Vulnerability Tutorial - Squid vulnerabilities
Updated: 09/15/14 (RED light)
Impact
A remote attacker could cause a denial of service or execute arbitrary commands.
Background
Squid is an open-source, full-featured Web Proxy for Unix. It performs proxying and caching of HTTP, FTP, and other services.
The Problem

SNMP Request Handling Off-by-one Vulnerability

09/15/14
CVE 2014-6270
Squid 3.4.7 and prior are prone to a vulnerability that can be exploited to cause a DoS (Denial of Service). The vulnerability exists due to an off-by-one overflow condition in the snmpHandleUdp() function: the application does not properly validate user-supplied input when handling SNMP requests, which may cause a heap-based buffer overflow, resulting in a denial of service.

Range Request Parsing Denial of Service

08/28/14
CVE 2014-3609
Squid before 3.3.13 and 3.4.7 is prone to a vulnerability, which can be exploited to cause a DoS (Denial of Service). The vulnerability exists due to an input validation error when processing Range requests.

SSL-Bump HTTPS Requests Processing Denial of Service Vulnerability

03/12/14
CVE 2014-0128
Squid before 3.3.12 and 3.4.4 is prone to a vulnerability, which can be exploited to cause a DoS (Denial of Service). The vulnerability exists due to an error related to state management in SSL-Bump.

Note: Successful exploitation requires SSL-Bump feature to be enabled.

HTTP Header Port Number Handling Denial of Service Vulnerability

07/22/13
CVE 2013-4123
Squid before 3.2.13 and 3.3.8 is prone to a vulnerability, which can be exploited to cause a DoS (Denial of Service). The vulnerability is caused by an error when handling port number values within the "Host" header of HTTP requests and can be exploited to render the service unusable.

"idnsALookup()" DNS Name Handling Buffer Overflow Vulnerability

07/16/13
CVE 2013-4115
Squid before 3.2.12 and 3.3.7 is prone to a vulnerability, which can be exploited to cause a buffer overflow. The vulnerability is caused by an error within the "idnsALookup()" function when handling DNS query generation requests and can be exploited to cause a buffer overflow by sending specially crafted HTTP requests.

cachemgr.cgi Memory Leak Denial of Service Vulnerability

12/20/12
CVE 2012-5643
Squid before 3.3.0.2, 3.2.4, and 3.1.22 is prone to a vulnerability, which can be exploited by malicious users to cause a DoS (Denial of Service). The vulnerability is caused by memory leak errors within cachemgr.cgi when handling certain requests, which can be exploited to consume resources and render the server unusable.

DNS Replies Invalid Free Denial of Service Vulnerability

11/08/11
CVE 2011-4096
Squid before 3.1.16 is prone to a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused by an error when processing certain DNS replies, which can be exploited to trigger an invalid free via e.g. DNS replies containing a CNAME record pointing to another CNAME record pointing to an empty A record.

Gopher Response Processing Buffer Overflow

09/06/11
CVE 2011-3205
Squid before 3.0.STABLE26, 3.1.15, and 3.2.0.11 is prone to a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise a vulnerable system. The vulnerability is caused by a boundary error when processing Gopher responses and can be exploited to cause a buffer overflow via an overly long string.

String Processing NULL Pointer Dereference Denial Of Service Vulnerability

09/16/10
CVE 2010-3072
Squid is prone to a remote denial-of-service vulnerability caused by a NULL pointer dereference. An attacker can exploit this issue to cause the application to crash, denying service to legitimate users.

DNS Reply Remote Buffer Overflow Vulnerability

09/10/10
CVE NONE-0105
Squid before 3.1.7 is prone to a remote buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data. An attacker can exploit this issue to execute arbitrary code within the context of the affected application.

HTCP Packet Processing Denial of Service

03/10/10
CVE 2010-0639
A denial of service vulnerability exists in Squid Proxy. The vulnerability is due to a NULL pointer dereference when processing specially crafted Hypertext Caching Protocol (HTCP) packets. Remote attackers can exploit this issue by sending a malicious HTCP request to the target server. Successful exploitation could terminate the affected server process abnormally and result in a denial of service condition.

strListGetItem Denial of Service

08/27/09
CVE 2009-2855
There exists a denial of service vulnerability in the way Squid handles HTTP headers. The vulnerability is due to an infinite loop error when processing HTTP headers containing a specific delimiter character. Remote unauthenticated attackers can exploit this vulnerability by sending specially crafted HTTP request packets containing malicious HTTP headers. Successful exploitation would consume system resources and may cause the service to terminate.

Multiple Remote Denial of Service Vulnerabilities

07/29/09
CVE 2009-2621
CVE 2009-2622
Squid before 3.0.STABLE17 and 3.1.0.12 is prone to multiple remote denial-of-service vulnerabilities. Successfully exploiting these issues allows remote attackers to crash the affected application, denying further service to legitimate users.

ICAP Adaptation Denial of Service

04/16/09
Squid is prone to a remote denial-of-service vulnerability because the proxy server fails to adequately bounds-check user-supplied data before copying it to an insufficiently sized buffer. Successfully exploiting this issue allows remote authenticated attackers to consume excessive memory, resulting in a denial-of-service condition.

HTTP Version Number Parsing Denial of Service

02/10/09
CVE 2009-0478
There exists a denial of service vulnerability in the way Squid handles the HTTP version number. The vulnerability is due to inappropriate parsing of the version number when processing malformed HTTP requests. Remote unauthenticated attackers can exploit this vulnerability by sending specially crafted HTTP request packets to an affected system. Successful exploitation may cause the service to terminate.

Cached Objects HTTP headers temporary denial of service

04/22/08
CVE 2008-1612
Squid 2.6.STABLE17 has a flaw in the way it manipulates HTTP headers for cached objects stored in system memory. An attacker could use this flaw to cause a squid child process to exit, which interrupts existing connections and makes proxy services unavailable. Note: the parent squid process starts a new child process, so this attack only results in a temporary denial of service.

Squid Proxy Cache Update Denial of Service

12/05/07
CVE 2007-6239
Squid Proxy prior to version 2.6STABLE17, all 3.0PRE versions and 3.0RC1 have a denial-of-service vulnerability. This vulnerability is caused by memory exhaustion due to a linked table which grows on every server response with a 304 status code within an HTTP session.

Squid Proxy TRACE Request Remote Denial of Service

03/28/07
CVE 2007-1560
The Squid proxy has a denial-of-service vulnerability. The vulnerability is due to a failure to handle exceptional conditions (Max-Forwards=0) when processing an HTTP TRACE request within the Squid proxy. Successfully exploiting this issue allows unauthenticated remote attackers to terminate a vulnerable Squid proxy server, creating a denial of service condition to legitimate users. Squid 2.6 prior to 2.6STABLE12 is vulnerable.

Multiple Vulnerabilities fixed in 2.6.STABLE7

01/25/07
Squid versions earlier than 2.6.STABLE7 are affected by the following vulnerabilities:

  • CVE 2007-0247
    Denial of Service due to core dump via crafted FTP directory listing responses
  • CVE 2007-0248
    Denial of Service due to external_acl queue overload, which triggers an infinite loop

Vulnerability in Squid 2.5.STABLE11

10/25/05
Squid 2.5.STABLE11 and earlier are affected by the following vulnerability:
CVE 2005-3258
Denial of service due to odd responses in remote FTP servers under certain conditions.

Multiple Vulnerabilities in Squid 2.5.STABLE10

09/09/05
Squid 2.5.STABLE10 and earlier are affected by the following vulnerabilities:

  • CVE 2005-2794
    Denial of service due to assertion failures in certain conditions involving aborted requests
  • CVE 2005-2796
    Denial of service due to segmentation fault in sslConnectTimeout

Multiple Vulnerabilities in Squid 2.5.STABLE9

03/16/05
CVE 2005-0626
Due to a race condition, it is possible for cookies to leak to unintended users, possibly disclosing login credentials or other sensitive information. This vulnerability is only an issue when Squid communicates with a server which relies on obsolete Netscape specifications on caching of Set-Cookie headers. Squid 2.5 STABLE 7 through 9 are affected by this vulnerability.

05/16/05
Other vulnerabilities in Squid 2.5.STABLE9 include:

  • CVE 2005-1345
    Unexpectedly permissive access controls if configuration has invalid ACLs
  • CVE 2005-1519
    DNS response spoofing due to predictable transaction IDs

DNS Response Denial of Service

02/23/05
CVE 2005-0446
Invalid DNS responses can cause Squid to terminate. An attacker who controls an authoritative DNS server could exploit this issue to cause a denial of service. Squid 2.5 STABLE5 through STABLE8 are affected by this vulnerability.

HTTP Request Smuggling

CVE 2005-0174
Squid 2.5.STABLE7 and earlier are susceptible to HTTP request smuggling attacks. This type of attack occurs when an HTTP request contains malformed headers (such as extraneous whitespace or carriage return characters) or duplicated headers (such as two Content-Length headers). The Squid proxy may interpret the malformed request as a single request while the destination web server interprets it as two requests, causing the responses to any subsequent requests to become cached incorrectly. This could allow an attacker to poison the cache, such that users who request certain legitimate pages would receive spoofed content.
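The defensive counterpart to the smuggling entry above is a parser that refuses any request head two implementations could split differently. This is an added example, not Squid's code; the function name and the findings it returns are my own.

```python
"""Strict request-header checks of the kind a proxy needs to refuse the
ambiguous requests behind HTTP request smuggling (CVE-2005-0174).
Added example, not Squid code: rather than guessing one interpretation,
every ambiguity that two parsers could resolve differently is reported."""
import re

# Characters RFC 7230 allows in a header name (tchar); whitespace is not one of them.
TCHAR = re.compile(rb"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")

def find_smuggling_ambiguities(raw: bytes) -> list[str]:
    """Return the reasons a request's head is ambiguous (empty list if clean).
    `raw` is the request from the request line through the blank line."""
    findings = []
    head = raw.split(b"\r\n\r\n", 1)[0]
    # A lone LF or a CR not followed by LF lets two parsers split lines differently.
    if re.search(rb"(?<!\r)\n|\r(?!\n)", head):
        findings.append("bare CR or LF inside header block")
    request_line, *header_lines = head.split(b"\r\n")
    if request_line.count(b" ") != 2:
        findings.append("request line does not have exactly three parts")
    content_lengths = []
    transfer_encoding = False
    for line in header_lines:
        if line[:1] in (b" ", b"\t"):
            findings.append("obsolete line folding (leading whitespace)")
            continue
        name, sep, value = line.partition(b":")
        if not sep:
            findings.append(f"header line without a colon: {line[:40]!r}")
            continue
        if not TCHAR.match(name):
            findings.append(f"invalid character or whitespace in header name {name!r}")
        key = name.strip().lower()
        if key == b"content-length":
            content_lengths.append(value.strip())
        elif key == b"transfer-encoding":
            transfer_encoding = True
    if len(content_lengths) > 1:
        findings.append("multiple Content-Length headers")
    for length in content_lengths:
        if not length.isdigit():
            findings.append(f"non-numeric Content-Length {length!r}")
    if content_lengths and transfer_encoding:
        findings.append("Content-Length together with Transfer-Encoding")
    return findings
```

A proxy that rejects any request with a non-empty findings list never has to pick one of the competing interpretations, which is what leaves the cache open to poisoning.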

Multiple Vulnerabilities in Squid 2.5.STABLE7

01/21/05
02/11/05
03/16/05
05/03/05
There are multiple vulnerabilities affecting Squid 2.5.STABLE7 and earlier, including:

  • CVE 2005-0094 Buffer overflow in Gopher response parsing
  • CVE 2005-0095 Denial of service in processing WCCP messages with spoofed source addresses
  • CVE 2005-0173 Access control bypass in squid_ldap_auth using a leading or trailing space in user name
  • CVE 2005-0175 Cache poisoning by an HTTP response splitting attack
  • CVE 2005-0194 Access control bypass due to empty access control lists or proxy_auth ACLs without defined auth schemes
  • CVE 2005-0211 Buffer overflow in processing long WCCP packets
  • CVE 2005-0241 Access control bypass or cache poisoning by oversized HTTP reply headers
  • CVE 2005-0718 Denial of service by aborted PUT or POST requests

SNMP Module ASN1 Parsing Error

10/19/04
CVE 2004-0918
The asn_parse_header function in some cases allows negative length fields to pass validation. This causes a memory allocation to fail, after which the server restarts. Since it takes only a single UDP datagram to cause a restart, and the restart takes several seconds, repeated attacks could lead to a denial of service. Squid 2.5.STABLE6 and earlier and 3.0.PRE1 through 3.0.PRE3 are affected by this vulnerability if the SNMP module is enabled. The SNMP module is only enabled if both the snmp_port variable is non-zero in the squid.conf file and the --enable-snmp option was used when compiling Squid.

url_regex access control bypass

03/05/04
CVE 2004-0189
Servers which use url_regex access controls do not properly check URLs containing encoded null characters (%00). A remote attacker could bypass URL-based access controls by including the %00 sequence in a specially crafted URL. Squid 2.5 STABLE 4 and earlier versions are affected.

Heap overflow in compressed DNS message handling

04/15/02
CVE 2002-0163
A heap overflow in the processing of compressed DNS answer messages could cause the Squid process to stop with a segmentation fault. This could allow a remote attacker who has control of a DNS server to crash the Squid proxy. Squid 2.4.STABLE4 and earlier, and pre-release versions of Squid 2.5 and 2.6 downloaded prior to March 12, 2002 are affected by this vulnerability.

FTP proxy buffer overflow

02/25/02
CVE 2002-0068
When processing FTP proxy requests, Squid allocates a buffer based upon the size of the original request, but copies into that buffer a string which may contain URL-encoded characters, which could overflow the buffer. This condition, if exploited a number of times, could lead to a denial of service. It could also be possible for a remote attacker to execute arbitrary commands. Versions of Squid prior to 2.4.STABLE4 are affected by this vulnerability.

Access Control List bypass vulnerabilities

04/15/02
CVE 1999-1273
CVE 2001-1030
Multiple vulnerabilities could allow a remote attacker to bypass the access control lists on a Squid proxy, thus permitting port scanning and possibly remote access from unauthorized hosts. Squid versions prior to 2.4.STABLE3 may be affected by one or more of these vulnerabilities.

Newline Authentication Flaw

02/25/02
CVE 1999-1481
When authenticating to the Squid proxy service, a client sends a base-64 encoded user name and password pair. When the server decodes the pair, it does not remove newline and carriage return characters. Pairs containing newline and carriage return characters are interpreted as two pairs instead of one, thereby using one pair for authentication of the current client, and queueing the second pair for the next client. If the service is actively used by users with valid user name and password pairs, an attacker could exploit this situation and gain access to the service due to a prior user's user name and password being at the front of the queue.

Squid 2.2.STABLE5 and earlier are affected by this vulnerability.
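The fix for this class of bug is to treat the decoded credential as exactly one pair and refuse anything containing a line break. The following is an added example, not Squid's authentication code; encode_basic is a helper of my own used only to construct test input.

```python
"""Strict parsing of a Proxy-Authorization: Basic credential.
Added example, not Squid code, for the newline authentication flaw above:
the decoded user:password pair is rejected if it contains CR, LF or any
other control character, so one header can never be read as two pairs."""
import base64
import binascii

class BadCredential(ValueError):
    """Raised for anything that is not exactly one clean user:password pair."""

def encode_basic(user: str, password: str) -> str:
    """Build a 'Basic <base64>' header value; used here to construct test input."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def parse_basic_credential(header_value: str) -> tuple[str, str]:
    """Return (user, password) from 'Basic <base64>', or raise BadCredential."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        raise BadCredential("not a Basic credential")
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except binascii.Error as exc:
        raise BadCredential("invalid base64") from exc
    try:
        pair = raw.decode("utf-8")
    except UnicodeDecodeError as exc:
        raise BadCredential("credential is not valid UTF-8") from exc
    # The original flaw: CR/LF survived decoding and split one pair into two,
    # leaving the second pair queued for the next client. Refuse all controls.
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in pair):
        raise BadCredential("control character in credential")
    user, sep, password = pair.partition(":")
    if not sep or not user:
        raise BadCredential("credential is not of the form user:password")
    return user, password

def is_clean_credential(header_value: str) -> bool:
    """True if the header parses as exactly one well-formed pair."""
    try:
        parse_basic_credential(header_value)
    except BadCredential:
        return False
    return True
```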

FTP PUT denial of service

02/25/02
CVE 2001-0843
A request to the Squid proxy server which uses the PUT request method for an FTP address could cause the proxy service to crash if the request only creates a directory (mkdir). Versions of Squid prior to 2.4.STABLE3 are affected by this vulnerability.

Other miscellaneous vulnerabilities

02/25/02
CVE 1999-0710
CVE 2002-0067
CVE 2002-0069
Other miscellaneous vulnerabilities in outdated versions of Squid in certain configurations could allow a remote attacker to consume system resources or conduct unauthorized port scanning.

Resolution
Upgrade to a version higher than 3.4.7 for 3.4.x, higher than 3.3.13 for 3.3.x, higher than 3.2.13 for 3.2.x, or higher than 3.1.22 for 3.1.x, or contact the vendor for a fix.
More Information
The SNMP request handling Off-by-one vulnerability was reported in Bug 895773 CVE-2014-6270.

The Range request parsing denial of service was reported in SQUID-2014:2.

The SSL-Bump HTTPS requests processing denial of service vulnerability was reported in Secunia Advisory SA57288.

The HTTP Header Port Number Handling Denial of Service vulnerability was reported in Secunia Advisory SA54142.

The "idnsALookup()" DNS Name Handling Buffer Overflow vulnerability was reported in Secunia Advisory SA54076.

The cachemgr.cgi Memory Leak Denial of Service vulnerability was reported in Secunia Advisory SA51545.

The DNS Replies Invalid Free Denial of Service vulnerability was reported in Secunia Advisory SA46609.

The Gopher Response Processing Buffer Overflow vulnerability was reported in Secunia Advisory SA45805.

The String Processing NULL Pointer Dereference Denial Of Service vulnerability was reported in Bugtraq ID 42982.

The DNS Reply Remote Buffer Overflow vulnerability was reported in Bugtraq ID 42645.

The HTCP Packet Processing Denial of Service was reported in Bugtraq ID 38212.

The strListGetItem Denial of Service was reported in Bugtraq ID 36091.

The multiple Remote Denial of Service vulnerabilities were reported in Bugtraq ID 35812.

The ICAP Adaptation Denial of Service was reported in Bugtraq ID 34277.

The HTTP Version Number Parsing Denial of Service was reported in Bugtraq ID 33604.

The cached objects HTTP headers temporary denial of service was reported in Secunia Advisory SA27910.

The Squid Proxy Cache Update denial of service was reported in SQUID-2007-2 and Secunia Advisory SA27910.

The Squid proxy TRACE request remote denial of service was reported in Secunia Advisory SA24611.

The vulnerabilities fixed in Squid 2.6.STABLE7 were reported in the Squid patch list.

The vulnerabilities in Squid 2.5.STABLE11 were reported in the Squid patch list.

The vulnerabilities in Squid 2.5.STABLE10 were reported in the Squid patch list.

The Set-Cookie race condition was reported in the Squid patch list.

The vulnerabilities in Squid 2.5.STABLE9 were reported in the Squid patch list.

The DNS response denial of service was reported in Bugtraq ID 12551.

The HTTP request smuggling vulnerability was reported in Squid Advisory 2005:4.

The vulnerabilities in Squid 2.5.STABLE7 were reported in the Squid patch list.

The SNMP module ASN1 parsing vulnerability was reported in iDEFENSE Security Advisory 10.11.04.

For more information on the url_regex access control bypass, see Squid Advisory 2004:1.

For more information on the heap overflow in compressed DNS message handling, see Squid Advisory 2002:2.

For more information on the FTP proxy buffer overflow, see Squid Advisory 2002:1 and Bugtraq archive 257614.

For more information on the access control list bypass vulnerabilities, see Squid Advisory 2002:1, Bugtraq archive 197727, and Bugtraq archive 8551.

For more information on the proxy authentication flaw, see Bugtraq archive 33295.

For more information on the FTP PUT denial of service, see SuSE Security Announcement 2001-037, Red Hat Security Advisory 2001:113, and Bugtraq archive 215605.

For more information on other Squid vulnerabilities, see Squid Advisory 2002:1 and Red Hat Security Advisory 1999:025, and Bugtraq archive 19392.