Squid Web Proxy: Revealing Critical Vulnerabilities


Squid is a popular web proxy server that is used by organizations of all sizes to improve performance, security, and reliability. However, like any software, Squid is not immune to security vulnerabilities. In recent weeks, Squid developers have released several advisories warning users of three critical vulnerabilities.

1. HTTP/1.1 & ICAP Request/Response Smuggling (SQUID-2023:1) – CVSS Score 9.3

This vulnerability stems from a discrepancy in chunked decoder lenience, which makes Squid susceptible to request/response smuggling attacks when processing HTTP/1.1 and ICAP messages. It allows attackers to bypass firewall and front-end security systems, especially when upstream servers interpret chunked encoding syntax differently than Squid.

Affected Versions: Squid-5.x up to 5.9 & Squid-6.x up to 6.3.

Solution: This flaw is rectified in Squid version 6.4. Patches for stable releases are available for Squid 5 and Squid 6.

Workaround: To mitigate ICAP issues, only trusted ICAP services should be used with TLS-encrypted connections (ICAPS extension). No workaround is available for the HTTP Request Smuggling issue.

2. Denial of Service in HTTP Digest Authentication (SQUID-2023:3) – CVSS Score 9.9

A buffer overflow bug in Squid makes it vulnerable to a Denial of Service (DoS) attack when configured to accept HTTP Digest Authentication. This flaw can allow attackers to write up to 2 MB of arbitrary data to heap memory, resulting in a DoS for all Squid proxy users on machines with advanced memory protections.

Affected Versions: Squid-5.0.6 up to 5.9 & Squid-6.x up to 6.3.

Solution: The issue is resolved in Squid version 6.4. Patches are available for Squid 5 and Squid 6.

Workaround: It’s recommended to disable HTTP Digest authentication until an upgrade or patch is applied.

3. Denial of Service in FTP (SQUID-2023:5) – CVSS Score 8.6

Because of an Incorrect Conversion between Numeric Types bug, Squid is vulnerable to a Denial of Service attack targeting ftp:// URL validation, access control, and FTP Native Relay input validation. This vulnerability can be exploited when sending ftp:// URLs in HTTP Request messages or constructing ftp:// URLs from FTP Native input.

Affected Versions: Squid-5.0.4 up to 5.6 & Squid-6.x up to 6.3.

Solution: Squid version 6.4 addresses this flaw. Patches are available for Squid 5 and Squid 6.

Workaround: To secure the FTP Native Relay input validation vector, all ftp_port directives should be removed from squid.conf. No workarounds are available for the ftp:// URL validation and access control vector.

If you use a prepackaged Squid version, it is imperative to consult the respective package vendor to confirm whether updated packages are available. These vulnerabilities underscore the importance of regular patching and keeping abreast of the latest security advisories to ensure a secure internet environment.
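The affected ranges and workarounds above can be turned into a quick exposure check for a given Squid version and squid.conf. The following is an added example, not code from the Squid project: the function names and the sample configuration are constructed, and a version match cannot tell whether a vendor package carries a backported patch.

```python
import re

# Inclusive affected ranges as listed in the advisories summarized above.
AFFECTED = {
    "SQUID-2023:1": [("5.0.0", "5.9"), ("6.0.0", "6.3")],
    "SQUID-2023:3": [("5.0.6", "5.9"), ("6.0.0", "6.3")],
    "SQUID-2023:5": [("5.0.4", "5.6"), ("6.0.0", "6.3")],
}

def parse_version(text):
    """'5.9' -> (5, 9, 0); pads to three fields so tuples compare cleanly."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def in_range(version, advisory):
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi)
               for lo, hi in AFFECTED[advisory])

def has_directive(conf, pattern):
    """True if an uncommented squid.conf line matches the pattern."""
    return re.search(r"^[ \t]*" + pattern, conf, re.MULTILINE) is not None

def audit(version, conf):
    """Return {advisory: [findings]}; an empty list means no exposure found."""
    report = {adv: [] for adv in AFFECTED}
    if in_range(version, "SQUID-2023:1"):
        report["SQUID-2023:1"].append("HTTP smuggling: no workaround, upgrade or patch")
        if has_directive(conf, r"icap_service\s.*\bicap://"):
            report["SQUID-2023:1"].append("icap_service over plaintext icap://")
    if in_range(version, "SQUID-2023:3") and has_directive(conf, r"auth_param\s+digest\s"):
        report["SQUID-2023:3"].append("digest authentication is configured")
    if in_range(version, "SQUID-2023:5"):
        report["SQUID-2023:5"].append("ftp:// URL handling: no workaround, upgrade or patch")
        if has_directive(conf, r"ftp_port\b"):
            report["SQUID-2023:5"].append("ftp_port directive present")
    return report

# Constructed sample configuration, for illustration only.
SAMPLE_CONF = """\
http_port 3128
# ftp_port 2121
auth_param digest program /usr/lib/squid/digest_file_auth /etc/squid/digest
icap_service av reqmod_precache icap://127.0.0.1:1344/reqmod
"""

if __name__ == "__main__":
    for advisory, findings in audit("5.7", SAMPLE_CONF).items():
        print(advisory, findings or "no exposure found")
```

For version 5.7 with the sample configuration, the check reports exposure to SQUID-2023:1 and SQUID-2023:3 but not SQUID-2023:5, whose affected Squid 5 range ends at 5.6.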

Update on November 2

CVE numbers have been assigned to these flaws:

  • CVE-2023-46846: HTTP/1.1 & ICAP Request/Response Smuggling
  • CVE-2023-46847: Denial of Service in HTTP Digest Authentication
  • CVE-2023-46848: Denial of Service in FTP