CVE-2014-3609
published 2014-09-11CVE-2014-3609: HttpHdrRange.cc in Squid 3.x before 3.3.12 and 3.4.x before 3.4.6 allows remote attackers to cause a denial of service (crash) via a request with crafted…
PriorityP337medium5CVSS 2.0
AVNACLAuNCNINAP
EPSS
56.22%
98.9th percentile
HttpHdrRange.cc in Squid 3.x before 3.3.12 and 3.4.x before 3.4.6 allows remote attackers to cause a denial of service (crash) via a request with crafted "Range headers with unidentifiable byte-range values."
Affected
93 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | squid | < squid 2.7.STABLE9-5 (bookworm) | squid 2.7.STABLE9-5 (bookworm) |
| squid-cache | squid | — | — |
| squid-cache | squid | — | — |
| squid-cache | squid | — | — |
| squid-cache | squid | — | — |
| squid-cache | squid | — | — |
| squid-cache | squid | — | — |
| squid-cache | squid | — | — |
| squid-cache | squid | — | — |
| squid-cache | squid | — | — |
| squid-cache | squid | — | — |
| squid-cache | squid | — | — |
| squid-cache | squid | — | — |
| squid-cache | squid | — | — |
| squid-cache | squid | — | — |
| squid-cache | squid | — | — |
| squid-cache | squid | — | — |
| squid-cache | squid | — | — |
| squid-cache | squid | — | — |
| squid-cache | squid | — | — |
| squid-cache | squid | — | — |
| squid-cache | squid | — | — |
| squid-cache | squid | — | — |
| squid-cache | squid | — | — |
| squid-cache | squid | — | — |
Detection & IOCsextracted from sources · hover to see the quote
otheracl validRange req_header Range ^bytes=([0-9]+\-[0-9]*|\-[0-9]+)(,([0-9]+\-[0-9]*|\-[0-9]+))*$↗
otheracl validRange req_header Request-Range ^bytes=([0-9]+\-[0-9]*|\-[0-9]+)(,([0-9]+\-[0-9]*|\-[0-9]+))*$↗
- →Detect exploitation attempts by inspecting HTTP Range and Request-Range headers for byte-range values that do not conform to the standard numeric format (e.g., non-numeric or unidentifiable byte-range values). Malformed Range headers targeting this CVE will fail to match the pattern: ^bytes=([0-9]+\-[0-9]*|\-[0-9]+)(,([0-9]+\-[0-9]*|\-[0-9]+))*$ ↗
- →Monitor Squid proxy logs and process health for unexpected assertion failures or crashes in the child process, which are indicative of active exploitation. The master process will re-spawn the child, so repeated short-lived child processes are a signal. ↗
- →The vulnerable code path is in HttpHdrRange.cc. If source-level monitoring or integrity checking is in scope, focus on this file in Squid 3.x before 3.3.12 and 3.4.x before 3.4.6. ↗
- →Apply the squid.conf ACL workaround to block requests with non-conforming Range headers above any http_access allow lines: deny requests where Range/Request-Range does not match the valid bytes= pattern. ↗
- ·The ACL workaround must be placed above any 'http_access allow' lines in squid.conf to be effective; misplacement will render it non-functional. ↗
- ·The vulnerability and the ACL workaround also affect older Squid 2.x versions (e.g., those shipped with RHEL 5), not just the 3.x branch. ↗
- ·Red Hat Enterprise Linux 4 will not receive a fix for this CVE (marked 'Will not fix'). ↗
CVSS provenance
nvdv2.05.0MEDIUMAV:N/AC:L/Au:N/C:N/I:N/A:P
osv5.0MEDIUM
vendor_debian5.0MEDIUM
vendor_redhat5.0MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Ubuntu
Squid 3 vulnerability
vendor_ubuntu·2014-08-28
CVE-2014-3609 Squid 3 vulnerability
Title: Squid 3 vulnerability
Summary: Squid could be made to crash if it received specially crafted network
traffic.
Matthew Daley discovered that Squid 3 did not properly perform input
validation in request parsing. A remote attacker could send crafted Range
requests to cause a denial of service.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
squid: assertion failure in Range header processing (SQUID-2014:2)
vendor_redhat·2014-08-28·CVSS 5.0
CVE-2014-3609 [MEDIUM] CWE-228 squid: assertion failure in Range header processing (SQUID-2014:2)
squid: assertion failure in Range header processing (SQUID-2014:2)
HttpHdrRange.cc in Squid 3.x before 3.3.12 and 3.4.x before 3.4.6 allows remote attackers to cause a denial of service (crash) via a request with crafted "Range headers with unidentifiable byte-range values."
A flaw was found in the way Squid handled malformed HTTP Range headers. A remote attacker able to send HTTP requests to the Squid proxy could use this flaw to crash Squid.
Package: squid (Red Hat Enterprise Linux 4) - Will not fix
Debian
CVE-2014-3609: squid - HttpHdrRange.cc in Squid 3.x before 3.3.12 and 3.4.x before 3.4.6 allows remote ...
vendor_debian·2014·CVSS 5.0
CVE-2014-3609 [MEDIUM] CVE-2014-3609: squid - HttpHdrRange.cc in Squid 3.x before 3.3.12 and 3.4.x before 3.4.6 allows remote ...
HttpHdrRange.cc in Squid 3.x before 3.3.12 and 3.4.x before 3.4.6 allows remote attackers to cause a denial of service (crash) via a request with crafted "Range headers with unidentifiable byte-range values."
