Security Alert: Squid Proxy’s Unresolved Vulnerabilities

Over two years have elapsed since the discovery of 35 vulnerabilities in the Squid caching proxy, yet they remain unaddressed, warns the security specialist who first spotlighted these issues.

Squid is a web proxy extensively employed by internet service providers and website proprietors. In February 2021, security expert Joshua Rogers undertook an analysis of Squid, discerning 55 vulnerabilities within the project’s code.

Vulnerability ID
Stack Buffer Overflow in Digest Authentication
Use-After-Free in TRACE Requests
Partial Content Parsing Use-After-Free CVE-2021-31807
X-Forwarded-For Stack Overflow
Chunked Encoding Stack Overflow
Use-After-Free in Cache Manager Errors
Cache Poisoning by Large Stored Response Headers (With Bonus XSS)
Memory Leak in CacheManager URI Parsing CVE-2021-28652
RFC 2141 / 2169 (URN) Response Parsing Memory Leak CVE-2021-28651
Memory Leak in HTTP Response Parsing
Memory Leak in ESI Error Processing
1-Byte Buffer OverRead in RFC 1123 date/time Handling
Null Pointer Dereference in Gopher Response Handling GHSA-cg5h-v6vc-w33f
One-Byte Buffer OverRead in HTTP Request Header Parsing
strlen(NULL) Crash Using Digest Authentication
Assertion in ESI Header Handling
Integer Overflow in Range Header CVE-2021-31808
Gopher Assertion Crash
Whois Assertion Crash
Assertion in Gopher Response Handling
RFC 2141 / 2169 (URN) Assertion Crash
Vary: Other HTTP Response Assertion Crash CVE-2021-28662
Assertion in Negotiate/NTLM Authentication Using Pipeline Prefetching
Assertion on IPv6 Host Requests with –disable-ipv6
Assertion Crash on Unexpected “HTTP/1.1 100 Continue” Response Header
Pipeline Prefetch Assertion With Double ‘Expect:100-continue’ Request Headers
Pipeline Prefetch Assertion With Invalid Headers
Assertion Crash in Deferred Requests
Assertion in Digest Authentication
FTP URI Assertion
FTP Authentication Crash
Unsatisfiable Range Requests Assertion CVE-2021-31806
Crash in Content-Range Response Header Logic CVE-2021-33620
Assertion Crash In HTTP Response Headers Handling
Implicit Assertion in Stream Handling
Buffer UnderRead in SSL CN Parsing
Use-After-Free in ESI ‘Try’ (and ‘Choose’) Processing
Use-After-Free in ESI Expression Evaluation
Buffer Underflow in ESI
Assertion in Squid “Helper” Process Creator
Assertion Due to 0 ESI ‘when’ Checking
Assertion Using ESI’s When Directive
Assertion in ESI Variable Assignment (String)
Assertion in ESI Variable Assignment
Null Pointer Dereference In ESI’s esi:include and esi:when

To date, a mere 20 of these have been rectified. A significant proportion of these vulnerabilities haven’t been assigned CVE identifiers, signifying the lack of official patches or mitigation recommendations. In a communiqué to the Openwall security community, Rogers conveyed that after an extended period of anticipation, he decided to disseminate this information.

Rogers elucidated these vulnerabilities on his personal website, emphasizing the gamut of issues – Use-After-Free, memory leaks, cache poisoning, assertion failures, and various other deficiencies spanning disparate components. Concurrently, he expressed empathy towards the Squid team, acknowledging that numerous open-source project developers volunteer their expertise and may not always promptly respond to such predicaments.

The incident raises contemplations regarding who should bear the responsibility for sustaining open-source software. Given that over 2.5 million servers operate on Squid’s foundation across the web, Rogers advises all patrons of this product to scrupulously appraise the vulnerability details and, if deemed necessary, to reconsider in favor of alternative solutions.