CVE-2014-0128
published 2014-04-14CVE-2014-0128: Squid 3.1 before 3.3.12 and 3.4 before 3.4.4, when SSL-Bump is enabled, allows remote attackers to cause a denial of service (assertion failure) via a crafted…
PriorityP335medium5CVSS 2.0
AVNACLAuNCNINAP
EPSS
32.63%
98.1th percentile
Squid 3.1 before 3.3.12 and 3.4 before 3.4.4, when SSL-Bump is enabled, allows remote attackers to cause a denial of service (assertion failure) via a crafted range request, related to state management.
Affected
88 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | squid | — | — |
| opensuse | opensuse | — | — |
| squid-cache | squid | — | — |
| squid-cache | squid | — | — |
| squid-cache | squid | — | — |
| squid-cache | squid | — | — |
| squid-cache | squid | — | — |
| squid-cache | squid | — | — |
| squid-cache | squid | — | — |
| squid-cache | squid | — | — |
| squid-cache | squid | — | — |
| squid-cache | squid | — | — |
| squid-cache | squid | — | — |
| squid-cache | squid | — | — |
| squid-cache | squid | — | — |
| squid-cache | squid | — | — |
| squid-cache | squid | — | — |
| squid-cache | squid | — | — |
| squid-cache | squid | — | — |
| squid-cache | squid | — | — |
| squid-cache | squid | — | — |
| squid-cache | squid | — | — |
| squid-cache | squid | — | — |
| squid-cache | squid | — | — |
| squid-cache | squid | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →The vulnerability is only exploitable when SSL-Bump is enabled on Squid. Detection should focus on Squid instances with SSL-Bump active receiving crafted HTTP Range requests that trigger an assertion failure/crash. ↗
- →Monitor Squid process logs for assertion failures; a crash/assertion in Squid with SSL-Bump enabled is a strong indicator of exploitation attempts. ↗
- →Squid versions 3.1 through 3.3.11 and 3.4 through 3.4.3 are vulnerable; versions 3.0 and older and version 2 are not affected. Use version fingerprinting to identify exposed instances. ↗
- ·The vulnerability only exists when SSL-Bump is enabled. Disabling SSL-Bump entirely removes the attack surface. ↗
- ·A partial mitigation is to add 'ssl_bump none' rules at the top of ssl_bump configuration to disable SSL-Bump for affected clients without fully removing the feature. ↗
- ·Red Hat Enterprise Linux 5 shipped Squid without SSL-Bump support and is therefore not affected; RHEL 6 was addressed via RHSA-2014:0597. ↗
CVSS provenance
nvdv2.05.0MEDIUMAV:N/AC:L/Au:N/C:N/I:N/A:P
osv5.0MEDIUM
vendor_debian5.0LOW
vendor_redhat5.0MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-m2w9-x6qf-9vf9: Squid 3
ghsa_unreviewed·2022-05-14
CVE-2014-0128 [MEDIUM] CWE-20 GHSA-m2w9-x6qf-9vf9: Squid 3
Squid 3.1 before 3.3.12 and 3.4 before 3.4.4, when SSL-Bump is enabled, allows remote attackers to cause a denial of service (assertion failure) via a crafted range request, related to state management.
OSV
CVE-2014-0128: Squid 3
osv·2014-04-14·CVSS 5.0
CVE-2014-0128 [MEDIUM] CVE-2014-0128: Squid 3
Squid 3.1 before 3.3.12 and 3.4 before 3.4.4, when SSL-Bump is enabled, allows remote attackers to cause a denial of service (assertion failure) via a crafted range request, related to state management.
Red Hat
squid: denial of service when using SSL-Bump
vendor_redhat·2014-03-09·CVSS 5.0
CVE-2014-0128 [MEDIUM] squid: denial of service when using SSL-Bump
squid: denial of service when using SSL-Bump
Squid 3.1 before 3.3.12 and 3.4 before 3.4.4, when SSL-Bump is enabled, allows remote attackers to cause a denial of service (assertion failure) via a crafted range request, related to state management.
