Fleximus Blog
Due to incorrect data validation Squid is vulnerable to a denial of service attack when processing specially crafted DNS packets.

Vulnerable versions

Squid installations still using the obsolete dnsserver helper are not vulnerable.

The ignore_unknown_nameservers option affects the severity of this vulnerability. When it is set to "on" (the default), the risk is low; when it is set to "off", the risk is increased. All unpatched Squid-3.0 versions up to and including 3.0.STABLE21 are vulnerable. All unpatched Squid-3.1 versions up to and including 3.1.0.15 are vulnerable. All unpatched Squid-2.x versions are vulnerable.

Workarounds

All of the following steps are required to protect a vulnerable Squid from this and other forms of DNS attack.

  • Ensuring that ignore_unknown_nameservers is turned on.
  • Ensuring that DNS packets cannot be sent to Squid from untrusted nameservers or other machines.

The most secure implementation of these requirements is to use a nameserver running on the localhost IP, dedicated for secure use by Squid and any other services on the Squid machine.
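The configuration half of the workaround above can be checked mechanically. The following is an added example written for this post, not code from the Squid project or the advisory: it parses a squid.conf fragment, applies the advisory's default of ignore_unknown_nameservers being "on", and flags the two weak conditions the advisory names (the option turned off, and resolvers that are not on the loopback address). The two configuration fragments are constructed for illustration, and the parser assumes the last occurrence of a directive wins, as it does for Squid's single-valued directives.

```python
import ipaddress

# Constructed squid.conf fragments (not from the advisory).
# The first one widens the attack surface described in SQUID-2010_1.
WEAK_CONF = """\
# constructed example: accepts replies from anyone, uses remote resolvers
http_port 3128
ignore_unknown_nameservers off
dns_nameservers 192.0.2.53 198.51.100.53
"""

# The second one follows the advisory's workaround: a resolver on
# localhost only, and replies from unknown nameservers ignored.
HARDENED_CONF = """\
# constructed example: hardened per the advisory
http_port 3128
ignore_unknown_nameservers on
dns_nameservers 127.0.0.1
"""


def parse_directives(conf_text):
    """Return {directive: last value} from a squid.conf fragment.

    Comments (from '#' to end of line) and blank lines are skipped.
    Later occurrences override earlier ones (assumption: Squid keeps the
    last value of a single-valued directive).
    """
    directives = {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        name = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        directives[name] = value
    return directives


def is_loopback(addr):
    """True only for a loopback IP literal (127.0.0.0/8 or ::1)."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # hostnames or malformed values are not loopback


def audit_dns_config(conf_text):
    """Report the DNS-related settings the advisory's workaround depends on."""
    d = parse_directives(conf_text)
    issues = []

    # Advisory: the default is "on"; "off" raises the risk.
    ignore = d.get("ignore_unknown_nameservers", "on").lower()
    if ignore != "on":
        issues.append("ignore_unknown_nameservers is off: "
                      "replies from any source are accepted")

    # Advisory: the safest setup is a resolver on the localhost IP.
    servers = d.get("dns_nameservers", "").split()
    if not servers:
        issues.append("dns_nameservers not set: resolvers come from "
                      "/etc/resolv.conf, check them there")
    else:
        remote = [s for s in servers if not is_loopback(s)]
        if remote:
            issues.append("non-loopback resolvers configured: "
                          + ", ".join(remote))

    return {
        "ignore_unknown_nameservers": ignore,
        "dns_nameservers": servers,
        "issues": issues,
    }


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        result = audit_dns_config(conf)
        print(label, "->", result["issues"] or ["no issues found"])
```

Run against a real file with `audit_dns_config(open("/etc/squid/squid.conf").read())`. Note what the check cannot see: the advisory's second requirement, that DNS packets from untrusted machines never reach Squid, lives in the host firewall rather than in squid.conf, so a clean report here covers only the configuration half of the workaround.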

Link to full advisory

http://www.squid-cache.org/Advisories/SQUID-2010_1.txt