
Update Protection against Squid WCCP Message Parsing Denial Of Service


Check Point Reference: CPAI-2005-190
Date Published:
Last Updated:
Source: Secunia Advisory: SA13825
Industry Reference(s): CVE-2005-0095
Protection Provided by: Security Gateway
  • R75
Who is Vulnerable?
Squid Project Squid Web Proxy Cache 2.5-STABLE7 and earlier
Vulnerability Description
Squid is a full featured, open source web proxy caching server. It supports the proxying of a variety of protocols including FTP, Gopher, and HTTP. It also supports the distribution of cached objects through the Web Cache Communication Protocol (WCCP).
Vulnerability Details
A vulnerability exists in the way the Squid web proxy/cache parses a Web Cache Communication Protocol (WCCP) message. A specially crafted WCCP I_SEE_YOU message can trigger a memory access exception. This flaw can be exploited to terminate the vulnerable product, creating a denial of service condition.
In most cases, upon receiving an attack, a Squid proxy will continue without change to its functionality since the invalid web cache field will not trigger a memory read exception. As noted in section 4.1, "Technical Mechanism", an access violation will only occur if the section of memory following the vulnerable array does not contain an integer value less than the IP address of the Squid server.
However, in cases where an unmapped section of memory is encountered before a small integer value, the process will terminate on a read access error, causing a denial of service.
As noted in section 4.1, "Technical Mechanism", the mitigation of this vulnerability will occur in the majority of cases for operating systems supporting the ELF, AOUT or PE executable file format. For operating systems that use a different file format and program image layout, or for the rare case where a non-standard compiler is used, the mitigation factor may not exist. In such a case, an attacker can exploit this flaw to terminate the vulnerable product, creating a denial of service condition.
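The advisory gives neither the message layout nor the fix, so the following C code is an added example, not code from Squid or Check Point. It shows a receiver-side check that stops the cache list walk at the end of the array: the declared cache count is validated against both the array capacity and the datagram length before any address is compared with the server's own. The field offsets, type value 8, the 32-entry capacity and every function name are assumptions based on the WCCPv1 draft layout, and the sample message is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed WCCPv1 layout and limits; none of these values come from the advisory. */
#define WCCP_I_SEE_YOU  8u   /* message type */
#define WCCP_MAX_CACHES 32u  /* capacity of the receiver's fixed cache array */
#define WCCP_HDR_LEN    20u  /* type, version, change, id, number (4 bytes each) */
#define WCCP_ENTRY_LEN  44u  /* ip, revision, 32-byte hash, reserved */

static uint32_t be32(const uint8_t *p) {  /* network-order read, no alignment needs */
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static void put_be32(uint8_t *p, uint32_t v) { p[0] = v >> 24; p[1] = v >> 16; p[2] = v >> 8; p[3] = v; }

/* Return the validated entry count, or -1 if the datagram must be dropped. */
int wccp_entry_count(const uint8_t *buf, size_t len) {
    if (len < WCCP_HDR_LEN || be32(buf) != WCCP_I_SEE_YOU) return -1;
    uint32_t n = be32(buf + 16);
    if (n > WCCP_MAX_CACHES) return -1;                        /* would index past the array */
    if ((len - WCCP_HDR_LEN) / WCCP_ENTRY_LEN < n) return -1;  /* list longer than datagram */
    return (int)n;
}

/* 1 if no listed cache has an address below local_ip, 0 if one does, -1 if rejected. */
int wccp_is_lowest_ip(const uint8_t *buf, size_t len, uint32_t local_ip) {
    int n = wccp_entry_count(buf, len);
    if (n < 0) return -1;
    for (int i = 0; i < n; i++)
        if (be32(buf + WCCP_HDR_LEN + (size_t)i * WCCP_ENTRY_LEN) < local_ip) return 0;
    return 1;
}

/* Constructed sample: header plus one entry listing cache 10.0.0.5. */
size_t wccp_sample(uint8_t *out, uint32_t declared_count) {
    memset(out, 0, WCCP_HDR_LEN + WCCP_ENTRY_LEN);
    put_be32(out, WCCP_I_SEE_YOU);
    put_be32(out + 16, declared_count);
    put_be32(out + WCCP_HDR_LEN, 0x0A000005u);
    return WCCP_HDR_LEN + WCCP_ENTRY_LEN;
}

int main(void) {
    uint8_t msg[WCCP_HDR_LEN + WCCP_ENTRY_LEN];
    printf("count matches datagram: %d\n", wccp_is_lowest_ip(msg, wccp_sample(msg, 1), 0x0A000009u));
    printf("count exceeds datagram: %d\n", wccp_is_lowest_ip(msg, wccp_sample(msg, 2), 0x0A000009u));
    return 0;
}
```

A message that fails the check is dropped before the address comparison loop runs, so the loop never reads beyond the entries actually received.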

Protection Overview
This protection will detect and block attempts to exploit this vulnerability.

In order for the protection to be activated, update your Security Gateway product to the latest IPS update. For information on how to update IPS, go to SBP-2006-05, Protection tab and select the version of your choice.

To configure the defense, select your product from the list below and follow the related protection steps.

Security Gateway R75

How Can I Protect My Network?
1. In the IPS tab, click Protections > By Protocol > IPS Software Blade > Application Intelligence > Proxy Server Protections.
2. In the right pane, double-click the Squid WCCP Message Parsing Denial Of Service protection.
3. In the Protection Details window, click on Edit. Choose the protection's Action (Override IPS Policy with: Prevent/Detect), and apply Additional Settings.
4. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: Proxy Server Enforcement Violation
Attack Information: Squid WCCP message parsing denial of service