#VU27666 Integer overflow in Squid - CVE-2020-11945


Vulnerability identifier: #VU27666

Vulnerability risk: High

CVSSv4.0: 6.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2020-11945

CWE-ID: CWE-190

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Squid
Server applications / IDS/IPS systems, Firewalls and proxy servers

Vendor: Squid-cache.org

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to an integer overflow when processing HTTP Digest Authentication tokens if memory pooling is disabled. A remote attacker can pass a specially crafted authentication nonce and execute arbitrary code on the server through the freed nonce credentials.

If memory pooling is enabled, a remote attacker can instead replay a sniffed Digest Authentication nonce to gain access to resources that are otherwise forbidden.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
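The bulletin cites CWE-190 but does not describe the affected code. The following is an added illustration, not Squid's source and not a reproduction of the bug, of the general failure mode the description points at: an unchecked counter on a credential record wraps to zero and the record is released while holders still reference it, placed beside the checked increment a maintainer would want instead. The nonce_t type, its deliberately narrow 8-bit counter and the sample values are constructed for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for an authentication nonce record.
 * The counter is 8 bits only so the wraparound shows in a short loop. */
typedef struct {
    char    value[32];
    uint8_t refs;   /* number of holders of this record */
    bool    freed;  /* set instead of calling free() so the effect is observable */
} nonce_t;

/* Unchecked increment: silently wraps 255 -> 0 (CWE-190). */
static void nonce_ref_unchecked(nonce_t *n)
{
    n->refs++;
}

/* Checked increment: refuses to take a reference the counter cannot represent. */
static bool nonce_ref_checked(nonce_t *n)
{
    if (n->refs == UINT8_MAX)
        return false;
    n->refs++;
    return true;
}

/* Release one holder; the record is freed when the count reaches zero.
 * A count already at zero is treated as "nobody holds it" and freed too,
 * which is exactly what turns a wrapped counter into a premature free. */
static void nonce_unref(nonce_t *n)
{
    if (n->refs == 0 || --n->refs == 0)
        n->freed = true;
}

/* Take k references via the unchecked path, then release one.
 * Returns true when the record is freed although k holders remain. */
bool unchecked_premature_free(unsigned k)
{
    nonce_t n = { "constructed-nonce-value", 1, false }; /* 1 = the table's own reference */
    for (unsigned i = 0; i < k; i++)
        nonce_ref_unchecked(&n);
    nonce_unref(&n);
    return n.freed;
}

/* Take k references via the checked path and count how many were refused. */
unsigned checked_refused(unsigned k)
{
    nonce_t n = { "constructed-nonce-value", 1, false };
    unsigned refused = 0;
    for (unsigned i = 0; i < k; i++)
        if (!nonce_ref_checked(&n))
            refused++;
    return refused;
}

int main(void)
{
    printf("unchecked, 255 extra holders, one release -> freed: %s\n",
           unchecked_premature_free(255) ? "yes (premature free)" : "no");
    printf("checked, 300 holders requested -> refused: %u\n", checked_refused(300));
    return 0;
}
```

With the unchecked counter, 255 additional holders push the 8-bit count from 1 to 0, and the very next release frees the record out from under every remaining holder; with the checked counter, requests beyond the representable maximum are refused (46 of 300 here) and the record stays alive.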


Mitigation
Install updates from vendor's website.

Vulnerable software versions

Squid: 2.0.release - 2.0.patch2, 2.1.release - 2.1.pre4, 2.2.stable1 - 2.2.pre2, 2.3.stable1 - 2.3, 2.4.stable1 - 2.4_9, 2.5.stable1 - 2.5.9, 2.6.stable1 - 2.6, 2.7.stable1 - 2.7, 3.0.stable1 - 3.5.28, 4.0 - 4.10, 5.0 - 5.0.1


External links
https://master.squid-cache.org/Versions/v4/changesets/squid-4-eeebf0f37a72a2de08348e85ae34b02c34e9a811.patch
https://www.openwall.com/lists/oss-security/2020/04/23/2
https://www.squid-cache.org/Versions/v4/changesets/squid-4-eeebf0f37a72a2de08348e85ae34b02c34e9a811.patch
https://bugzilla.suse.com/show_bug.cgi?id=1170313
https://github.com/squid-cache/squid/commit/eeebf0f37a72a2de08348e85ae34b02c34e9a811
https://github.com/squid-cache/squid/pull/585
https://www.debian.org/security/2020/dsa-4682
https://www.squid-cache.org/Advisories/SQUID-2020_4.txt


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
