CVE-2009-2855
Published 2009-08-18
Priority: P4 · CVSS 2.0: 5.0 (medium) · Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
EPSS: 36.73% (98.3rd percentile)
The strListGetItem function in src/HttpHeaderTools.c in Squid 2.7 allows remote attackers to cause a denial of service via a crafted auth header with certain comma delimiters that trigger an infinite loop of calls to the strcspn function.
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | squid | < 2.7.STABLE7-1 (bookworm) | 2.7.STABLE7-1 (bookworm) |
| squid-cache | squid | — | — |
| squid | squid | >= 0, < 2.7.STABLE7-1 | 2.7.STABLE7-1 |
Detection & IOCs (extracted from sources)
- The vulnerability is triggered through the external_acl_type directive's %{header:member} format when the member separator is not a comma. Audit Squid configurations for external_acl_type entries that extract a header member with a non-comma delimiter (e.g. %{Test:;test}); those configurations expose the infinite loop.
- A crafted HTTP request header with comma-delimited values, sent to a Squid proxy configured for external_acl_type header extraction, drives the process into an infinite strcspn loop at 100% CPU. Sustained 100% CPU on a Squid process is an indicator of exploitation.
- The vulnerable code path is strListGetItem() in src/HttpHeaderTools.c. Patch it, or audit that function for loop iterations that make no progress when the header contains a delimiter other than the configured one.
- A minimal squid.conf that exposes the bug: external_acl_type test %{Test:;test} /path/to/helper, with an acl referencing it. Any Squid instance with such a config can be stalled by a request carrying a header like Test: a, b, test=test.
- Only Squid 2.7 is confirmed affected; 2.6 and earlier releases that already had external_acl_type header extraction are likely affected too. The squid packages in Red Hat Enterprise Linux 3 and 4 and in Fedora 10 and 11 are not affected.
- Fixed in Squid 2.7.STABLE7-1 (Debian); the upstream fix is Squid-2.HEAD changeset 12541. Confirm the deployed version is patched rather than relying on detection alone.
- The trigger is most often external_acl_type extracting Cookie or custom headers with a non-comma delimiter, not only auth headers as the CVE description suggests.
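The loop the IOCs describe, as an added illustration that is not Squid's code or the page's: a reconstruction in C of the pre-fix strListGetItem() loop beside the corrected one, both run over the PoC header value with the ';' separator that %{Test:;test} configures. The function names, the zero-progress guard that returns -1 where real Squid would hang, and the sample header values are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

typedef int (*get_item_fn)(const char *, char, const char **, int *, const char **);

/* Model of the pre-fix strListGetItem() loop (Squid 2.7, CVE-2009-2855).
 * Illustrative reconstruction, not Squid's code. The unquoted delimiter set
 * holds '"', the caller's `del` and ',', but the loop only stops on `del`:
 * a ',' when del is ';' makes strcspn() return 0 with nothing advancing
 * *pos. Real Squid spins forever; this model returns -1 on zero progress. */
static int get_item_vuln(const char *s, char del, const char **item,
                         int *ilen, const char **pos)
{
    char delim[2][4] = { "\"?,", "\"\\" };
    int quoted = 0;
    delim[0][1] = del;

    if (*pos) {
        if (!**pos) return 0;       /* end of string */
        (*pos)++;                   /* step over the previous delimiter */
    } else {
        *pos = s;
    }
    while (**pos == ' ') (*pos)++;  /* ltrim */
    *item = *pos;

    do {
        const char *before = *pos;
        *pos += strcspn(*pos, delim[quoted]);
        if (**pos == del) break;
        if (**pos == '"') { quoted = !quoted; (*pos)++; }
        if (quoted && **pos == '\\') { (*pos)++; if (**pos) (*pos)++; }
        if (*pos == before && **pos) return -1;   /* stuck on a ',' != del */
    } while (**pos);

    *ilen = (int)(*pos - *item);
    while (*ilen > 0 && (*item)[*ilen - 1] == ' ') (*ilen)--;   /* rtrim */
    return *ilen > 0;
}

/* Model of the corrected loop: any delimiter character ends the value, and
 * ',' stays a delimiter because merged header values use it even when the
 * configured member separator is ';' (Cookie style). */
static int get_item_fixed(const char *s, char del, const char **item,
                          int *ilen, const char **pos)
{
    char delim[3][8] = { "\"?,", "\"\\", " ?," };
    int quoted = 0;
    delim[0][1] = del;
    delim[2][1] = del;

    if (!*pos) *pos = s;
    *pos += strspn(*pos, delim[2]);     /* skip leading ws and delimiters */
    *item = *pos;

    do {
        *pos += strcspn(*pos, delim[quoted]);
        if (**pos == '"') { quoted = !quoted; (*pos)++; }
        else if (quoted && **pos == '\\') { (*pos)++; if (**pos) (*pos)++; }
        else break;                     /* delimiter or end of string */
    } while (**pos);

    *ilen = (int)(*pos - *item);
    while (*ilen > 0 && (*item)[*ilen - 1] == ' ') (*ilen)--;
    return *ilen > 0;
}

/* Count the members a parser yields for a header value; -1 if it stalls. */
static int count_members(get_item_fn fn, const char *hdr, char del)
{
    const char *item, *pos = NULL;
    int ilen, rc, n = 0;
    while ((rc = fn(hdr, del, &item, &ilen, &pos)) != 0) {
        if (rc < 0) return -1;
        n++;
    }
    return n;
}

/* What %{Header:<del>name} extracts with the fixed parser: the value of the
 * `name=` member, copied into out. Returns 1 if found, else 0. */
static int find_member(const char *hdr, char del, const char *name,
                       char *out, size_t outsz)
{
    const char *item, *pos = NULL;
    int ilen;
    size_t nl = strlen(name);
    while (get_item_fixed(hdr, del, &item, &ilen, &pos)) {
        if ((size_t)ilen > nl && strncmp(item, name, nl) == 0 && item[nl] == '=') {
            size_t vl = (size_t)ilen - nl - 1;
            if (vl >= outsz) vl = outsz - 1;
            memcpy(out, item + nl + 1, vl);
            out[vl] = '\0';
            return 1;
        }
    }
    return 0;
}

int main(void)
{
    /* Constructed header value from the PoC request "Test: a, b, test=test". */
    const char *hdr = "a, b, test=test";
    char val[32];
    printf("vulnerable parser, del=';': %d members\n", count_members(get_item_vuln, hdr, ';'));
    printf("fixed parser,      del=';': %d members\n", count_members(get_item_fixed, hdr, ';'));
    if (find_member(hdr, ';', "test", val, sizeof val))
        printf("member test=%s\n", val);
    return 0;
}
```

With the configured separator set to ',' both parsers agree; with ';' the vulnerable loop reports a stall on the first ',' while the corrected loop returns the three members and the `test` value the helper would receive.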
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P |
| osv | — | 5.0 | MEDIUM | — |
| vendor_debian | — | 5.0 | LOW | — |
| vendor_redhat | — | 5.0 | MEDIUM | — |
| vendor_ubuntu | — | 5.0 | MEDIUM | — |
Ubuntu
Squid vulnerabilities
vendor_ubuntu · 2010-02-16 · CVSS 5.0 [MEDIUM]
It was discovered that Squid incorrectly handled certain auth headers. A
remote attacker could exploit this with a specially-crafted auth header
and cause Squid to go into an infinite loop, resulting in a denial of
service. This issue only affected Ubuntu 8.10, 9.04 and 9.10.
(CVE-2009-2855)
It was discovered that Squid incorrectly handled certain DNS packets. A
remote attacker could exploit this with a specially-crafted DNS packet
and cause Squid to crash, resulting in a denial of service. (CVE-2010-0308)
Instructions: In general, a standard system upgrade is sufficient to effect the
necessary changes.
Red Hat
squid: DoS (100% CPU use) while processing certain external ACL helper HTTP headers
vendor_redhat · 2009-06-28 · CVSS 5.0 [MEDIUM]
Statement: This issue did not affect the versions of the squid packages, as shipped with Red Hat Enterprise Linux 3 and 4.
Debian
CVE-2009-2855: squid
vendor_debian · 2009 · CVSS 5.0 [MEDIUM]
Scope: local
bookworm: resolved (fixed in 2.7.STABLE7-1)
bullseye: resolved (fixed in 2.7.STABLE7-1)
forky: resolved (fixed in 2.7.STABLE7-1)
sid: resolved (fixed in 2.7.STABLE7-1)
trixie: resolved (fixed in 2.7.STABLE7-1)
GHSA
GHSA-7hrp-6jq3-pm4q
ghsa_unreviewed · 2022-05-02 · [MEDIUM] · CWE-20
OSV
CVE-2009-2855
osv · 2009-08-18 · CVSS 5.0 [MEDIUM]
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2009-2855 squid: DoS (100% CPU use) while processing certain external ACL helper HTTP headers
bugzilla · 2009-08-19 · CVSS 5.0 [MEDIUM]
A denial of service flaw was found in the way Squid used to process certain external ACL helper HTTP-Header fields (%{header:member}), where the member separator is not a comma. A remote attacker could use this flaw to cause excessive CPU use by issuing such a request to the Squid server.
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-2855 to this vulnerability:
The strListGetItem function in src/HttpHeaderTools.c in Squid 2.7 allows remote attackers to cause a denial of service via a crafted auth header with certain comma delimiters that trigger an infinite loop of calls to the strcspn function.
References:
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2855
[2] http://www.o
Bugzilla
squid DoS in external auth header parser
bugzilla · 2009-07-06 · CVSS 5.0 [MEDIUM]
A DoS condition in squid was reported [1] in the Debian bug tracker where certain headers using defined delimiters (such as ','), and used by either external authentication or access log formats that include parts of the headers with delimiters, could cause squid to crash. Configuration details and gdb output are included in the Debian bug.
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=534982
Discussion:
This is now noted upstream:
http://www.squid-cache.org/bugs/show_bug.cgi?id=2704
No additional information or response from upstream as of yet.
---
This is CVE-2009-2855.
*** This bug has been marked as a duplicate of bug 518182 ***
References
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=534982
- http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=31%3Bfilename=diff%3Batt=1%3Bbug=534982
- http://www.openwall.com/lists/oss-security/2009/07/20/10
- http://www.openwall.com/lists/oss-security/2009/08/03/3
- http://www.openwall.com/lists/oss-security/2009/08/04/6
- http://www.securityfocus.com/bid/36091
- http://www.securitytracker.com/id?1022757
- http://www.squid-cache.org/bugs/show_bug.cgi?id=2541
- http://www.squid-cache.org/bugs/show_bug.cgi?id=2704
- https://bugzilla.redhat.com/show_bug.cgi?id=518182
- https://exchange.xforce.ibmcloud.com/vulnerabilities/52610
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10592
Published: 2009-08-18