Vulnerability CVE-2009-2621 - CERT Civis.Net

Vulnerability Name:

CVE-2009-2621 (CCN-52062)

Assigned:

2009-07-27

Published:

2009-07-27

Updated:

2009-08-12

Summary:

Squid 3.0 through 3.0.STABLE16 and 3.1 through 3.1.0.11 does not properly enforce "buffer limits and related bound checks," which allows remote attackers to cause a denial of service via (1) an incomplete request or (2) a request with a large header size, related to (a) HttpMsg.cc and (b) client_side.cc.

CVSS v3 Severity:

5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Low

CVSS v2 Severity:

5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
3.7 Low (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Partial

5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Partial

Vulnerability Type:

Vulnerability Consequences:

Denial of Service

References:

Source: MITRE
Type: CNA
CVE-2009-2621

Source: CCN
Type: SA36007
Squid Multiple Denial of Service Vulnerabilities

Source: SECUNIA
Type: UNKNOWN
36007

Source: CCN
Type: SECTRACK ID: 1022607
Squid Request and Response Processing Bugs Let Remote Users Deny Service

Source: DEBIAN
Type: DSA-1843
squid3 -- several vulnerabilities

Source: MANDRIVA
Type: UNKNOWN
MDVSA-2009:161

Source: MANDRIVA
Type: UNKNOWN
MDVSA-2009:178

Source: CCN
Type: OSVDB ID: 56680
Squid HttpMsg.cc / client_side.cc Malformed Request Remote DoS

Source: BID
Type: UNKNOWN
35812

Source: CCN
Type: BID-35812
Squid Multiple Remote Denial of Service Vulnerabilities

Source: SECTRACK
Type: UNKNOWN
1022607

Source: CCN
Type: SQUID-2009:2
Multiple Denial of service in header processing

Source: CONFIRM
Type: Vendor Advisory
http://www.squid-cache.org/Advisories/SQUID-2009_2.txt

Source: CONFIRM
Type: Patch
http://www.squid-cache.org/Versions/v3/3.1/changesets/b9654.patch

Source: VUPEN
Type: UNKNOWN
ADV-2009-2013

Source: XF
Type: UNKNOWN
squid-http-header-dos(52062)

Vulnerable Configuration:

Configuration 1:

cpe:/a:squid-cache:squid:3.0:*:pre1:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.0:*:pre2:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.0:*:pre3:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.0:*:pre4:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.0:*:pre5:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.0:*:pre6:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.0:*:pre7:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.0:*:stable1:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.0:*:stable10:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.0:*:stable11:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.0:*:stable12:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.0:*:stable13:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.0:*:stable14:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.0:*:stable15:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.0:*:stable2:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.0:*:stable3:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.0:*:stable4:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.0:*:stable5:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.0:*:stable6:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.0:*:stable7:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.0:*:stable8:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.0:*:stable9:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.0:rc1:stable11:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.0:rc4:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.1:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.1.0.1:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.1.0.2:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.1.0.3:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.1.0.4:*:*:*:*:*:*:*

Configuration CCN 1:

cpe:/a:squid-cache:squid:3.0:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.0.stable1:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.0.stable2:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.0.stable3:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.0.stable4:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.1:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.1.4:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.0.stable5:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.0.stable6:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.0.stable7:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.0.stable12:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.0.stable13:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.1.5:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.1.0.11:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.0.stable16:*:*:*:*:*:*:*

AND

cpe:/o:mandrakesoft:mandrake_linux:2008.1:x86_64:*:*:*:*:*:*

OR cpe:/o:mandrakesoft:mandrake_linux:2008.1:*:*:*:*:*:*:*

OR cpe:/o:mandriva:linux:2009.0:*:*:*:*:*:*:*

OR cpe:/o:mandriva:linux:2009.0:-:x86_64:*:*:*:*:*

OR cpe:/o:mandriva:linux:2009.1:*:*:*:*:*:*:*

OR cpe:/o:mandriva:linux:2009.1:*:*:*:x86_64:*:*:*

OR cpe:/o:mandriva:enterprise_server:5:*:*:*:*:*:*:*

OR cpe:/o:mandriva:enterprise_server:5:*:*:*:x86_64:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:20092621	V	CVE-2009-2621	2022-05-20
oval:org.opensuse.security:def:32240	P	Security update for the Linux Kernel (Live Patch 41 for SLE 12 SP3) (Important)	2021-12-14
oval:org.opensuse.security:def:29432	P	Security update for apache2 (Important)	2021-10-06
oval:org.opensuse.security:def:32106	P	Security update for the Linux Kernel (Live Patch 33 for SLE 12 SP3) (Important)	2021-06-04
oval:org.opensuse.security:def:29468	P	Security update for wpa_supplicant (Important)	2021-02-15
oval:org.opensuse.security:def:32020	P	Security update for cyrus-sasl (Important)	2020-12-28
oval:org.opensuse.security:def:28695	P	Security update for gimp	2020-12-01
oval:org.opensuse.security:def:32390	P	Security update for tomcat6 (Moderate)	2020-12-01
oval:org.opensuse.security:def:28086	P	Security update for gd (Moderate)	2020-12-01
oval:org.opensuse.security:def:33520	P	Security update for squid	2020-12-01
oval:org.opensuse.security:def:28750	P	Security update for libmpfr	2020-12-01
oval:org.opensuse.security:def:32633	P	apache2-mod_jk on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:28300	P	Security update for netpbm (Moderate)	2020-12-01
oval:org.opensuse.security:def:32021	P	Security update for kernel-firmware (Moderate)	2020-12-01
oval:org.opensuse.security:def:32738	P	libxcrypt on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:28441	P	Security update for xen (Important)	2020-12-01
oval:org.opensuse.security:def:28010	P	Security update for apache2 (Moderate)	2020-12-01
oval:org.opensuse.security:def:32799	P	tomcat6 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:28646	P	Security update for compat-openssl097g (Moderate)	2020-12-01
oval:org.opensuse.security:def:32333	P	Security update for samba (Moderate)	2020-12-01
oval:org.opensuse.security:def:28022	P	Security update for bind (Important)	2020-12-01
oval:org.opensuse.security:def:33481	P	Security update for libnetpbm	2020-12-01
oval:org.opensuse.security:def:28734	P	Security update for kvm (Important)	2020-12-01
oval:org.opensuse.security:def:32477	P	Security update for zlib (Moderate)	2020-12-01
oval:org.opensuse.security:def:28216	P	Security update for libquicktime (Moderate)	2020-12-01
oval:org.opensuse.security:def:28794	P	Security update for mozilla-nspr, mozilla-nss	2020-12-01
oval:org.opensuse.security:def:32689	P	kdebase3-runtime on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:28357	P	Security update for postgresql94 (Moderate)	2020-12-01
oval:org.opensuse.security:def:32032	P	Security update for the Linux Kernel (Important)	2020-12-01
oval:org.opensuse.security:def:32777	P	python-sssd-config on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:28593	P	Security update for openvpn	2020-12-01
oval:org.opensuse.security:def:28011	P	Security update for apache2 (Moderate)	2020-12-01
oval:org.opensuse.security:def:32843	P	curl on GA media (Moderate)	2020-12-01