Thank you for taking the time to file a bug report.
I noticed that the latest update of the squid3 package on Bionic was a security fix that touched exactly the WCCP code:
squid3 (3.5.27-1ubuntu1.12) bionic-security; urgency=medium

  * SECURITY UPDATE: information disclosure via OOB read in WCCP protocol
    - debian/patches/CVE-2021-28116.patch: validate packets better in
      src/wccp2.cc.
    - CVE-2021-28116

 -- Marc Deslauriers <email address hidden>  Mon, 04 Oct 2021 08:32:25 -0400
I'm trying to understand here how to reproduce this bug. I don't have access to Cisco hardware, and I'm not an expert on WCCP (far from it).
Given the description of the changelog entry above, I would double check to see if your Cisco hardware is properly configured and running the latest version of its firmware/software.
Based on the logs you posted, the following is one of the assertions that is failing on squid:
Must(ntohl(wccp2_i_see_you.type) == WCCP2_I_SEE_YOU);
This means that the packet received by squid doesn't have the expected type, apparently. This check wasn't here before the patch.
This is another assertion that is failing:
case WCCP2_SECURITY_INFO:
    Must(!security_info); // <----- THIS ASSERTION HERE
    SetField(security_info, itemHeader, itemHeader, itemSize,
             "security definition truncated");
    break;
This case statement has been rewritten, and the assertion is now in place there.
In fact, this whole function has been overhauled and is quite different than what it was before this latest squid3 version. I am not sure if what you're seeing is in fact a bug in squid, or is actually squid being more careful regarding what it accepts as WCCP packets.
Either way, I would need a way to reproduce this error locally in order to further investigate it. Could you please provide some help in this regard? It would also be great if you could try squid from newer Ubuntu releases to see if you can reproduce this problem.
I am setting this as Incomplete for now.
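As an added, defender-side illustration of the two checks discussed in the comment above (example code, not squid's wccp2.cc or the Ubuntu patch): a bounds-checked walk over a WCCP2 "I see you" message that rejects a wrong message type, a duplicate security item, and any item that claims more bytes than the buffer holds. The 8-byte message header, 4-byte item header and the two constant values are assumed from the WCCP v2 draft, and the sample packets are constructed.

```c
/* Added example, not squid's code. Wire layout (big-endian) and the
 * constant values below are assumptions taken from the WCCP v2 draft:
 *   message header: type(4) version(2) length(2), then items
 *   item header:    type(2) length(2), then payload           */
#include <stdint.h>
#include <stddef.h>

#define WCCP2_I_SEE_YOU     11  /* assumed message type value */
#define WCCP2_SECURITY_INFO  0  /* assumed item type value    */

enum wccp_verdict { WCCP_OK = 0, WCCP_BAD_TYPE, WCCP_TRUNCATED, WCCP_DUP_SECURITY };

static uint32_t rd32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Every read is checked against len before it happens; the checks mirror
 * Must(ntohl(type) == WCCP2_I_SEE_YOU) and Must(!security_info). */
enum wccp_verdict wccp2_check_i_see_you(const uint8_t *buf, size_t len)
{
    if (len < 8) return WCCP_TRUNCATED;
    if (rd32(buf) != WCCP2_I_SEE_YOU) return WCCP_BAD_TYPE;
    size_t body = rd16(buf + 6);                 /* declared payload length */
    if (body > len - 8) return WCCP_TRUNCATED;   /* header overstates the size */
    const uint8_t *p = buf + 8, *end = buf + 8 + body;
    int seen_security = 0;
    while (p < end) {
        if ((size_t)(end - p) < 4) return WCCP_TRUNCATED;          /* no room for item header */
        uint16_t itype = rd16(p), ilen = rd16(p + 2);
        if (ilen > (size_t)(end - (p + 4))) return WCCP_TRUNCATED; /* item overruns message */
        if (itype == WCCP2_SECURITY_INFO) {
            if (seen_security) return WCCP_DUP_SECURITY;           /* second security item */
            seen_security = 1;
        }
        p += 4 + ilen;
    }
    return WCCP_OK;
}

/* Constructed sample messages (not captured traffic). */
static const uint8_t good_msg[]     = {0,0,0,11, 2,0, 0,12, 0,0,0,4, 1,2,3,4, 0,1,0,0};
static const uint8_t dup_msg[]      = {0,0,0,11, 2,0, 0,16, 0,0,0,4, 1,2,3,4, 0,0,0,4, 5,6,7,8};
static const uint8_t bad_type_msg[] = {0,0,0,10, 2,0, 0,0};
static const uint8_t trunc_msg[]    = {0,0,0,11, 2,0, 0,4, 0,0,0,40};
```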