Statement: This issue did not affect the versions of squid as shipped with Red Hat Enterprise Linux 5 as they did not include support for SSL-bump.
Mitigation: To work-around this issue, disable SSL-bump for clients affected by adding "ssl_bump none" rule(s) at the top of the ssl_bump configuration directives. Alternatively, disable the SSL-bump feature completely by removing the "ssl-bump" option from all http_port and/or https_port configuration directives.
Package: squid (Red Hat Enterprise Linux 5) - Not affected
Package: squid (Red Hat
Debian
CVE-2014-0128: squid - Squid 3.1 before 3.3.12 and 3.4 before 3.4.4, when SSL-Bump is enabled, allows r...
vendor_debian·2014·CVSS 5.0
CVE-2014-0128 [MEDIUM] CVE-2014-0128: squid - Squid 3.1 before 3.3.12 and 3.4 before 3.4.4, when SSL-Bump is enabled, allows r...
Squid 3.1 before 3.3.12 and 3.4 before 3.4.4, when SSL-Bump is enabled, allows remote attackers to cause a denial of service (assertion failure) via a crafted range request, related to state management.
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved
sid: resolved
trixie: resolved
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2014-0128 squid: denial of service when using SSL-Bump
bugzilla·2014-03-11·CVSS 5.0
CVE-2014-0128 [MEDIUM] CVE-2014-0128 squid: denial of service when using SSL-Bump
CVE-2014-0128 squid: denial of service when using SSL-Bump
A denial of service flaw was found in Squid when SSL-Bump[1] was used. When SSL-Bump is enabled, an attacker could send crafted requests that would cause Squid to crash with an assertion.
This issue affects versions 3.1 and later. Versions 3.0 and older, and version 2, are not vulnerable. The issue was fixed in versions 3.3.12 and 3.4.4.
[1] http://wiki.squid-cache.org/Features/SslBump
Upstream patches:
http://www.squid-cache.org/Versions/v3/3.3/changesets/squid-3.3-12677.patch
http://www.squid-cache.org/Versions/v3/3.4/changesets/squid-3.4-13104.patch
Acknowledgements:
Red Hat would like to thank the Squid project for reporting this issue. Upstream acknowledges Mathias Fischer and Fabian Hugelshofer from Open Systems AG as t
Bugzilla
CVE-2014-0128 squid: denial of service when using SSL-Bump [fedora-all]
bugzilla·2014-03-11·CVSS 5.0
CVE-2014-0128 [MEDIUM] CVE-2014-0128 squid: denial of service when using SSL-Bump [fedora-all]
CVE-2014-0128 squid: denial of service when using SSL-Bump [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please use the bodhi submission link
noted in the next comment(s). This will include the bug IDs of this
tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
Bodhi notes field when available.
Please note: this issue affects m
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00010.htmlhttp://lists.opensuse.org/opensuse-security-announce/2016-08/msg00040.htmlhttp://lists.opensuse.org/opensuse-updates/2014-04/msg00030.htmlhttp://lists.opensuse.org/opensuse-updates/2014-04/msg00060.htmlhttp://secunia.com/advisories/57288http://secunia.com/advisories/57889http://www.oracle.com/technetwork/topics/security/bulletinjul2015-2511963.htmlhttp://www.securityfocus.com/bid/66112http://www.squid-cache.org/Advisories/SQUID-2014_1.txthttp://lists.opensuse.org/opensuse-security-announce/2016-08/msg00010.htmlhttp://lists.opensuse.org/opensuse-security-announce/2016-08/msg00040.htmlhttp://lists.opensuse.org/opensuse-updates/2014-04/msg00030.htmlhttp://lists.opensuse.org/opensuse-updates/2014-04/msg00060.htmlhttp://secunia.com/advisories/57288http://secunia.com/advisories/57889http://www.oracle.com/technetwork/topics/security/bulletinjul2015-2511963.htmlhttp://www.securityfocus.com/bid/66112http://www.squid-cache.org/Advisories/SQUID-2014_1.txt
2014-04-14
Published