Web Servers : Squid Multiple 0-Day Vulnerabilities (Oct 2023)

Vulnerability Search		Search 324607 CVE descriptions and 145615 test descriptions, access 10,000+ cross references.
	Tests CVE All

Test ID: 1.3.6.1.4.1.25623.1.0.100439

Category: Web Servers

Title: Squid Multiple 0-Day Vulnerabilities (Oct 2023)

Summary: Squid is prone to multiple zero-day (0-day) vulnerabilities.

Description: Summary:
Squid is prone to multiple zero-day (0-day) vulnerabilities.

Vulnerability Insight:
The following flaws have been reported in 2021 to the vendor and
seems to be not fixed yet:

- One-Byte Buffer OverRead in HTTP Request Header Parsing

- strlen(NULL) Crash Using Digest Authentication GHSA-254c-93q9-cp53

- Gopher Assertion Crash

- Whois Assertion Crash

- RFC 2141 / 2169 (URN) Assertion Crash

- Assertion in Negotiate/NTLM Authentication Using Pipeline Prefetching

- Assertion on IPv6 Host Requests with --disable-ipv6

- Assertion Crash on Unexpected 'HTTP/1.1 100 Continue' Response Header

- Pipeline Prefetch Assertion With Double 'Expect:100-continue' Request Headers

- Pipeline Prefetch Assertion With Invalid Headers

- Assertion Crash in Deferred Requests

- Assertion in Digest Authentication

- FTP Authentication Crash

- Assertion Crash In HTTP Response Headers Handling

- Implicit Assertion in Stream Handling

Note: One GHSA advisory has been provided by the security researcher but is not published /
available yet.

Affected Software/OS:
As of 10/2024 the situation about the versions affected by the
previous listed vulnerabilities is largely unclear (The security researcher only stated that all
vulnerabilities were discovered in squid-5.0.5 and the vendor only published a few advisories so
far).

Due to this unclear situation all Squid versions are currently assumed to be vulnerable by the not
yet fixed flaws.

Solution:
No known solution was made available for at least one year
since the disclosure of this vulnerability. Likely none will be provided anymore. General solution
options are to upgrade to a newer release, disable respective features, remove the product or
replace the product by another one.

Notes:

- It seems that some of the flaws could be mitigated by workarounds (listed in the referenced
GitHub Gist) via either configuration changes and/or by disabling some features / functionality
of Squid during build time

- If only these workarounds have been applied and the risk is accepted that these workarounds
might not fully mitigate the relevant flaw(s) please create an override for this result

CVSS Score:
5.0

CVSS Vector:
AV:N/AC:L/Au:N/C:N/I:N/A:C

Copyright Copyright (C) 2023 Greenbone AG

This is only one of 145615 vulnerability tests in our test suite. Find out more about running a complete security audit.
To run a free test of this vulnerability against your system, register below.

Test ID:	1.3.6.1.4.1.25623.1.0.100439
Category:	Web Servers
Title:	Squid Multiple 0-Day Vulnerabilities (Oct 2023)
Summary:	Squid is prone to multiple zero-day (0-day) vulnerabilities.
Description:	Summary: Squid is prone to multiple zero-day (0-day) vulnerabilities. Vulnerability Insight: The following flaws have been reported in 2021 to the vendor and seems to be not fixed yet: - One-Byte Buffer OverRead in HTTP Request Header Parsing - strlen(NULL) Crash Using Digest Authentication GHSA-254c-93q9-cp53 - Gopher Assertion Crash - Whois Assertion Crash - RFC 2141 / 2169 (URN) Assertion Crash - Assertion in Negotiate/NTLM Authentication Using Pipeline Prefetching - Assertion on IPv6 Host Requests with --disable-ipv6 - Assertion Crash on Unexpected 'HTTP/1.1 100 Continue' Response Header - Pipeline Prefetch Assertion With Double 'Expect:100-continue' Request Headers - Pipeline Prefetch Assertion With Invalid Headers - Assertion Crash in Deferred Requests - Assertion in Digest Authentication - FTP Authentication Crash - Assertion Crash In HTTP Response Headers Handling - Implicit Assertion in Stream Handling Note: One GHSA advisory has been provided by the security researcher but is not published / available yet. Affected Software/OS: As of 10/2024 the situation about the versions affected by the previous listed vulnerabilities is largely unclear (The security researcher only stated that all vulnerabilities were discovered in squid-5.0.5 and the vendor only published a few advisories so far). Due to this unclear situation all Squid versions are currently assumed to be vulnerable by the not yet fixed flaws. Solution: No known solution was made available for at least one year since the disclosure of this vulnerability. Likely none will be provided anymore. General solution options are to upgrade to a newer release, disable respective features, remove the product or replace the product by another one. Notes: - It seems that some of the flaws could be mitigated by workarounds (listed in the referenced GitHub Gist) via either configuration changes and/or by disabling some features / functionality of Squid during build time - If only these workarounds have been applied and the risk is accepted that these workarounds might not fully mitigate the relevant flaw(s) please create an override for this result CVSS Score: 5.0 CVSS Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Copyright	Copyright (C) 2023 Greenbone AG