Comment 1 for bug 1952158

Sergio Durigan Junior (sergiodj) wrote:

Thank you for taking the time to file a bug report.

I noticed that the latest update of the squid3 package on Bionic was a security fix that touched exactly the WCCP code:

squid3 (3.5.27-1ubuntu1.12) bionic-security; urgency=medium

  * SECURITY UPDATE: information disclosure via OOB read in WCCP protocol
    - debian/patches/CVE-2021-28116.patch: validate packets better in
      src/wccp2.cc.
    - CVE-2021-28116

 -- Marc Deslauriers <email address hidden> Mon, 04 Oct 2021 08:32:25 -0400

I'm trying to understand here how to reproduce this bug. I don't have access to Cisco hardware, and I'm not an expert on WCCP (far from it).

Given the description of the changelog entry above, I would double check to see if your Cisco hardware is properly configured and running the latest version of its firmware/software.

Based on the logs you posted, the following is one of the assertions that is failing on squid:

  Must(ntohl(wccp2_i_see_you.type) == WCCP2_I_SEE_YOU);

This means that the packet received by squid doesn't have the expected type, apparently. This check wasn't here before the patch.

This is another assertion that is failing:

         case WCCP2_SECURITY_INFO:
             Must(!security_info); // <----- THIS ASSERTION HERE
             SetField(security_info, itemHeader, itemHeader, itemSize,
                      "security definition truncated");
             break;

This case statement has been rewritten, and the assertion is now in place there.

In fact, this whole function has been overhauled and is quite different from what it was before this latest squid3 version. I am not sure if what you're seeing is in fact a bug in squid, or is actually squid being more careful regarding what it accepts as WCCP packets.

Either way, I would need a way to reproduce this error locally in order to further investigate it. Could you please provide some help in this regard? It would also be great if you could try squid from newer Ubuntu releases to see if you can reproduce this problem.

I am setting this as Incomplete for now.
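The two assertions quoted in the comment above are instances of a general pattern the hardened parser follows: check the message type, never read an item past the declared length of the datagram, and accept each mandatory item exactly once. The following is an added illustration written for this page, not code from squid's src/wccp2.cc, the CVE-2021-28116 patch, or the bug reporter. It assumes the WCCPv2 wire layout from the draft specification (an 8-byte message header of type, version 0x200 and body length, followed by items with a 2-byte type and 2-byte length) and the type codes WCCP2_HERE_I_AM = 10, WCCP2_I_SEE_YOU = 11 and item codes 0, 1, 2 and 4; confirm those against the enums in wccp2.cc before relying on them. The sample datagrams are constructed with zero-filled item bodies purely to exercise the checks.

```cpp
#include <cstdint>
#include <cstddef>
#include <iostream>
#include <string>
#include <vector>

// Message and item type codes as given in the WCCPv2 draft (assumed here;
// verify against the definitions at the top of squid's src/wccp2.cc).
static const uint32_t WCCP2_HERE_I_AM = 10;
static const uint32_t WCCP2_I_SEE_YOU = 11;
static const uint16_t WCCP2_SECURITY_INFO = 0;
static const uint16_t WCCP2_SERVICE_INFO = 1;
static const uint16_t WCCP2_ROUTER_ID_INFO = 2;
static const uint16_t WCCP2_RTR_VIEW_INFO = 4;
static const uint16_t WCCP2_VERSION = 0x200;
static const size_t WCCP2_HDR_LEN = 8;       // type(4) version(2) length(2)
static const size_t WCCP2_ITEM_HDR_LEN = 4;  // item type(2) item length(2)

struct ParseResult {
    bool ok;
    std::string reason;  // empty when ok
};

// Wire fields are big-endian; read them byte-wise so alignment never matters.
static uint16_t rd16(const std::vector<uint8_t> &p, size_t o) {
    return uint16_t((p[o] << 8) | p[o + 1]);
}
static uint32_t rd32(const std::vector<uint8_t> &p, size_t o) {
    return (uint32_t(rd16(p, o)) << 16) | rd16(p, o + 2);
}

// Validate an I_SEE_YOU datagram the way a careful parser must: wrong message
// type, any item that would read past the datagram, and duplicate or missing
// mandatory items are all rejected before any field is interpreted.
ParseResult parseISeeYou(const std::vector<uint8_t> &pkt) {
    if (pkt.size() < WCCP2_HDR_LEN) return {false, "message header truncated"};
    if (rd32(pkt, 0) != WCCP2_I_SEE_YOU) return {false, "unexpected message type"};
    if (rd16(pkt, 4) != WCCP2_VERSION) return {false, "unexpected protocol version"};
    const size_t bodyLen = rd16(pkt, 6);  // bytes following the header
    if (bodyLen > pkt.size() - WCCP2_HDR_LEN)
        return {false, "declared length exceeds datagram"};  // would be an OOB read

    bool seen[8] = {false};  // indexed by the known item codes (0, 1, 2, 4)
    size_t off = WCCP2_HDR_LEN;
    const size_t end = WCCP2_HDR_LEN + bodyLen;
    while (off < end) {
        if (end - off < WCCP2_ITEM_HDR_LEN) return {false, "item header truncated"};
        const uint16_t itemType = rd16(pkt, off);
        const size_t itemLen = rd16(pkt, off + 2);
        off += WCCP2_ITEM_HDR_LEN;
        if (itemLen > end - off) return {false, "item body truncated"};
        switch (itemType) {
        case WCCP2_SECURITY_INFO:
        case WCCP2_SERVICE_INFO:
        case WCCP2_ROUTER_ID_INFO:
        case WCCP2_RTR_VIEW_INFO:
            // Same rule as Must(!security_info): one copy of each, no more.
            if (seen[itemType]) return {false, "duplicate item " + std::to_string(itemType)};
            seen[itemType] = true;
            break;
        default:
            break;  // item types this example does not model are skipped
        }
        off += itemLen;
    }
    const uint16_t required[] = {WCCP2_SECURITY_INFO, WCCP2_SERVICE_INFO,
                                 WCCP2_ROUTER_ID_INFO, WCCP2_RTR_VIEW_INFO};
    for (uint16_t t : required)
        if (!seen[t]) return {false, "missing mandatory item " + std::to_string(t)};
    return {true, ""};
}

// Constructed test data: append one item with a zero-filled body.
static void addItem(std::vector<uint8_t> &body, uint16_t type, uint16_t bodyLen) {
    body.push_back(type >> 8); body.push_back(type & 0xff);
    body.push_back(bodyLen >> 8); body.push_back(bodyLen & 0xff);
    body.insert(body.end(), bodyLen, 0);
}

// Assemble a datagram; declaredLen lets a caller lie about the body length.
static std::vector<uint8_t> buildMessage(uint32_t type, const std::vector<uint8_t> &body,
                                         int declaredLen = -1) {
    const uint16_t len = declaredLen < 0 ? uint16_t(body.size()) : uint16_t(declaredLen);
    std::vector<uint8_t> pkt = {
        uint8_t(type >> 24), uint8_t(type >> 16), uint8_t(type >> 8), uint8_t(type),
        uint8_t(WCCP2_VERSION >> 8), uint8_t(WCCP2_VERSION), uint8_t(len >> 8), uint8_t(len)};
    pkt.insert(pkt.end(), body.begin(), body.end());
    return pkt;
}

// Sample datagrams covering the failure modes named in the comment above.
static std::vector<uint8_t> goodBody() {
    std::vector<uint8_t> b;
    addItem(b, WCCP2_SECURITY_INFO, 4);
    addItem(b, WCCP2_SERVICE_INFO, 44);
    addItem(b, WCCP2_ROUTER_ID_INFO, 16);
    addItem(b, WCCP2_RTR_VIEW_INFO, 16);
    return b;
}
std::vector<uint8_t> validISeeYou() { return buildMessage(WCCP2_I_SEE_YOU, goodBody()); }
std::vector<uint8_t> wrongType() { return buildMessage(WCCP2_HERE_I_AM, goodBody()); }
std::vector<uint8_t> duplicateSecurity() {
    std::vector<uint8_t> b = goodBody();
    addItem(b, WCCP2_SECURITY_INFO, 4);  // a second security item
    return buildMessage(WCCP2_I_SEE_YOU, b);
}
std::vector<uint8_t> overlongLength() {
    return buildMessage(WCCP2_I_SEE_YOU, goodBody(), 512);  // claims more than is there
}

int main() {
    const struct { const char *name; std::vector<uint8_t> pkt; } cases[] = {
        {"valid", validISeeYou()}, {"wrong type", wrongType()},
        {"duplicate security", duplicateSecurity()}, {"overlong length", overlongLength()}};
    for (const auto &c : cases) {
        ParseResult r = parseISeeYou(c.pkt);
        if (r.ok) std::cout << c.name << ": accepted\n";
        else std::cout << c.name << ": rejected (" << r.reason << ")\n";
    }
    return 0;
}
```

The "wrong type" case is what the first quoted assertion catches, and the "duplicate security" case is what Must(!security_info) catches; the "overlong length" case is the class of malformed input the CVE-2021-28116 fix guards against. A router that emits a HERE_I_AM-typed message on the port squid listens on, or repeats an item, would therefore be rejected by a validating parser even though an older, more permissive one would have accepted it.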