CVE-2024-25111: Squid Proxy Hit by Serious Denial of Service Bug

Squid, the workhorse of web caching and acceleration, is facing a critical security threat. A vulnerability (CVE-2024-25111, CVSS 8.6) has been uncovered that could allow malicious actors to cripple Squid-powered systems, potentially disrupting a wide range of internet services.

Understanding the Attack: HTTP Chunking Goes Rogue

Web data often travels in bite-sized chunks, a technique called “chunked transfer encoding.” This helps manage large downloads, videos, and the dynamic content that makes the modern web tick. The flaw in Squid centers around how it handles these chunks. Attackers can exploit the bug to send a never-ending stream of malformed data, essentially forcing Squid into a resource-draining loop and ultimately leading to a system crash.

The Scope: Who Needs to Worry

Here’s where the CVE-2024-25111 vulnerability is confirmed:

• Squid 3.5.27 to 4.17: Older branches with unknown status – best to assume they’re at risk.
• Squid 5: All versions up to 5.9.
• Squid 6: All versions up to 6.7.

Don’t Wait: Mitigating the Risk

The most effective solution is to upgrade to Squid 6.8, where the bug has been addressed. If an immediate upgrade isn’t feasible, here’s what you need:

• Squid 6 patch: Obtain it from the official source: http://www.squid-cache.org/Versions/v6/SQUID-2024_1.patch
• Vendor Patches: If you rely on prepackaged Squid, contact your vendor for updates ASAP.