#VU45957 Resource exhaustion in Squid - CVE-2020-24606


| Updated: 2020-08-25

Vulnerability identifier: #VU45957

Vulnerability risk: Low

CVSSv4.0: 1 [CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:H/E:U/U:Clear]

CVE-ID: CVE-2020-24606

CWE-ID: CWE-400

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Squid
Server applications / IDS/IPS systems, Firewalls and proxy servers

Vendor: Squid-cache.org

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly EOF in peerDigestHandleReply() function in peer_digest.cc when processing Cache Digest response messages from a trusted peer. A remote attacker who controls a trusted peer can consume all available CPU cycles and perform a denial of service (DoS) attack.

This attack is limited to Squid using cache_peer with cache digests feature.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Squid: 3.0.stable1 - 3.5.28, 4.0 - 4.12, 5.0 - 5.0.3

External links
https://github.com/squid-cache/squid/security/advisories/GHSA-vvj7-xjgq-g2jg/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Anolis OS update for squid
Anolis OS update for squid:4 (Anolis OS 8.4) module
openEuler update for squid
Amazon Linux AMI update for squid
Red Hat Enterprise Linux 8 update for the squid:4 module
Resource exhaustion in squid (Alpine package)
Red Hat Enterprise Linux 7 update for squid
Ubuntu update for squid3
OpenSUSE Linux update for squid
OpenSUSE Linux update for squid