Multiple versions of the Squid web proxy cache server built with basic authentication features are vulnerable to code execution and denial-of-service (DoS) attacks due to the exploitation of a heap buffer overflow security flaw.
The vulnerability is present in Squid versions 4.0.23 to 4.7 and is caused by incorrect buffer management which provides vulnerable installations to a heap overflow and possible remote code execution attack when processing HTTP Authentication credentials.
While checking the Basic Authentication, Squid uses a global buffer to store the decoded data. But they do not check that the decoded length is not greater than the buffer, leading to a heap-based buffer overflow with user-controlled data.
The vulnerability was patched by the web proxy’s development team by releasing Squid 4.8 on July 9.
According to the Trend Micro research team, the flaw which has been dubbed as CVE-2019-12527 could be easily exploited by remote unauthenticated attackers by sending a specially crafted HTTP request to any targeted server. On successful exploitation this can lead to either execute arbitrary code or to cause Squid to crash, activating a DoS state.
After patching the issue has been limited to traffic accessing the Squid Cache Manager reports or using the FTP protocol gateway. Only unpatched Squid-4.0.23 up to and including 4.7 built with Basic Authentication features are vulnerable to attacks.
Even though the vulnerability was patched, out of a total 2,776,255 of exposed Squid servers found using the Shodan search engine, 31,576 are still running 4.7 (the last vulnerable version), and only 1,956 were upgraded to the 4.8 patched release.
The Squid 4.8 release also patched a critical flaw that has been dubbed as CVE-2019-12525 found in Squid 3.3.9 through 3.5.28 and 4.x through 4.7, and the medium severity flaw CVE-2019-12529 present in Squid 2.x through 2.7.STABLE9, 3.x through 3.5.28, and 4.x through 4.7.
Remote attackers who would exploit any of these two Squid security flaws can cause the target Squid servers to crash, triggering a DoS state for all clients using the proxy.
Squid is a high-performance proxy caching server for web clients, supporting FTP, gopher and HTTP data objects. It can handle all requests in a single, non-blocking, I/O-driven process over IPv4 or IPv6. Squid keeps meta data and objects cached in RAM, caches DNS lookups, supports non-blocking DNS lookups, and implements negative caching of failed requests.