CVE-2023-46724: SQUID-2023:4 Denial of Service in SSL Certificate validation
Squid is a caching proxy for the Web. Due to an Improper Validation of Specified Index bug, Squid versions 3.3.0.1 through 5.9 and 6.0 prior to 6.4 compiled using --with-openssl
are vulnerable to a Denial of Service attack against SSL Certificate validation. This problem allows a remote server to perform Denial of Service against Squid Proxy by initiating a TLS Handshake with a specially crafted SSL Certificate in a server certificate chain. This attack is limited to HTTPS and SSL-Bump. This bug is fixed in Squid version 6.4. In addition, patches addressing this problem for the stable releases can be found in Squid's patch archives. Those who use a prepackaged version of Squid should refer to the package vendor for availability information on updated packages.
Due to an Improper Validation of Specified Index
bug Squid is vulnerable to a Denial of Service
attack against SSL Certificate validation.
Severity:
This problem allows a remote server to perform Denial of
Service against Squid Proxy by initiating a TLS Handshake with
a specially crafted SSL Certificate in a server certificate
chain.
This attack is limited to HTTPS and SSL-Bump.
CVSS Score of 8.6
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H&version=3.1
Updated Packages:
This bug is fixed by Squid version 6.4.
In addition, patches addressing this problem for the stable
releases can be found in our patch archives:
Squid 5:
http://www.squid-cache.org/Versions/v5/SQUID-2023_4.patch
Squid 6:
http://www.squid-cache.org/Versions/v6/SQUID-2023_4.patch
If you are using a prepackaged version of Squid then please refer
to the package vendor for availability information on updated
packages.
Determining if your version is vulnerable:
All Squid older than 3.3.0.1 are not vulnerable.
All Squid-3.3 up to and including 3.4.14 compiled without
--enable-ssl are not vulnerable.
All Squid-3.3 up to and including 3.4.14 compiled using
--enable-ssl are vulnerable.
All Squid-3.5 up to and including 3.5.28 compiled without
--with-openssl are not vulnerable.
All Squid-3.5 up to and including 3.5.28 compiled using
--with-openssl are vulnerable.
All Squid-4.x up to and including 4.16 compiled without
--with-openssl are not vulnerable.
All Squid-4.x up to and including 4.16 compiled using
--with-openssl are vulnerable.
All Squid-5.x up to and including 5.9 compiled without
--with-openssl are not vulnerable.
All Squid-5.x up to and including 5.9 compiled using
--with-openssl are vulnerable.
All Squid-6.x up to and including 6.3 compiled without
--with-openssl are not vulnerable.
All Squid-6.x up to and including 6.3 compiled using
--with-openssl are vulnerable.
Workaround:
Either,
Disable use of SSL-Bump features:
- Remove all ssl-bump options from http_port and https_port
- Remove all ssl_bump directives from squid.conf
Or,
Rebuild Squid using --without-openssl.
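The version table and the workaround above can be turned into a quick exposure check for an installed proxy. This is an added example, not code from the Squid project: it takes the text of `squid -v` (version line plus configure options) and the contents of squid.conf, applies the advisory's version and build-flag ranges, and reports whether SSL-Bump is actually configured. The sample `squid -v` output and squid.conf fragment are constructed for illustration.

```python
import re

# Constructed sample `squid -v` output and squid.conf fragment (not from the advisory).
SAMPLE_SQUID_V = ("Squid Cache: Version 5.7\nService Name: squid\n"
                  "configure options:  '--prefix=/usr' '--with-openssl' '--enable-ssl-crtd'\n")
SAMPLE_CONF = ("http_port 3128 ssl-bump cert=/etc/squid/bump.pem\n#ssl_bump peek all\n"
               "ssl_bump stare all\nssl_bump bump all\nacl localnet src 10.0.0.0/8\n")
FIRST_AFFECTED, FIRST_FIXED = (3, 3, 0, 1), (6, 4, 0, 0)  # ranges from the advisory table

def parse_version(squid_v_output):
    """Return the version as a 4-tuple, e.g. 'Version 3.3.0.1' -> (3, 3, 0, 1)."""
    m = re.search(r"Version\s+(\d+(?:\.\d+){1,3})", squid_v_output)
    if not m:
        raise ValueError("no 'Version x.y' line found in squid -v output")
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def has_build_flag(configure_opts, flag):
    """True if `flag` is present as a whole configure option (flag=value allowed)."""
    pattern = r"(?<![\w-])" + re.escape(flag) + r"(?=$|[\s'\"=])"
    return re.search(pattern, configure_opts) is not None

def is_vulnerable(version, configure_opts):
    """Affected release built with OpenSSL: 3.3/3.4 use --enable-ssl, 3.5+ use --with-openssl."""
    if not (FIRST_AFFECTED <= version < FIRST_FIXED):
        return False
    flag = "--enable-ssl" if version < (3, 5, 0, 0) else "--with-openssl"
    return has_build_flag(configure_opts, flag)

def ssl_bump_lines(conf_text):
    """Active squid.conf lines enabling SSL-Bump: ssl_bump directives and
    http_port/https_port lines carrying the ssl-bump option (comments ignored)."""
    hits = []
    for line in conf_text.splitlines():
        s = line.strip()
        if s.startswith("#"):
            continue
        words = s.split()
        if words and (words[0] == "ssl_bump" or
                      (words[0] in ("http_port", "https_port") and "ssl-bump" in words)):
            hits.append(s)
    return hits

def assess(squid_v_output, conf_text):
    """Exposed = vulnerable build AND SSL-Bump actually configured."""
    version = parse_version(squid_v_output)
    bad_build = is_vulnerable(version, squid_v_output)
    bump = ssl_bump_lines(conf_text)
    return {"version": version, "vulnerable_build": bad_build,
            "ssl_bump_lines": bump, "exposed": bad_build and bool(bump)}
```

A build that is vulnerable but has no SSL-Bump lines matches the advisory's first workaround; the returned `ssl_bump_lines` are exactly the directives that workaround tells you to remove.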
Contact details for the Squid project:
For installation / upgrade support on binary packaged versions
of Squid: Your first point of contact should be your binary
package vendor.
If you install and build Squid from the original Squid sources
then the [email protected] mailing list is your
primary support point. For subscription details see
http://www.squid-cache.org/Support/mailing-lists.html.
For reporting of non-security bugs in the latest STABLE release
the squid bugzilla database should be used
https://bugs.squid-cache.org/.
For reporting of security sensitive bugs send an email to the
[email protected] mailing list. It’s a closed
list (though anyone can post) and security related bug reports
are treated in confidence until the impact has been established.
Credits:
This vulnerability was discovered by Joshua Rogers of Opera
Software.
Fixed by Andreas Weigel
Revision history:
2023-10-12 11:53:02 UTC Initial Report
END