CVE-2024-23638
SQUID-2023:11 Denial of Service in Cache Manager
In summary
Squid versions before 6.6 have a memory bug that crashes the Cache Manager when generating error pages. A trusted user can exploit this to cause unavailability by requesting specific reports.
Technical detail
An expired pointer reference in Squid's Cache Manager causes use of already-freed memory when generating error responses. A trusted client can trigger this through specific requests to the Cache Manager, leading to a process crash and service unavailability.
Summary generated and translated by AI from the official description.
Squid is a caching proxy for the Web. Due to an expired pointer reference bug, Squid prior to version 6.6 is vulnerable to a Denial of Service attack against Cache Manager error responses. This problem allows a trusted client to perform Denial of Service when generating error pages for Client Manager reports. Squid older than 5.0.5 have not been tested and should be assumed to be vulnerable. All Squid-5.x up to and including 5.9 are vulnerable. All Squid-6.x up to and including 6.5 are vulnerable. This bug is fixed by Squid version 6.6. In addition, patches addressing this problem for the stable releases can be found in Squid's patch archives. As a workaround, prevent access to Cache Manager using Squid's main access control: `http_access deny manager`.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
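As an added example (not part of the advisory or of the Squid project), a POSIX shell check for the affected version range stated above and for the `http_access deny manager` workaround in a squid.conf. The configuration fragments are constructed, and the `Squid Cache: Version` prefix of `squid -v` output is an assumption.

```shell
#!/bin/sh
# Added example, not from the advisory: is this Squid in the affected range (everything
# before 6.6) and does squid.conf carry the "http_access deny manager" workaround?

# squid_affected VERSION -> exit 0 if VERSION is older than 6.6, else 1.
# Accepts "6.5" or the first line of `squid -v` ("Squid Cache: Version 6.5", assumed).
squid_affected() {
    ver=$(printf '%s' "$1" | sed 's/^[^0-9]*//')
    major=${ver%%.*}
    case "$ver" in *.*) rest=${ver#*.}; minor=${rest%%.*} ;; *) minor=0 ;; esac
    case "$major$minor" in ''|*[!0-9]*) return 0 ;; esac   # unparseable: assume affected
    [ "$major" -lt 6 ] && return 0
    [ "$major" -eq 6 ] && [ "$minor" -lt 6 ] && return 0
    return 1
}

# manager_denied FILE -> exit 0 if the first http_access rule naming the built-in
# "manager" ACL is an unconditional deny. Squid walks http_access top-down and stops
# at the first match, so an earlier "allow localhost manager" still exposes it.
manager_denied() {
    awk '
        { sub(/#.*/, ""); gsub(/[ \t]+/, " "); sub(/^ /, ""); sub(/ $/, "") }
        !found && $1 == "http_access" && / manager( |$)/ {
            found = 1; ok = ($0 == "http_access deny manager")
        }
        END { if (found && ok) exit 0; exit 1 }
    ' "$1"
}

# Constructed squid.conf fragments (not real deployments).
DEFAULT_CONF='acl localnet src 10.0.0.0/8
http_access allow localhost manager   # stock default: local admins may query the manager
http_access deny manager
http_access allow localnet'
WORKAROUND_CONF='acl localnet src 10.0.0.0/8
http_access deny manager              # advisory workaround: nobody reaches the manager
http_access allow localnet'

# conf_manager_denied TEXT -> manager_denied on a config passed as a string
conf_manager_denied() {
    tmp=$(mktemp) || return 2
    printf '%s\n' "$1" > "$tmp"
    manager_denied "$tmp"; rc=$?
    rm -f "$tmp"
    return "$rc"
}
for v in 5.9 6.5 6.6; do squid_affected "$v" && echo "Squid $v: affected" || echo "Squid $v: fixed"; done
conf_manager_denied "$DEFAULT_CONF" || echo "default conf: Cache Manager still reachable by localhost"
conf_manager_denied "$WORKAROUND_CONF" && echo "workaround conf: Cache Manager denied"
```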
Affected products
squid-cache · squid
References
https://github.com/squid-cache/squid/commit/290ae202883ac28a48867079c2fb34c40efd382b
https://github.com/squid-cache/squid/commit/e8118a7381213f5cfcdeb4cec1d2d854bfd261c8
https://github.com/squid-cache/squid/security/advisories/GHSA-j49p-553x-48rx
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7R4KPSO3MQT3KAOZV7LC2GG3CYMCGK7H/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XWQHRDRHDM5PQTU6BHH4C5KGL37X6TVI/
https://megamansec.github.io/Squid-Security-Audit/stream-assert.html
https://security.netapp.com/advisory/ntap-20240208-0010/
http://www.squid-cache.org/Versions/v5/SQUID-2023_11.patch
http://www.squid-cache.org/Versions/v6/SQUID-2023_11.patch