[arch-security] [ASA-201505-1] squid: weak certificate validation

Levente Polyak anthraxx at archlinux.org
Fri May 1 22:43:05 UTC 2015 

Arch Linux Security Advisory ASA-201505-1
=========================================

Severity: High
Date    : 2015-05-01
CVE-ID  : CVE-2015-3455
Package : squid
Type    : weak certificate validation
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package squid before version 3.5.4-1 is vulnerable to weak
certificate validation.

Resolution
==========

Upgrade to 3.5.4-1.

# pacman -Syu "squid>=3.5.4-1"

The problem has been fixed upstream in version 3.5.4.

Workaround
==========

Upgrade the squid.conf settings to use a "ssl_bump peek" operation
before the "bump" operation.

NOTE that this workaround does not resolve the vulnerability, but allow
Squid to relay (or mimic) the invalid certificate to clients and depends
on validation in the client.

Alternatively remove from squid.conf (and include'd files) any ssl_bump
directives.

Description
===========

The flaw allows remote servers to bypass client certificate validation.
Some attackers may also be able to use valid certificates for one domain
signed by a global Certificate Authority to abuse an unrelated domain.
However, the bug is exploitable only if you have configured Squid to
perform SSL Bumping with the "client-first" or "bump" mode of operation.
Sites that do not use SSL-Bump are not vulnerable.

Impact
======

A remote attacker is able to bypass client certificate validation, as a
result malicious server responses can wrongly be presented through the
proxy to clients as secure authenticated HTTPS responses.

References
==========

http://www.squid-cache.org/Advisories/SQUID-2015_1.txt
http://www.openwall.com/lists/oss-security/2015/04/30/2
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3455

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/arch-security/attachments/20150502/824152db/attachment.asc>

More information about the arch-security mailing list