CVE-2014-3609
published 2014-09-11

Priority: P3 (37, medium)
CVSS 2.0: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
EPSS: 56.22% (98.9th percentile)
HttpHdrRange.cc in Squid 3.x before 3.3.12 and 3.4.x before 3.4.6 allows remote attackers to cause a denial of service (crash) via a request with crafted "Range headers with unidentifiable byte-range values."

Affected

93 ranges · showing 25

Vendor       Product  Version range                      Fixed in
debian       squid    < squid 2.7.STABLE9-5 (bookworm)   squid 2.7.STABLE9-5 (bookworm)
squid-cache  squid    (24 entries; version ranges and fixed versions not rendered on this page)

Detection & IOCs (extracted from sources)

squid.conf ACL lines (type: other):

  acl validRange req_header Range ^bytes=([0-9]+\-[0-9]*|\-[0-9]+)(,([0-9]+\-[0-9]*|\-[0-9]+))*$
  acl validRange req_header Request-Range ^bytes=([0-9]+\-[0-9]*|\-[0-9]+)(,([0-9]+\-[0-9]*|\-[0-9]+))*$
  • Detect exploitation attempts by inspecting HTTP Range and Request-Range headers for byte-range values that do not conform to the standard numeric format (e.g., non-numeric or unidentifiable byte-range values). Malformed Range headers targeting this CVE will fail to match the pattern: ^bytes=([0-9]+\-[0-9]*|\-[0-9]+)(,([0-9]+\-[0-9]*|\-[0-9]+))*$
  • Monitor Squid proxy logs and process health for unexpected assertion failures or crashes in the child process, which are indicative of active exploitation. The master process will re-spawn the child, so repeated short-lived child processes are a signal.
  • The vulnerable code path is in HttpHdrRange.cc. If source-level monitoring or integrity checking is in scope, focus on this file in Squid 3.x before 3.3.12 and 3.4.x before 3.4.6.
  • Apply the squid.conf ACL workaround to block requests with non-conforming Range headers above any http_access allow lines: deny requests where Range/Request-Range does not match the valid bytes= pattern.
  • The ACL workaround must be placed above any 'http_access allow' lines in squid.conf to be effective; misplacement will render it non-functional.
  • The vulnerability and the ACL workaround also affect older Squid 2.x versions (e.g., those shipped with RHEL 5), not just the 3.x branch.
  • Red Hat Enterprise Linux 4 will not receive a fix for this CVE (marked 'Will not fix').
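The following is an added example, not part of this record or of the Squid project: it applies the validRange ACL regex above to Range and Request-Range header values offline, so a reviewer can check which requests in a captured sample the squid.conf workaround would deny. The sample requests are constructed here for illustration.

```python
import re

# Regex copied verbatim from the squid.conf ACL workaround quoted above.
VALID_RANGE = re.compile(
    r"^bytes=([0-9]+\-[0-9]*|\-[0-9]+)(,([0-9]+\-[0-9]*|\-[0-9]+))*$"
)

# Both header names the workaround's two ACL lines cover.
RANGE_HEADERS = {"range", "request-range"}


def range_value_is_valid(value: str) -> bool:
    """True if a Range/Request-Range field value matches the ACL pattern.

    The value is the header's field value with CR/LF already stripped, as a
    proxy would hand it over; the anchored regex tolerates no extra text.
    """
    return VALID_RANGE.match(value) is not None


def find_nonconforming(headers: dict) -> list:
    """Return (name, value) pairs of Range-type headers the ACL would deny.

    Header names are compared case-insensitively, as HTTP requires.
    """
    return [
        (name, value)
        for name, value in headers.items()
        if name.lower() in RANGE_HEADERS and not range_value_is_valid(value)
    ]


# Constructed sample requests (illustrative only, not taken from the record).
SAMPLE_REQUESTS = [
    {"Host": "proxy.example.test", "Range": "bytes=0-499"},          # conforming
    {"Host": "proxy.example.test", "Range": "bytes=500-999,-100"},   # conforming, two specs
    {"Host": "proxy.example.test", "range": "bytes=abc-def"},        # non-numeric values
    {"Host": "proxy.example.test", "Request-Range": "items=0-10"},   # unknown range unit
    {"Host": "proxy.example.test", "Range": "bytes=0-499,"},         # dangling separator
    {"Host": "proxy.example.test"},                                  # no Range header at all
]


def audit(requests: list) -> dict:
    """Map request index -> headers the validRange ACL would reject."""
    return {i: bad for i, h in enumerate(requests) if (bad := find_nonconforming(h))}


if __name__ == "__main__":
    for idx, bad in audit(SAMPLE_REQUESTS).items():
        print(f"request {idx}: would be denied by validRange ACL: {bad}")
```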

CVSS provenance

nvd (CVSS v2.0): 5.0 MEDIUM, AV:N/AC:L/Au:N/C:N/I:N/A:P
osv: 5.0 MEDIUM
vendor_debian: 5.0 MEDIUM
vendor_redhat: 5.0 MEDIUM