Update Protection against Squid Proxy Invalid HTTP Response Status Code Denial of Service Vulnerability

Vulnerability
Protection

Check Point Reference:	CPAI-2009-227
Date Published:
Severity:
Last Updated:
Source:	Secunia Advisory: SA36007
Industry Reference(s):	CVE-2009-2621
Protection Provided by:	Security Gateway R70 VPN-1 NGX R65 VSX NGX R65 IPS-1 IPS-1 IPS-1 NGX R65
Who is Vulnerable? Squid Project Squid 3.0.x prior to 3.0.STABLE17 Squid Project Squid 3.1.x prior to 3.1.0.12
Vulnerability Description A denial of service vulnerability exists in the way Squid handles HTTP requests and responses. The Squid proxy server is a popular open source, Internet proxy and web caching application. The vulnerability is due to a boundary error when handling malformed HTTP requests/responses. A remote attackers can exploit this vulnerability by sending a specially crafted HTTP request/response packet to an affected system.

Update/Patch Available The vendor, Squid Project, has released an advisory addressing this vulnerability: http://www.squid-cache.org/Advisories/SQUID-2009_2.txt
Vulnerability Details The vulnerability is due to a boundary check error while parsing the content data in an HTTP response. Remote attackers can exploit this vulnerability by sending a specially crafted HTTP response. Successful exploitation would cause a denial of service condition.

Protection Overview
This protection will detect and block HTTP repsonses with invalid response codes sent to the Squid proxy server.

In order for the protection to be activated, update your Security Gateway/VPN-1 product to the latest IPS/SmartDefense update. For information on how to update IPS/SmartDefense, go to SBP-2006-05, Protection tab and select the version of your choice.

To configure the defense, select your product from the list below and follow the related protection steps.

Security Gateway R70

How Can I Protect My Network?
1. In the IPS tab, click Protections > By Protocol > Application Intelligence > Proxy Server Protections.
2. In the right pane, double-click the Squid Proxy Invalid HTTP Response Status Code Denial of Service protection.
3. In the Protection Details window, click on Edit. Choose the protection's Action (Override IPS Policy with: Prevent/Detect), and apply Additional Settings.
4. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: Proxy Server Enforcement
Attack Information: Squid Proxy invalid HTTP response status code denial of service

VPN-1 NGX R65

How Can I Protect My Network?
1. In the SmartDefense tree, click Application Intelligence > Proxy Server Protections > Squid Proxy Invalid HTTP Response Status Code Denial of Service.
2. In the configuration pane, under Settings > Mode, check Active.
3. Install policy on all modules.

VPN-1 VSX NGX R65

IPS-1 & IPS-1 NGX R65

How Can I Protect My Network?

1. In the IPS-1 Policy Manager, click on the Protection tab.
2. In the Protection tree, click Web Intelligence > WWW 2, and select the Strict Compliance protection group.
3. Click Server sent invalid http response code (IPS-1 NGX R65 only).
4. In the configuration pane, under Settings, check Active.
5. Click on Install Policy.

How Do I Know if My Network is Under Attack?

Upon attack, the following entry will be logged:

Alert Name: HTTP Compliance
Description: Server sent invalid http response code

Legal Notice for Threat Center Advisories