CVE-2014-7141
published 2014-11-26


Priority: P3 46 medium · 6.4 CVSS 2.0
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:P
EPSS: 76.06% (99.5th percentile)
The pinger in Squid 3.x before 3.4.8 allows remote attackers to obtain sensitive information or cause a denial of service (out-of-bounds read and crash) via a crafted type in an (1) ICMP or (2) ICMP6 packet.

Affected

85 ranges · showing 25
Vendor | Product | Version range | Fixed in
debian | squid | < squid 4.1-1 (bookworm) | squid 4.1-1 (bookworm)
squid-cache | squid

Detection & IOCs (extracted from sources)

  • The vulnerability is triggered by a crafted ICMP type value in an ICMPv6 packet; the type value is ANDed with 0x7f (limiting it to 0–127) and used as an out-of-bounds array index into icmp6HighPktStr[] (33 entries) or icmp6LowPktStr[] (10 entries) — monitor for anomalous ICMP/ICMPv6 packets with unusual type values directed at Squid pinger.
  • ICMPv4 handling in the pinger is also affected: icmpPktStr[] has only 18 entries but the 8-bit icmp_type from the received packet is used as an index without validation, allowing overread of up to (256-18)*sizeof(char*) — detect crafted ICMPv4 replies with type values ≥ 18 sent to the Squid pinger process.
  • Only the 'pinger' sub-process of Squid is affected, not the main Squid process; focus crash/DoS detection on the pinger child process rather than the main squid daemon.
  • Squid packages shipped with Red Hat Enterprise Linux 5, 6, and 7 (and Fedora) do not build or include the 'pinger' program, so those deployments are not affected even though the vulnerable source code is present.
  • The vulnerability was introduced in Squid 3.x; Squid 2.x (shipped with RHEL 5 and earlier) is not affected by the ICMPv6 variant (CVE-2014-7141), though the ICMPv4 OOB read does exist in Squid 2.x.
  • The fix for CVE-2014-7141 is in upstream revision 13583; the same commit also fixes the related CVE-2014-7142 (integer underflow in ICMP reply size computation).
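
The index arithmetic described in the list above, as an added example (a constructed model, not Squid's code and not the upstream patch): a bounds-checked type-name lookup plus helpers that report which received type values would index past each table. The table sizes (18, 10, 33) and the 0x7f mask come from the list; the function names, the placeholder strings and the use of the 0x80 bit to choose between the two ICMPv6 tables are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Table sizes are the ones quoted in the list above; the entries are
 * constructed placeholders, not Squid's real strings. */
#define ICMP4_N      18
#define ICMP6_LOW_N  10
#define ICMP6_HIGH_N 33

static const char *icmp4_str[ICMP4_N]           = { "v4-type-0" };
static const char *icmp6_low_str[ICMP6_LOW_N]   = { "v6-low-0" };
static const char *icmp6_high_str[ICMP6_HIGH_N] = { "v6-high-0" };

/* Bounds-checked lookup: an index outside the table never touches memory. */
static const char *pkt_str(const char *const *table, size_t n, unsigned idx)
{
    if (idx >= n || table[idx] == NULL)
        return "Unknown";
    return table[idx];
}

const char *icmp4_type_name(uint8_t type) { return pkt_str(icmp4_str, ICMP4_N, type); }

const char *icmp6_type_name(uint8_t type)
{
    unsigned idx = type & 0x7f;   /* 0..127: the mask alone is not a bound */
    if (type & 0x80)              /* assumption: high bit selects the 33-entry table */
        return pkt_str(icmp6_high_str, ICMP6_HIGH_N, idx);
    return pkt_str(icmp6_low_str, ICMP6_LOW_N, idx);
}

/* Triage helpers: 1 if an unchecked lookup would index past its table. */
int icmp4_would_overread(uint8_t type) { return type >= ICMP4_N; }
int icmp6_would_overread(uint8_t type)
{
    unsigned idx = type & 0x7f;
    return idx >= ((type & 0x80) ? ICMP6_HIGH_N : ICMP6_LOW_N);
}

int main(void)
{
    const uint8_t samples[] = { 0, 17, 18, 0x89, 0xa1, 0xff };  /* constructed */
    for (size_t i = 0; i < sizeof samples; i++)
        printf("type %3u  v4:%d (%s)  v6:%d (%s)\n", (unsigned)samples[i],
               icmp4_would_overread(samples[i]), icmp4_type_name(samples[i]),
               icmp6_would_overread(samples[i]), icmp6_type_name(samples[i]));
}
```

The same two predicates can be applied to ICMP type fields pulled from packet captures to flag traffic that falls outside the table ranges.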

CVSS provenance

nvd | v2.0 | 6.4 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:P
osv | 6.4 | MEDIUM
vendor_debian | 6.4 | MEDIUM
vendor_redhat | 6.4 | MEDIUM