Multiple vulnerabilities in SQUID



Published: 2020-08-28
Risk Medium
Patch available YES
Number of vulnerabilities 2
CVE ID CVE-2020-15810
CVE-2020-15811
CWE ID CWE-444
CWE-113
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe
Squid
Server applications / IDS/IPS systems, Firewalls and proxy servers

Vendor Squid-cache.org

Security Advisory

1) Inconsistent interpretation of HTTP requests

Risk: Medium

CVSSv3: 5.6 [CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2020-15810

CWE-ID: CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

Exploit availability: No

Description

The vulnerability allows a remote attacker to preform HTTP request smuggling attacks.

The vulnerability exists due to improper validation of HTTP requests. A remote authenticated attacker can send a specially crafted HTTP request to the server and smuggle arbitrary HTTP headers.

Successful exploitation of vulnerability may allow an attacker to poison HTTP cache and perform phishing attacks.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Squid: 2.5.6, 2.5.9, 2.5.stable1, 2.5.stable2, 2.5.stable3, 2.5.stable4, 2.5.stable5, 2.5.stable6, 2.5.stable7, 2.5.stable8, 2.5.stable9, 2.5.stable10, 2.5.stable11, 2.5.stable12, 2.5.stable13, 2.5.stable14, 2.6.stable1, 2.6.stable2, 2.6.stable3, 2.6.stable4, 2.6.stable5, 2.6.stable6, 2.6.stable7, 2.6.stable8, 2.6.stable9, 2.6.stable10, 2.6.stable11, 2.6.stable12, 2.6.stable13, 2.6.stable14, 2.6.stable15, 2.6.stable16, 2.6.stable17, 2.6.stable18, 2.6.stable19, 2.6.stable20, 2.6.stable21, 2.6.stable22, 2.6.stable23, 2.6.stable24, 2.7.RC2, 2.7.stable1, 2.7.stable2, 2.7.stable3, 2.7.stable4, 2.7.stable5, 2.7.STABLE6, 2.7.STABLE7, 2.7.STABLE8, 2.7.STABLE9, 3.0, 3.0.stable1, 3.0.stable2, 3.0.stable3, 3.0.stable4, 3.0.stable5, 3.0.stable6, 3.0.stable7, 3.0.stable8, 3.0.stable9, 3.0.stable10, 3.0.stable11, 3.0.stable12, 3.0.stable13, 3.0.stable14, 3.0.stable15, 3.0.stable16, 3.0.stable17, 3.0.stable18, 3.0.stable19, 3.0.stable20, 3.0.stable21, 3.0.stable22, 3.0.stable23, 3.0.stable24, 3.0.stable25, 3.0.stable26, 3.1, 3.1.0.1, 3.1.0.2, 3.1.0.3, 3.1.0.4, 3.1.0.5, 3.1.0.6, 3.1.0.7, 3.1.0.8, 3.1.0.9, 3.1.0.10, 3.1.0.11, 3.1.0.12, 3.1.0.13, 3.1.0.14, 3.1.0.15, 3.1.0.16, 3.1.0.17, 3.1.0.18, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.1.5, 3.1.5.1, 3.1.6, 3.1.7, 3.1.8, 3.1.9, 3.1.10, 3.1.11, 3.1.12, 3.1.12.1, 3.1.12.2, 3.1.12.3, 3.1.13, 3.1.14, 3.1.15, 3.1.16, 3.1.17, 3.1.18, 3.1.19, 3.1.20, 3.1.21, 3.1.22, 3.1.23, 3.2, 3.2.0.1, 3.2.0.2, 3.2.0.3, 3.2.0.4, 3.2.0.5, 3.2.0.6, 3.2.0.7, 3.2.0.8, 3.2.0.9, 3.2.0.10, 3.2.0.11, 3.2.0.12, 3.2.0.13, 3.2.0.14, 3.2.0.15, 3.2.0.16, 3.2.0.17, 3.2.0.18, 3.2.0.19, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.2.6, 3.2.7, 3.2.8, 3.2.9, 3.2.10, 3.2.11, 3.2.12, 3.2.13, 3.2.14, 3.3, 3.3.0, 3.3.0.1, 3.3.0.2, 3.3.0.3, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.3.6, 3.3.7, 3.3.8, 3.3.9, 3.3.10, 3.3.11, 3.3.12, 3.3.13, 3.3.14, 3.4, 3.4.0.1, 3.4.0.2, 3.4.0.3, 3.4.1, 3.4.2, 3.4.3, 3.4.4, 3.4.4.1, 3.4.4.2, 3.4.5, 3.4.6, 3.4.7, 3.4.8, 3.4.9, 3.4.10, 3.4.11, 3.4.12, 3.4.13, 3.4.14, 3.5, 3.5.0.1, 3.5.0.2, 3.5.0.3, 3.5.0.4, 3.5.1, 3.5.2, 3.5.3, 3.5.4, 3.5.5, 3.5.6, 3.5.7, 3.5.8, 3.5.9, 3.5.10, 3.5.11, 3.5.12, 3.5.13, 3.5.14, 3.5.15, 3.5.16, 3.5.17, 3.5.18, 3.5.19, 3.5.20, 3.5.21, 3.5.22, 3.5.23, 3.5.24, 3.5.25, 3.5.26, 3.5.27, 3.5.28, 4.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.0.8, 4.0.9, 4.0.10, 4.0.11, 4.0.12, 4.0.13, 4.0.14, 4.0.15, 4.0.16, 4.0.17, 4.0.18, 4.0.19, 4.0.20, 4.0.21, 4.0.22, 4.0.23, 4.0.24, 4.0.25, 4.1, 4.2, 4.3, 4.4, 4.5, 4.6, 4.7, 4.8, 4.9, 4.10, 4.11, 4.12, 5.0.1, 5.0.2, 5.0.3

