[squid-users] SQUID 6.10 vulnerabilities

Alex Rousskov rousskov at measurement-factory.com
Mon Aug 19 13:07:07 UTC 2024


On 2024-08-19 07:37, Guy Tzudkevitz wrote:

> I'm running Squid on Ubuntu 22.04
> 
> I ran a vulnerability scan on this server and got a result from the 
> vendor that this version is vulnerable. See. Is there any way to fix it?

There is, but we cannot fix that scanner. Please contact the vendor that 
provided you with that scanner. As far as Squid is concerned:

* Squid v6.10 is not vulnerable to some of the vulnerabilities listed 
below. For example, Squid v6.10 is not vulnerable to "X-Forwarded-For 
Stack Overflow" and "Chunked Encoding Stack Overflow". I only checked a 
few, so I cannot give you an exact count of misleading "insight" entries 
in the dump of vulnerability names you have shared.

* No reasonable Squid build/configuration is vulnerable to most of the 
vulnerabilities listed below. For example, reasonable Squid builds 
should not enable (or, in older Squid versions, should explicitly 
disable) ESI support at ./configure time; reasonable Squid 
configurations should not enable pipeline_prefetch. Just these two 
(default in Squid v6.10!) precautions would address 15+ vulnerabilities.

* Certain Squid builds/configurations are still vulnerable to a few of 
those reported vulnerabilities because nobody volunteered Squid changes 
to address them. In most cases (e.g., ESI and pipeline_prefetch), nobody 
who can develop (or pay for) a quality fix is affected by those 
vulnerabilities. I do not know whether those vulnerabilities affect 
_your_ Squid installations. If they do, please see
https://wiki.squid-cache.org/SquidFaq/AboutSquid#how-to-add-a-new-squid-feature-enhance-of-fix-something

* IMO, Squid Project has screwed up its official response to the 
surprise publication of those vulnerabilities in 2023: AFAIK, there is 
still no concise summary of vulnerabilities remaining in the latest 
supported Squid release and their corresponding workarounds (if any). 
There is some useful info at the URL below, but it is incomplete and 
converting that info to such a summary requires significant effort:
https://github.com/squid-cache/squid/security/advisories/


HTH,

Alex.


> Vulnerability Details
> Name: Squid Multiple 0-Day Vulnerabilities (Oct 2023)
> Found On: X.X.X.X
> Insight:
> 
> The following flaws have been reported in 2021 to the vendor and seems 
> to be not fixed yet:
> 
> - Use-After-Free in TRACE Requests
> - X-Forwarded-For Stack Overflow
> - Chunked Encoding Stack Overflow
> - Use-After-Free in Cache Manager Errors
> - Memory Leak in HTTP Response Parsing
> - Memory Leak in ESI Error Processing
> - 1-Byte Buffer OverRead in RFC 1123 date/time Handling GHSA-8w9r-p88v-mmx9
> - One-Byte Buffer OverRead in HTTP Request Header Parsing
> - strlen(NULL) Crash Using Digest Authentication GHSA-254c-93q9-cp53
> - Assertion in ESI Header Handling
> - Gopher Assertion Crash
> - Whois Assertion Crash
> - RFC 2141 / 2169 (URN) Assertion Crash
> - Assertion in Negotiate/NTLM Authentication Using Pipeline Prefetching
> - Assertion on IPv6 Host Requests with --disable-ipv6
> - Assertion Crash on Unexpected 'HTTP/1.1 100 Continue' Response Header
> - Pipeline Prefetch Assertion With Double 'Expect:100-continue' Request Headers
> - Pipeline Prefetch Assertion With Invalid Headers
> - Assertion Crash in Deferred Requests
> - Assertion in Digest Authentication
> - FTP Authentication Crash
> - Assertion Crash In HTTP Response Headers Handling
> - Implicit Assertion in Stream Handling
> - Use-After-Free in ESI 'Try' (and 'Choose') Processing
> - Use-After-Free in ESI Expression Evaluation
> - Buffer Underflow in ESI GHSA-wgvf-q977-9xjg
> - Assertion in Squid 'Helper' Process Creator GHSA-xggx-9329-3c27
> - Assertion Due to 0 ESI 'when' Checking GHSA-4g88-277m-q89r
> - Assertion Using ESI's When Directive GHSA-4g88-277m-q89r
> - Assertion in ESI Variable Assignment (String)
> - Assertion in ESI Variable Assignment
> - Null Pointer Dereference In ESI's esi:include and esi:when
> 
> Note: Various GHSA advisories have been provided by the security 
> researcher but are not published / available yet.
> 
> 
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> https://lists.squid-cache.org/listinfo/squid-users
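
The two precautions named in the reply above (no ESI support at ./configure time, no pipeline_prefetch in the configuration) can be checked on a host instead of relying on a version-based scanner. The script below is an added example, not code from the reply's author or from the Squid Project. Assumptions: the function names are hypothetical, the last uncommented `pipeline_prefetch` line is taken as the effective one, files pulled in by `include` are not followed, and the sample inputs are constructed.

```shell
#!/bin/sh
# Added example: audit a Squid build and squid.conf for ESI and pipeline_prefetch.

# esi_build_state TEXT -> prints enabled | disabled | default
# TEXT is the output of `squid -v`, which lists the ./configure options.
esi_build_state() {
    case "$1" in
        *--enable-esi*)  echo enabled ;;
        *--disable-esi*) echo disabled ;;
        # No ESI flag at all: off in v6.10 per the reply above; older
        # versions needed an explicit --disable-esi, so check the version.
        *)               echo default ;;
    esac
}

# pipeline_prefetch_value FILE -> prints the configured value, 0 if absent.
# Assumption: the last uncommented directive in FILE is the effective one.
pipeline_prefetch_value() {
    awk '$1 == "pipeline_prefetch" { v = $2 }
         END { print (v == "" ? 0 : v) }' "$1"
}

# Succeeds when pipeline_prefetch is set to anything other than 0 or off.
pipeline_prefetch_enabled() {
    case "$(pipeline_prefetch_value "$1")" in
        0|off) return 1 ;;
        *)     return 0 ;;
    esac
}

# audit_squid VERSION_TEXT CONF_FILE -> one line per finding, then a count.
audit_squid() {
    findings=0
    [ "$(esi_build_state "$1")" = enabled ] &&
        { echo "FINDING: built with --enable-esi"; findings=$((findings + 1)); }
    pipeline_prefetch_enabled "$2" &&
        { echo "FINDING: pipeline_prefetch is enabled"; findings=$((findings + 1)); }
    echo "findings=$findings"
}

# Constructed sample inputs (not taken from a real host).
SAMPLE_V="Squid Cache: Version 6.10
configure options:  '--prefix=/usr' '--enable-esi' '--with-openssl'"
SAMPLE_CONF=$(mktemp)
printf '%s\n' 'http_port 3128' '# pipeline_prefetch 0' 'pipeline_prefetch 1' > "$SAMPLE_CONF"
audit_squid "$SAMPLE_V" "$SAMPLE_CONF"
```

On a real host the call would be `audit_squid "$(squid -v)" /path/to/squid.conf`, with the path adjusted to the installation.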


