Vulnerability CVE-2014-3609 - CERT Civis.Net

Vulnerability Name:

CVE-2014-3609 (CCN-95590)

Assigned:

2014-08-28

Published:

2014-08-28

Updated:

2017-01-07

Summary:

HttpHdrRange.cc in Squid 3.x before 3.3.12 and 3.4.x before 3.4.6 allows remote attackers to cause a denial of service (crash) via a request with crafted "Range headers with unidentifiable byte-range values."

CVSS v3 Severity:

5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Low

CVSS v2 Severity:

5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
3.7 Low (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Partial

5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Partial

5.0 Medium (REDHAT CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
3.7 Low (REDHAT Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Partial

Vulnerability Type:

CWE-20
CWE-228
CWE-617
CWE-617

Vulnerability Consequences:

Denial of Service

References:

Source: MITRE
Type: CNA
CVE-2014-3609

Source: SUSE
Type: UNKNOWN
SUSE-SU-2014:1140

Source: SUSE
Type: UNKNOWN
openSUSE-SU-2014:1144

Source: CCN
Type: RHSA-2014-1147
Important: squid security update

Source: REDHAT
Type: UNKNOWN
RHSA-2014:1147

Source: CCN
Type: RHSA-2014-1148
Important: squid security update

Source: SECUNIA
Type: UNKNOWN
60179

Source: SECUNIA
Type: UNKNOWN
60334

Source: SECUNIA
Type: UNKNOWN
61320

Source: SECUNIA
Type: UNKNOWN
61412

Source: DEBIAN
Type: UNKNOWN
DSA-3014

Source: DEBIAN
Type: UNKNOWN
DSA-3139

Source: CONFIRM
Type: UNKNOWN
http://www.oracle.com/technetwork/topics/security/bulletinjul2015-2511963.html

Source: BID
Type: UNKNOWN
69453

Source: CCN
Type: BID-69453
Squid CVE-2014-3609 Remote Denial of Service Vulnerability

Source: CCN
Type: Squid Proxy Cache Security Update Advisory SQUID-2014:2
Denial of service in request processing

Source: CONFIRM
Type: Vendor Advisory
http://www.squid-cache.org/Advisories/SQUID-2014_2.txt

Source: CONFIRM
Type: UNKNOWN
http://www.squid-cache.org/Versions/v3/3.0/changesets/squid-3.0-9201.patch

Source: UBUNTU
Type: Vendor Advisory
USN-2327-1

Source: CCN
Type: Red Hat Bugzilla Bug 1134209
(CVE-2014-3609) CVE-2014-3609 squid: assertion failure in Range header processing (SQUID-2014:2)

Source: XF
Type: UNKNOWN
squid-cve20143609-dos(95590)

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2014-3609

Vulnerable Configuration:

Configuration 1:

cpe:/a:squid-cache:squid:3.1:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.1.0.1:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.1.0.2:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.1.0.3:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.1.0.4:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.1.0.5:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.1.0.6:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.1.0.7:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.1.0.8:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.1.0.9:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.1.0.10:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.1.0.11:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.1.0.12:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.1.0.13:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.1.0.14:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.1.0.15:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.1.0.16:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.1.0.17:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.1.0.18:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.1.1:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.1.2:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.1.3:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.1.4:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.1.5:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.1.5.1:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.1.6:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.1.7:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.1.8:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.1.9:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.1.10:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.1.11:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.1.12:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.1.13:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.1.14:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.1.15:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.2.0.1:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.2.0.2:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.2.0.3:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.2.0.4:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.2.0.5:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.2.0.6:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.2.0.7:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.2.0.8:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.2.0.9:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.2.0.10:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.2.0.11:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.2.0.12:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.2.0.13:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.2.0.14:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.2.0.15:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.2.0.16:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.2.0.17:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.2.0.18:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.2.0.19:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.2.1:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.2.2:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.2.3:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.2.4:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.2.5:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.2.6:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.2.7:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.2.8:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.2.9:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.2.10:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.2.11:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.2.12:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.3.0:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.3.0.2:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.3.0.3:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.3.1:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.3.2:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.3.3:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.3.4:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.3.5:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.3.6:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.3.7:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.3.8:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.3.9:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.3.10:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.3.11:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.4.0.1:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.4.0.2:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.4.0.3:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.4.1:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.4.2:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.4.3:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.4.4:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.4.5:*:*:*:*:*:*:*

