Squid patches security flaws

guest · May 12, 2020

Squid patches security flaws in HTTP digest authentication
Vulnerabilities have lain undiscovered since 2001
May 12, 2020
https://portswigger.net/daily-swig/squid-patches-security-flaws-in-http-digest-authentication

Squid, the open source web proxy, has patched a trio of security vulnerabilities in HTTP digest authentication, with one critical flaw potentially allowing attackers to mount man-in-the-middle attacks.
Squid-in-the-Middle
The critical, use-after-free flaw (CVE-2020-11945) leaves Squid open to credential replay and remote code execution attacks against HTTP digest authentication tokens.

In a blog post published on May 4, Berthaux and Guilbert recounted the discovery of a “pretty dangerous”, 16-bit integer being used as a nonce reference counter.
“Moreover,” Berthaux added, “lots of companies enable the SslBump (aka SSL/TLS interception) feature in Squid for caching or security purposes.

“In this configuration, an attacker would be able to eavesdrop and alter all the communications between the company users and the Internet, even those using HTTPS.”
Click to expand...

Information disclosure
The information disclosure vulnerability (CVE-2019-18679) arose because nonce tokens contained the raw byte value of a pointer found within heap memory allocation.

The related Squid advisory says that without Squid’s mempools feature enabled, which limits the leak to FTP directory listings, an exploit could leak “anything from the heap area”.
Click to expand...

guest · Sep 5, 2020

Squid proxy addresses web cache poisoning vulnerability with latest release
Now-patched flaw allowed attacker to poison downstream caches
September 4, 2020
https://portswigger.net/daily-swig/...e-poisoning-vulnerability-with-latest-release

A new version of the open source Squid caching proxy has been released, complete with mitigations against a security flaw that could allow an attacker to embark on web cache poisoning campaigns.

“Due to incorrect data validation, Squid is vulnerable to HTTP request splitting attacks against HTTP and HTTPS traffic,” the project maintainers warned in a recent advisory.
“This allows an attacker to hide a second request inside Transfer-Encoding,” the CVE advisory explains.

The vulnerability was given a high CVSS rating of 9.3, as it allows any client – including browser scripts – to bypass local security mechanisms and poison the browser cache and any downstream caches with content from an arbitrary source.
Click to expand...

Three’s a charm
The web cache poisoning issue has been fixed in the latest version of Squid (4.13), along with the latest beta build (5.0.4).
Regilero said he is working on a technical write-up of his discovery, which is the third Squid security bug he has disclosed over recent months.
Click to expand...

Log in or Sign up

Squid patches security flaws

guest Guest

guest Guest

Log in or Sign up

Squid patches security flaws

guest Guest

guest Guest

Useful Searches