CVE-2014-7141
Published 2014-11-26
Priority: P346, medium; CVSS 2.0: 6.4
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:P
EPSS: 76.06% (99.5th percentile)
The pinger in Squid 3.x before 3.4.8 allows remote attackers to obtain sensitive information or cause a denial of service (out-of-bounds read and crash) via a crafted type in an (1) ICMP or (2) ICMP6 packet.
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | squid | < squid 4.1-1 (bookworm) | squid 4.1-1 (bookworm) |
| squid-cache | squid | — | — |
Detection & IOCs
- The vulnerability is triggered by a crafted ICMP type value in an ICMPv6 packet; the type value is ANDed with 0x7f (limiting it to 0–127) and used as an out-of-bounds array index into icmp6HighPktStr[] (33 entries) or icmp6LowPktStr[] (10 entries). Monitor for anomalous ICMP/ICMPv6 packets with unusual type values directed at the Squid pinger.
- ICMPv4 handling in the pinger is also affected: icmpPktStr[] has only 18 entries, but the 8-bit icmp_type from the received packet is used as an index without validation, allowing an overread of up to (256-18)*sizeof(char*). Detect crafted ICMPv4 replies with type values ≥ 18 sent to the Squid pinger process.
- Only the 'pinger' sub-process of Squid is affected, not the main Squid process; focus crash/DoS detection on the pinger child process rather than the main squid daemon.
- Squid packages shipped with Red Hat Enterprise Linux 5, 6, and 7 (and Fedora) do not build or include the 'pinger' program, so those deployments are not affected even though the vulnerable source code is present.
- The vulnerability was introduced in Squid 3.x; Squid 2.x (shipped with RHEL 5 and earlier) is not affected by the ICMPv6 variant (CVE-2014-7141), though the ICMPv4 OOB read does exist in Squid 2.x.
- The fix for CVE-2014-7141 is in upstream revision 13583; the same commit also fixes the related CVE-2014-7142 (integer underflow in ICMP reply size computation).
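The index arithmetic described in the list above, worked through as an added C example (not Squid's code). The table sizes are the ones quoted on this page; the function names, the "Unknown" fallback, and the assumption that bit 0x80 of the ICMPv6 type selects the high table are illustrative.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Table sizes as quoted on this page. */
enum { ICMP4_STR_COUNT = 18, ICMP6_LOW_STR_COUNT = 10, ICMP6_HIGH_STR_COUNT = 33 };

/* ICMPv4: the raw 8-bit type is the index, so 18..255 fall outside the table. */
int icmp4_type_in_table(uint8_t type) { return type < ICMP4_STR_COUNT; }

/* ICMPv6: the index is type & 0x7f (0..127).
 * Assumption (not stated on the page): bit 0x80 selects the "high" table. */
int icmp6_type_in_table(uint8_t type)
{
    unsigned idx = type & 0x7fu;
    unsigned limit = (type & 0x80u) ? ICMP6_HIGH_STR_COUNT : ICMP6_LOW_STR_COUNT;
    return idx < limit;
}

/* Hardened lookup: a value taken from the wire is checked before it indexes. */
const char *checked_lookup(const char *const *table, size_t count, size_t idx)
{
    return idx < count ? table[idx] : "Unknown";
}

/* Upper bound on the ICMPv4 overread, in bytes: (256-18)*sizeof(char*). */
size_t icmp4_max_overread(void) { return (256 - ICMP4_STR_COUNT) * sizeof(char *); }

/* How many of the 256 possible type values miss the table. */
unsigned count_out_of_table(int (*in_table)(uint8_t))
{
    unsigned n = 0;
    for (unsigned t = 0; t < 256; ++t)
        if (!in_table((uint8_t)t)) ++n;
    return n;
}

int main(void)
{
    /* Constructed three-entry table, only to exercise checked_lookup(). */
    static const char *const demo[] = { "Echo Reply", "Reserved", "Reserved" };
    printf("ICMPv4 types outside table: %u\n", count_out_of_table(icmp4_type_in_table));
    printf("ICMPv6 types outside table: %u\n", count_out_of_table(icmp6_type_in_table));
    printf("ICMPv4 max overread: %zu bytes\n", icmp4_max_overread());
    printf("demo[0]=%s demo[200]=%s\n", checked_lookup(demo, 3, 0), checked_lookup(demo, 3, 200));
    return 0;
}
```

The same in-table predicates can drive a packet filter or log rule that flags type values the pinger has no string for.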
CVSS provenance
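| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 6.4 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:P |
| osv | | 6.4 | MEDIUM | |
| vendor_debian | | 6.4 | MEDIUM | |
| vendor_redhat | | 6.4 | MEDIUM | |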
Ubuntu
Squid vulnerabilities
vendor_ubuntu·2014-11-25
Title: Squid vulnerabilities
Summary: Squid could be made to crash if it received specially crafted network
traffic.
Sebastian Krahmer discovered that the Squid pinger incorrectly handled
certain malformed ICMP packets. A remote attacker could possibly use this
issue to cause Squid to crash, resulting in a denial of service.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
squid: pinger OOB array index flaw in handling of ICMP replies (SQUID-2014:4)
vendor_redhat·2014-09-09·CVSS 6.4
CVE-2014-7141 [MEDIUM] CWE-129 squid: pinger OOB array index flaw in handling of ICMP replies (SQUID-2014:4)
The pinger in Squid 3.x before 3.4.8 allows remote attackers to obtain sensitive information or cause a denial of service (out-of-bounds read and crash) via a crafted type in an (1) ICMP or (2) ICMP6 packet.
Statement: This issue did not affect the versions of squid as shipped with Red Hat Enterprise Linux 5, 6, and 7 as they do not provide the vulnerable program "pinger".
Package: squid (Red Hat Enterprise Linux 4) - Not affected
Package: squid (Red Hat Enterprise Linux 5) - Not affected
Package: squid (Red Hat Enterprise Linux 6) - Not affected
Package: squid (Red Hat Enterprise Linux 7) - Not affected
Debian
CVE-2014-7141: squid - The pinger in Squid 3.x before 3.4.8 allows remote attackers to obtain sensitive...
vendor_debian·2014·CVSS 6.4
The pinger in Squid 3.x before 3.4.8 allows remote attackers to obtain sensitive information or cause a denial of service (out-of-bounds read and crash) via a crafted type in an (1) ICMP or (2) ICMP6 packet.
Scope: local
bookworm: resolved (fixed in 4.1-1)
bullseye: resolved (fixed in 4.1-1)
forky: resolved (fixed in 4.1-1)
sid: resolved (fixed in 4.1-1)
trixie: resolved (fixed in 4.1-1)
GHSA
GHSA-2vjp-6qwj-v6m6: The pinger in Squid 3
ghsa_unreviewed·2022-05-17
The pinger in Squid 3.x before 3.4.8 allows remote attackers to obtain sensitive information or cause a denial of service (out-of-bounds read and crash) via a crafted type in an (1) ICMP or (2) ICMP6 packet.
OSV
CVE-2014-7141: The pinger in Squid 3
osv·2014-11-26·CVSS 6.4
The pinger in Squid 3.x before 3.4.8 allows remote attackers to obtain sensitive information or cause a denial of service (out-of-bounds read and crash) via a crafted type in an (1) ICMP or (2) ICMP6 packet.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2014-7142 squid: pinger incorrect input validation flaw in handling of ICMP replies (SQUID-2014:4)
bugzilla·2014-10-02·CVSS 6.4
Another flaw was reported in the Squid pinger program due to incorrect input validation. This could be used to cause a Denial of Service or information leak when the pinger program processes ICMP or ICMPv6 packets.
While this problem exists in the source code of squid packages as shipped with Red Hat Enterprise Linux 6 and 7, as well as current Fedora releases, the program itself is not built.
Statement:
This issue did not affect the versions of squid as shipped with Red Hat Enterprise Linux 5, 6, and 7 as they do not provide the vulnerable program "pinger".
External References:
http://www.squid-cache.org/Advisories/SQUID-2014_4.txt
Discussion:
Upstream commit:
http://bazaar.la
Bugzilla
CVE-2014-7141 squid: pinger OOB array index flaw in handling of ICMP replies (SQUID-2014:4)
bugzilla·2014-09-09·CVSS 6.4
It was discovered [1] that pinger code that checks for nodes being alive doesn't
properly validate ICMP and ICMPv6 replies, in particular icmp6 types which are used to index into a string array. This could cause crashes when the index is OOB.
CVE requested at [1] too, and a patch is available at [2].
It looks like you can only DoS the pinger sub-system, not the whole squid though.
[1]: http://seclists.org/oss-sec/2014/q3/539
[2]: https://bugzilla.novell.com/show_bug.cgi?id=891268
Discussion:
Created squid tracking bugs for this issue:
Affects: fedora-all [bug 1139721]
---
This issue affects handling of ICMPv6 replies. The code uses an ICMP type value from the received packet, ands the value
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00010.html
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00040.html
http://seclists.org/oss-sec/2014/q3/539
http://seclists.org/oss-sec/2014/q3/612
http://seclists.org/oss-sec/2014/q3/626
http://secunia.com/advisories/60242
http://ubuntu.com/usn/usn-2422-1
http://www.securityfocus.com/bid/69688
http://www.squid-cache.org/Advisories/SQUID-2014_4.txt
https://bugzilla.novell.com/show_bug.cgi?id=891268