Configuration RedHat 1:

cpe:/o:redhat:enterprise_linux:7:*:*:*:*:*:*:*

Configuration RedHat 2:

cpe:/o:redhat:enterprise_linux:7::server:*:*:*:*:*

Configuration RedHat 3:

cpe:/o:redhat:enterprise_linux:7::workstation:*:*:*:*:*

Configuration RedHat 4:

cpe:/o:redhat:enterprise_linux:5:*:*:*:*:*:*:*

Configuration RedHat 5:

cpe:/o:redhat:enterprise_linux:5::client_workstation:*:*:*:*:*

Configuration RedHat 6:

cpe:/o:redhat:enterprise_linux:5::server:*:*:*:*:*

Configuration RedHat 7:

cpe:/o:redhat:enterprise_linux:6:*:*:*:*:*:*:*

Configuration RedHat 8:

cpe:/o:redhat:enterprise_linux:6::server:*:*:*:*:*

Configuration RedHat 9:

cpe:/o:redhat:enterprise_linux:6::workstation:*:*:*:*:*

Configuration CCN 1:

cpe:/a:squid-cache:squid:3.3:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.4:*:*:*:*:*:*:*

AND

cpe:/o:redhat:enterprise_linux:5:*:*:*:*:*:*:*

OR cpe:/o:redhat:enterprise_linux:5::client_workstation:*:*:*:*:*

OR cpe:/o:redhat:enterprise_linux:6::server:*:*:*:*:*

OR cpe:/o:redhat:enterprise_linux:6::workstation:*:*:*:*:*

OR cpe:/o:redhat:enterprise_linux_server:7:*:*:*:*:*:*:*

OR cpe:/o:redhat:enterprise_linux_workstation:7:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:20143609	V	CVE-2014-3609	2022-05-20
oval:org.opensuse.security:def:30292	P	Security update for apache2 (Important)	2022-01-12
oval:org.opensuse.security:def:26186	P	Security update for libqt4 (Important)	2021-12-22
oval:org.opensuse.security:def:30160	P	Security update for openssh (Important)	2021-12-06
oval:org.opensuse.security:def:32215	P	Security update for qemu (Important)	2021-11-10
oval:org.opensuse.security:def:34560	P	Security update for apache2-mod_auth_openidc (Moderate)	2021-10-12
oval:org.opensuse.security:def:26129	P	Security update for gtk-vnc (Moderate)	2021-09-16
oval:org.opensuse.security:def:32128	P	Security update for the Linux Kernel (Live Patch 35 for SLE 12 SP3) (Important)	2021-06-18
oval:org.opensuse.security:def:34471	P	Security update for libxml2 (Moderate)	2021-06-18
oval:org.opensuse.security:def:42702	P	squid3-3.1.12-8.16.20.1 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:30086	P	Security update for MozillaFirefox (Important)	2021-06-08
oval:org.opensuse.security:def:36295	P	squid3-3.1.12-8.16.20.1 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:30074	P	Security update for the Linux Kernel (Important)	2021-05-17
oval:org.opensuse.security:def:30075	P	Security update for python3 (Important)	2021-05-17
oval:org.opensuse.security:def:26048	P	Security update for the Linux Kernel (Important)	2021-05-13
oval:org.opensuse.security:def:34414	P	Security update for java-11-openjdk (Important)	2021-04-26
oval:org.opensuse.security:def:32071	P	Security update for qemu (Important)	2021-04-16
oval:org.opensuse.security:def:31562	P	Security update for xen (Important)	2020-12-07
oval:org.opensuse.security:def:35573	P	kernel-default-2.6.32.12-0.7.1 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:35614	P	mozilla-xulrunner190-1.9.0.19-0.1.1 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:25856	P	Security update for gd (Important)	2020-12-01
oval:org.opensuse.security:def:26523	P	apache2-mod_perl on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:30679	P	Security update for ImageMagick (Moderate)	2020-12-01
oval:org.opensuse.security:def:33219	P	openvpn on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:34316	P	Security update for ruby	2020-12-01
oval:org.opensuse.security:def:34891	P	Security update for curl (Important)	2020-12-01
oval:org.opensuse.security:def:25920	P	Security update for gstreamer-plugins-base (Moderate)	2020-12-01
oval:org.opensuse.security:def:26562	P	gtk2 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:30734	P	Security update for OpenEXR (Moderate)	2020-12-01
oval:org.opensuse.security:def:33258	P	squid3 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:34935	P	Security update for Mozilla Firefox	2020-12-01
oval:org.opensuse.security:def:26576	P	krb5-plugin-kdb-ldap on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:30783	P	Security update for bind (Important)	2020-12-01
