Denial-of-Service Vulnerability Found in Squid Proxy Server (CVE-2024-45802)
A recent security advisory from the Squid project has highlighted a critical Denial-of-Service (DoS) vulnerability, tracked as CVE-2024-45802 (CVSS 7.5), in Squid, a popular open-source caching proxy server. Squid, widely used for reducing bandwidth and improving response times, is exposed to a potentially disruptive flaw only under certain configurations, specifically in deployments where the Edge Side Includes (ESI) feature is enabled.
Squid, a staple in caching and web acceleration, supports multiple protocols such as HTTP, HTTPS, and FTP and operates on a wide range of systems including Windows. However, as the advisory warns, “Due to Input Validation, Premature Release of Resource During Expected Lifetime, and Missing Release of Resource after Effective Lifetime bugs, Squid is vulnerable to Denial of Service attacks by a trusted server against all clients using the proxy.”
The issue specifically affects configurations where Squid acts as a reverse proxy with the ESI feature enabled—a setting that has been standard in versions from 3.0 up to 6.9. This configuration enables trusted servers to exploit the vulnerability, allowing them to “perform a Denial of Service when processing ESI response content. This affects all domains being serviced by the proxy and all clients using it during the affected period.”
The good news is that Squid version 6.10 has addressed the vulnerability by disabling ESI by default. The advisory recommends that users run `squid -v` to check whether they are affected: “Versions 3.x, 4.x, 5.x, and 6.0.1 to 6.9 are vulnerable unless the output contains the text ‘--disable-esi’. Versions 6.10 and later are vulnerable if the output contains the text ‘--enable-esi’.”
For those unable to upgrade immediately, the Squid team suggests rebuilding Squid with the `--disable-esi` configure flag as a workaround, which mitigates the vulnerability until a full update is possible.
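The version check above, turned into a script that applies the advisory's two rules to the text of `squid -v`. This is an added example, not code from the Squid project; it assumes the output begins with a `Squid Cache: Version X.Y[.Z]` line followed by the configure options, and the sample outputs are constructed.

```shell
# Added example (not Squid project code): classify `squid -v` output per the CVE-2024-45802 advisory.
# Assumes the output has a "Squid Cache: Version X.Y[.Z]" line followed by the configure options.
# Returns 0 = vulnerable, 1 = not affected, 2 = version line not found.
esi_vulnerable() {
    out="$1"
    ver=$(printf '%s\n' "$out" | sed -n 's/^Squid Cache: Version \([0-9][0-9.]*\).*/\1/p' | head -n 1)
    [ -n "$ver" ] || return 2
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    # Advisory rules: 3.x to 6.9 build ESI in unless --disable-esi was given;
    # 6.10 and later leave it out unless --enable-esi was given.
    case "$major" in
        3|4|5) default_on=1 ;;
        6) if [ "$minor" -ge 10 ]; then default_on=0; else default_on=1; fi ;;
        *) if [ "$major" -gt 6 ]; then default_on=0; else return 1; fi ;;
    esac
    if [ "$default_on" -eq 1 ]; then
        printf '%s\n' "$out" | grep -q -- '--disable-esi' && return 1
        return 0
    fi
    printf '%s\n' "$out" | grep -q -- '--enable-esi' && return 0
    return 1
}

# Constructed samples of `squid -v` output (not captured from real hosts).
S_69_ESI='Squid Cache: Version 6.9
configure options: --prefix=/usr --enable-esi'
S_69_NOESI='Squid Cache: Version 6.9
configure options: --prefix=/usr --disable-esi'
S_610_DEFAULT='Squid Cache: Version 6.10
configure options: --prefix=/usr'
S_610_ESI='Squid Cache: Version 6.10
configure options: --prefix=/usr --enable-esi'

report() {
    rc=0
    esi_vulnerable "$2" || rc=$?
    case "$rc" in
        0) printf '%s: vulnerable, rebuild with --disable-esi or upgrade\n' "$1" ;;
        1) printf '%s: not affected\n' "$1" ;;
        *) printf '%s: no version line found\n' "$1" ;;
    esac
}
report "6.9 --enable-esi" "$S_69_ESI"
report "6.9 --disable-esi" "$S_69_NOESI"
report "6.10 default build" "$S_610_DEFAULT"
report "6.10 --enable-esi" "$S_610_ESI"
# On a real host: report "$(hostname)" "$(squid -v 2>&1)"
```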