Scope: local
bookworm: resolved (fixed in 2.7.STABLE9-5)
bullseye: resolved (fixed in 2.7.STABLE9-5)
forky: resolved (fixed in 2.7.STABLE9-5)
sid: resolved (fixed in 2.7.STABLE9-5)
trixie: resolved (fixed in 2.7.STABLE9-5)
GHSA
GHSA-wfpr-78ph-w6wr: HttpHdrRange
ghsa_unreviewed·2022-05-17
CVE-2014-3609 [MEDIUM] CWE-20 GHSA-wfpr-78ph-w6wr: HttpHdrRange
HttpHdrRange.cc in Squid 3.x before 3.3.12 and 3.4.x before 3.4.6 allows remote attackers to cause a denial of service (crash) via a request with crafted "Range headers with unidentifiable byte-range values."
OSV
CVE-2014-3609: HttpHdrRange
osv·2014-09-11·CVSS 5.0
CVE-2014-3609 [MEDIUM] CVE-2014-3609: HttpHdrRange
HttpHdrRange.cc in Squid 3.x before 3.3.12 and 3.4.x before 3.4.6 allows remote attackers to cause a denial of service (crash) via a request with crafted "Range headers with unidentifiable byte-range values."
No detection rules found.
No public exploits indexed.
arXiv
Talos: Neutralizing Vulnerabilities with Security Workarounds for Rapid Response
arxiv_fulltext·2017-11-02
Talos: Neutralizing Vulnerabilities with Security Workarounds for Rapid Response
Talos: Neutralizing Vulnerabilities with Security Workarounds for Rapid Response
Zhen Huang0.25in
Mariana D'Angelo0.25in
Dhaval Miyani0.25in
David Lie
University of Toronto
\z.huang,mariana.dangelo,dhaval.miyani\@mail.utoronto.ca,[email protected]
## Abstract
There is often a considerable delay between the discovery of a vulnerability and the issue of a patch. One way to mitigate this window of vulnerability is to use a configuration workaround, which prevents the vulnerable code from being executed at the cost of some lost functionality -- but only if one is available. Since application configurations are not specifically designed to mitigate software vulnerabilities, we find that they only cover 25.2% of vulnerabilities.
To minimize patch delay vulnerabilities and address the lim
Bugzilla
CVE-2014-3609 squid: assertion failure in Range header processing [fedora-all]
bugzilla·2014-08-28·CVSS 5.0
CVE-2014-3609 [MEDIUM] CVE-2014-3609 squid: assertion failure in Range header processing [fedora-all]
CVE-2014-3609 squid: assertion failure in Range header processing [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of
Bugzilla
CVE-2014-3609 squid: assertion failure in Range header processing (SQUID-2014:2)
bugzilla·2014-08-27·CVSS 5.0
CVE-2014-3609 [MEDIUM] CVE-2014-3609 squid: assertion failure in Range header processing (SQUID-2014:2)
CVE-2014-3609 squid: assertion failure in Range header processing (SQUID-2014:2)
A denial of service flaw was found in Squid's Range header processing. An attacker could send crafted requests that would cause Squid to crash with an assertion.
A patch is available from the following:
http://www.squid-cache.org/Versions/v3/3.HEAD/changesets/squid-3-13555.patch
For a workaround, upstream says to add the following to squid.conf above any "http_access allow" lines:
acl validRange req_header Range \
^bytes=([0-9]+\-[0-9]*|\-[0-9]+)(,([0-9]+\-[0-9]*|\-[0-9]+))*$
acl validRange req_header Request-Range \
^bytes=([0-9]+\-[0-9]*|\-[0-9]+)(,([0-9]+\-[0-9]*|\-[0-9]+))*$
http_access deny !validRange
External References:
http://www.squid-cache.org/Advisories/SQUID-2014_2.txt
Acknowledgements:
http://lists.opensuse.org/opensuse-security-announce/2014-09/msg00025.htmlhttp://lists.opensuse.org/opensuse-updates/2014-09/msg00029.htmlhttp://rhn.redhat.com/errata/RHSA-2014-1147.htmlhttp://secunia.com/advisories/60179http://secunia.com/advisories/60334http://secunia.com/advisories/61320http://secunia.com/advisories/61412http://www.debian.org/security/2014/dsa-3014http://www.debian.org/security/2015/dsa-3139http://www.oracle.com/technetwork/topics/security/bulletinjul2015-2511963.htmlhttp://www.securityfocus.com/bid/69453http://www.squid-cache.org/Advisories/SQUID-2014_2.txthttp://www.squid-cache.org/Versions/v3/3.0/changesets/squid-3.0-9201.patchhttp://www.ubuntu.com/usn/USN-2327-1http://lists.opensuse.org/opensuse-security-announce/2014-09/msg00025.htmlhttp://lists.opensuse.org/opensuse-updates/2014-09/msg00029.htmlhttp://rhn.redhat.com/errata/RHSA-2014-1147.htmlhttp://secunia.com/advisories/60179http://secunia.com/advisories/60334http://secunia.com/advisories/61320http://secunia.com/advisories/61412http://www.debian.org/security/2014/dsa-3014http://www.debian.org/security/2015/dsa-3139http://www.oracle.com/technetwork/topics/security/bulletinjul2015-2511963.htmlhttp://www.securityfocus.com/bid/69453http://www.squid-cache.org/Advisories/SQUID-2014_2.txthttp://www.squid-cache.org/Versions/v3/3.0/changesets/squid-3.0-9201.patchhttp://www.ubuntu.com/usn/USN-2327-1
2014-09-11
Published