oval:org.opensuse.security:def:31761	P	Security update for MozillaFirefox (Important)	2020-12-01
oval:org.opensuse.security:def:32371	P	Security update for tcpdump (Moderate)	2020-12-01
oval:org.opensuse.security:def:26620	P	openssh on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:30822	P	Security update for cups (Moderate)	2020-12-01
oval:org.opensuse.security:def:31762	P	Security update for MozillaFirefox (Important)	2020-12-01
oval:org.opensuse.security:def:32427	P	Security update for xen (Important)	2020-12-01
oval:org.opensuse.security:def:27258	P	pam_ldap on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:30842	P	Security update for cvs (Moderate)	2020-12-01
oval:org.opensuse.security:def:31773	P	Security update for MozillaFirefox (Important)	2020-12-01
oval:org.opensuse.security:def:32476	P	Security update for yast2-storage (Moderate)	2020-12-01
oval:org.opensuse.security:def:34084	P	Security update for mailman (Important)	2020-12-01
oval:org.opensuse.security:def:34719	P	Security update for ImageMagick (Moderate)	2020-12-01
oval:org.opensuse.security:def:26270	P	Security update for mariadb-100 (Moderate)	2020-12-01
oval:org.opensuse.security:def:27293	P	squid3 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:30381	P	Security update for xen (Important)	2020-12-01
oval:org.opensuse.security:def:30886	P	Security update for Mozilla Firefox	2020-12-01
oval:org.opensuse.security:def:31847	P	Security update for clamav (Moderate)	2020-12-01
oval:org.opensuse.security:def:32515	P	fuse on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:34085	P	Security update for mailman (Important)	2020-12-01
oval:org.opensuse.security:def:34777	P	Security update for MozillaFirefox (Important)	2020-12-01
oval:org.opensuse.security:def:25844	P	Security update for the Linux Kernel (Important)	2020-12-01
oval:org.opensuse.security:def:26421	P	Security update for hdf5 (Important)	2020-12-01
oval:org.opensuse.security:def:30438	P	Security update for xpdf-tools	2020-12-01
oval:org.opensuse.security:def:31524	P	Security update for rsync (Moderate)	2020-12-01
oval:org.opensuse.security:def:31979	P	Security update for java-1_7_1-ibm (Important)	2020-12-01
oval:org.opensuse.security:def:32537	P	kdelibs4 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:34096	P	Security update for microcode_ctl (Moderate)	2020-12-01
oval:org.opensuse.security:def:34826	P	Security update for avahi (Moderate)	2020-12-01
oval:org.opensuse.security:def:25845	P	Security update for mariadb (Moderate)	2020-12-01
oval:org.opensuse.security:def:26474	P	Security update for znc (Moderate)	2020-12-01
oval:org.opensuse.security:def:30524	P	Security update for inn	2020-12-01
oval:org.opensuse.security:def:32581	P	mutt on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:34180	P	Security update for openssl1 (Moderate)	2020-12-01
oval:org.opensuse.security:def:34865	P	Recommended udpate for SUSE Manager Client Tools (Low)	2020-12-01
oval:org.cisecurity:def:100	P	DSA-3139-1 squid -- security update	2016-02-08
oval:org.mitre.oval:def:26892	P	ELSA-2014-1148 -- squid security update (Important)	2015-08-10
oval:org.mitre.oval:def:26644	P	ELSA-2014-1147 -- squid security update (Important)	2015-02-23
oval:org.mitre.oval:def:26878	P	SUSE-SU-2014:1140-1 -- Security update for squid3	2014-11-10
oval:org.mitre.oval:def:26700	P	RHSA-2014:1148: squid security update (Important)	2014-10-27
oval:org.mitre.oval:def:25798	P	USN-2327-1 -- squid3 vulnerability	2014-10-27
oval:org.mitre.oval:def:26729	P	RHSA-2014:1147: squid security update (Important)	2014-10-27
oval:org.mitre.oval:def:26200	P	DSA-3014-1 squid3 - security update	2014-10-27
oval:com.ubuntu.precise:def:20143609000	V	CVE-2014-3609 on Ubuntu 12.04 LTS (precise) - medium.	2014-09-11
oval:com.ubuntu.trusty:def:20143609000	V	CVE-2014-3609 on Ubuntu 14.04 LTS (trusty) - medium.	2014-09-11
oval:com.redhat.rhsa:def:20141147	P	RHSA-2014:1147: squid security update (Important)	2014-09-03
oval:com.redhat.rhsa:def:20141148	P	RHSA-2014:1148: squid security update (Important)	2014-09-03