vulnerability in its NTLM authentication module. The vulnerability presents itself when attacker-supplied input data is passed to the affected NTLM module without proper sanitization, allowing an attacker to crash the NTLM helper application. Squid respawns new helper applications, but under a sustained, repeating attack it is likely that proxy authentication depending on the NTLM helper application would fail. Failure of NTLM authentication would result in Squid denying access to legitimate users of the proxy. Squid versions 2.x and 3.x are all reported to be vulnerable to this issue. A patch is available from the vendor.

Affected Products

  • Gentoo linux 1.4.0
  • Mandriva linux_mandrake 10.0.0
  • Mandriva linux_mandrake 10.0.0 amd64
  • Mandriva linux_mandrake 9.2.0
  • Mandriva linux_mandrake 9.2.0 amd64
  • Red_hat fedora Core1
  • Red_hat fedora Core2
  • Red_hat linux 7.3.0 I386
  • Red_hat linux 9.0.0 I386
  • Squid web_proxy_cache 2.0.0 PATCH2
  • Squid web_proxy_cache 2.1.0 PATCH2
  • Squid web_proxy_cache 2.3.0 .STABLE5
  • Squid web_proxy_cache 2.4.0
  • Squid web_proxy_cache 2.4.0 .STABLE7
  • Squid web_proxy_cache 2.5.0 .STABLE1
  • Squid web_proxy_cache 2.5.0 .STABLE3
  • Squid web_proxy_cache 2.5.0 .STABLE4
  • Squid web_proxy_cache 2.5.0 .STABLE5
  • Squid web_proxy_cache 2.5.0 .STABLE6
  • Squid web_proxy_cache 3.0.0 PRE1
  • Squid web_proxy_cache 3.0.0 PRE2
  • Squid web_proxy_cache 3.0.0 PRE3
  • Trustix secure_enterprise_linux 2.0.0
  • Trustix secure_linux 2.0.0
  • Trustix secure_linux 2.1.0
  • Ubuntu ubuntu_linux 4.1.0 Ia32
  • Ubuntu ubuntu_linux 4.1.0 Ia64
  • Ubuntu ubuntu_linux 4.1.0 Ppc

References

  • BugTraq: 14977
  • BugTraq: 11098
  • CVE: CVE-2004-0541
  • CVE: CVE-2005-2917
  • CVE: CVE-2005-0097
  • URL: http://www.ciac.org/ciac/bulletins/o-168.shtml
  • URL: http://www.us-cert.gov/cas/bulletins/SB04-315.html

Copyright © 1999-2010 Juniper Networks, Inc. All rights reserved.