Protect Your Web Services: Mitigate Squid DoS Vulnerability (CVE-2024-25617)

CVE-2024-25617

Squid, the widely used web proxy and caching server, is facing a high-severity Denial of Service (DoS) vulnerability (CVE-2024-25617). This flaw could allow attackers to crash your Squid servers, disrupting critical web services and potentially jeopardizing your entire network.


The Vulnerability

The issue stems from a bug in how Squid's HTTP header parser handles oversized headers. By sending an HTTP message with massive headers, a malicious client (in a request) or a malicious origin server (in a reply to a proxied request) can trigger a "Collapse of Data into Unsafe Value" bug (CWE-182) in Squid's parsing code. The result is a crash that renders the Squid server unavailable until it is restarted. The severity of CVE-2024-25617 is underscored by its CVSS score of 8.6; no authentication or user interaction is required, and a single proxy outage affects every client behind it.

"This problem allows a remote client or a remote server to perform Denial of Service when sending oversized headers in HTTP messages," reads the security advisory.

Who’s Affected?

  • Squid versions 3.0 through 6.4 with the default request_header_max_size and reply_header_max_size settings (64 KB each) are vulnerable.
  • Squid versions 3.0 through 6.4 with either of those settings explicitly set above 21 KB are vulnerable.
  • Squid 6.5 and later are not vulnerable with the default settings, but become vulnerable if either setting is manually raised above 64 KB.

How to Check Your Risk

Use this command to quickly determine your Squid server’s configuration:

squid -k parse 2>&1 | grep header_max_size

squid -k parse re-reads squid.conf and logs a "Processing: ..." line for every directive it finds, so the grep shows the values you have set explicitly. If nothing is printed, neither directive appears in squid.conf and both are at their built-in 64 KB default: that is the vulnerable state on any version before 6.5 and the safe state on 6.5 and later. If values are printed, compare them against the thresholds above for your version (above 21 KB is vulnerable before 6.5, above 64 KB is vulnerable on 6.5 and later). Note that squid -k parse must be run with a configuration the binary can read, so run it as the user Squid normally runs as, or as root.
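The following POSIX shell script is an added example, not code from the Squid project or from the advisory. It encodes the version and size thresholds listed under "Who's Affected" so they can be checked mechanically across a fleet: it reads the installed version from squid -v, reads the two header-size directives from squid.conf (an absent directive means the built-in default), converts Squid's size units to bytes and reports whether the host falls into a vulnerable combination. The assess function takes the version string and config text as arguments so the logic can be exercised offline on constructed inputs; the only host-specific parts are squid -v and the default path /etc/squid/squid.conf, which are assumptions you may need to adjust for your packaging.

```shell
#!/bin/sh
# Added example: classify a Squid installation against the CVE-2024-25617 rules
# quoted on this page. Not part of Squid or the advisory.
#
# Thresholds as summarised above:
#   - before 6.5: vulnerable at the defaults, or if either header limit > 21 KB
#   - 6.5+:       vulnerable only if either header limit is raised above 64 KB

# Convert a squid.conf size value ("21 KB", "64 KB", "1 MB", "16384 bytes") to bytes.
# Squid accepts the unit names bytes, KB, MB and GB; a bare number is treated as bytes.
to_bytes() {
    num=$1; unit=${2:-bytes}
    case "$unit" in
        bytes|B) echo "$num" ;;
        KB) echo $((num * 1024)) ;;
        MB) echo $((num * 1024 * 1024)) ;;
        GB) echo $((num * 1024 * 1024 * 1024)) ;;
        *) echo "unknown size unit: $unit" >&2; return 1 ;;
    esac
}

# Print the configured value (in bytes) of a directive found in the config text on
# stdin, or nothing if the directive is absent (i.e. at the built-in default).
# The last occurrence wins, matching how Squid applies repeated directives.
configured_bytes() {
    directive=$1
    line=$(grep -E "^[[:space:]]*${directive}[[:space:]]" | tail -n 1)
    [ -z "$line" ] && return 0
    # shellcheck disable=SC2086
    set -- $line
    to_bytes "$2" "$3"
}

# True if "MAJOR.MINOR[.PATCH]" sorts before 6.5 (numeric compare of major, then minor).
older_than_6_5() {
    major=${1%%.*}; rest=${1#*.}; minor=${rest%%.*}
    [ "$major" -lt 6 ] || { [ "$major" -eq 6 ] && [ "$minor" -lt 5 ]; }
}

# assess VERSION CONFIG_TEXT -> prints "vulnerable" or "not-vulnerable"
assess() {
    version=$1; conf=$2
    req=$(printf '%s\n' "$conf" | configured_bytes request_header_max_size)
    rep=$(printf '%s\n' "$conf" | configured_bytes reply_header_max_size)
    if older_than_6_5 "$version"; then
        limit=$((21 * 1024))
        # The 64 KB defaults are vulnerable here, so an absent directive counts as over the limit.
        for v in "$req" "$rep"; do
            if [ -z "$v" ] || [ "$v" -gt "$limit" ]; then echo vulnerable; return; fi
        done
    else
        limit=$((64 * 1024))
        # Defaults are safe on 6.5+; only an explicit value above 64 KB is a problem.
        for v in "$req" "$rep"; do
            if [ -n "$v" ] && [ "$v" -gt "$limit" ]; then echo vulnerable; return; fi
        done
    fi
    echo not-vulnerable
}

# Live check of the local host: version from "squid -v", directives from squid.conf.
# The config path is an assumption; pass your distribution's path as the first argument.
check_local() {
    conf_file=${1:-/etc/squid/squid.conf}
    ver=$(squid -v 2>/dev/null | sed -n 's/^Squid Cache: Version \([0-9.]*\).*/\1/p')
    if [ -z "$ver" ]; then echo "squid not found in PATH" >&2; return 1; fi
    assess "$ver" "$(cat "$conf_file")"
}

# Usage: sh check-squid-cve-2024-25617.sh --local [/path/to/squid.conf]
if [ "${1:-}" = "--local" ]; then
    check_local "${2:-}"
fi
```

The script deliberately treats a missing directive differently per version: before 6.5 the default is the vulnerable state, so silence from the config is bad news, while on 6.5 and later silence means the hardened default is in effect. Output is a single word per host so it can be fed into whatever inventory tooling you already use.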

Immediate Actions

  1. Upgrade or Patch:

    • The best solution is to upgrade to Squid version 6.5 or later, where hardening measures are in place.
    • If upgrading is not immediately feasible, apply the appropriate patches from the Squid patch archives.
  2. Enforce Safe Settings (if not upgrading):

    • Squid older than 6.5: Add these lines to squid.conf:

      request_header_max_size 21 KB
      reply_header_max_size 21 KB

    • Squid 6.5 and later: Ensure those settings are either absent from squid.conf or set no higher than 64 KB (the default).

Why This Matters

DoS attacks not only take your Squid-powered services offline but can open the door to further disruptions within your network. Proactive patching and secure configuration are critical to maintaining the availability and security of your systems.