CPE External links

https://github.com/squid-cache/squid/security/advisories/GHSA-3365-q9qx-f98m/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) HTTP response splitting

Risk: Medium

CVSSv3: 5.6 [CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2020-15811

CWE-ID: CWE-113 - Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform HTTP splitting attacks.

The vulnerability exists due to software does not corrector process CRLF character sequences. A remote authenticated attacker can send specially crafted request containing CRLF sequence and make the application to send a split HTTP response.

Successful exploitation of the vulnerability may allow an attacker perform cache poisoning attack.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Squid: 2.7.RC2, 2.7.stable1, 2.7.stable2, 2.7.stable3, 2.7.stable4, 2.7.stable5, 2.7.STABLE6, 2.7.STABLE7, 2.7.STABLE8, 2.7.STABLE9, 3.0, 3.0.stable1, 3.0.stable2, 3.0.stable3, 3.0.stable4, 3.0.stable5, 3.0.stable6, 3.0.stable7, 3.0.stable8, 3.0.stable9, 3.0.stable10, 3.0.stable11, 3.0.stable12, 3.0.stable13, 3.0.stable14, 3.0.stable15, 3.0.stable16, 3.0.stable17, 3.0.stable18, 3.0.stable19, 3.0.stable20, 3.0.stable21, 3.0.stable22, 3.0.stable23, 3.0.stable24, 3.0.stable25, 3.0.stable26, 3.1, 3.1.0.1, 3.1.0.2, 3.1.0.3, 3.1.0.4, 3.1.0.5, 3.1.0.6, 3.1.0.7, 3.1.0.8, 3.1.0.9, 3.1.0.10, 3.1.0.11, 3.1.0.12, 3.1.0.13, 3.1.0.14, 3.1.0.15, 3.1.0.16, 3.1.0.17, 3.1.0.18, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.1.5, 3.1.5.1, 3.1.6, 3.1.7, 3.1.8, 3.1.9, 3.1.10, 3.1.11, 3.1.12, 3.1.12.1, 3.1.12.2, 3.1.12.3, 3.1.13, 3.1.14, 3.1.15, 3.1.16, 3.1.17, 3.1.18, 3.1.19, 3.1.20, 3.1.21, 3.1.22, 3.1.23, 3.2, 3.2.0.1, 3.2.0.2, 3.2.0.3, 3.2.0.4, 3.2.0.5, 3.2.0.6, 3.2.0.7, 3.2.0.8, 3.2.0.9, 3.2.0.10, 3.2.0.11, 3.2.0.12, 3.2.0.13, 3.2.0.14, 3.2.0.15, 3.2.0.16, 3.2.0.17, 3.2.0.18, 3.2.0.19, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.2.6, 3.2.7, 3.2.8, 3.2.9, 3.2.10, 3.2.11, 3.2.12, 3.2.13, 3.2.14, 3.3, 3.3.0, 3.3.0.1, 3.3.0.2, 3.3.0.3, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.3.6, 3.3.7, 3.3.8, 3.3.9, 3.3.10, 3.3.11, 3.3.12, 3.3.13, 3.3.14, 3.4, 3.4.0.1, 3.4.0.2, 3.4.0.3, 3.4.1, 3.4.2, 3.4.3, 3.4.4, 3.4.4.1, 3.4.4.2, 3.4.5, 3.4.6, 3.4.7, 3.4.8, 3.4.9, 3.4.10, 3.4.11, 3.4.12, 3.4.13, 3.4.14, 3.5, 3.5.0.1, 3.5.0.2, 3.5.0.3, 3.5.0.4, 3.5.1, 3.5.2, 3.5.3, 3.5.4, 3.5.5, 3.5.6, 3.5.7, 3.5.8, 3.5.9, 3.5.10, 3.5.11, 3.5.12, 3.5.13, 3.5.14, 3.5.15, 3.5.16, 3.5.17, 3.5.18, 3.5.19, 3.5.20, 3.5.21, 3.5.22, 3.5.23, 3.5.24, 3.5.25, 3.5.26, 3.5.27, 3.5.28, 4.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.0.8, 4.0.9, 4.0.10, 4.0.11, 4.0.12, 4.0.13, 4.0.14, 4.0.15, 4.0.16, 4.0.17, 4.0.18, 4.0.19, 4.0.20, 4.0.21, 4.0.22, 4.0.23, 4.0.24, 4.0.25, 4.1, 4.2, 4.3, 4.4, 4.5, 4.6, 4.7, 4.8, 4.9, 4.10, 4.11, 4.12, 5.0.1, 5.0.2, 5.0.3

CPE External links

https://github.com/squid-cache/squid/security/advisories/GHSA-c7p8-xqhm-49wv/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.