CVE-2016-3948
published 2016-04-07


Priority: P346 (high)
CVSS 3.0: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS: 35.27% (98.2th percentile)
Squid 3.x before 3.5.16 and 4.x before 4.0.8 improperly perform bounds checking, which allows remote attackers to cause a denial of service via a crafted HTTP response, related to Vary headers.

Affected

153 ranges (showing 25)

Vendor        Product   Version range               Fixed in
debian        squid     < squid 4.1-1 (bookworm)    squid 4.1-1 (bookworm)
squid-cache   squid

Detection & IOCs (extracted from sources)

  • The vulnerability is triggered via a crafted HTTP response containing a malformed Vary header, causing an assertion failure (DoS) in Squid. Monitor for unexpected Squid process crashes or assertion failures originating from HTTP response processing.
  • Refer to the upstream patch for the specific bounds-check code change to build a targeted detection or integrity check: http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-14016.patch
  • Refer to the Squid advisory SQUID-2016_4.txt for additional technical details on the attack vector.
  • Affected versions are Squid 3.x before 3.5.16 and 4.x before 4.0.8. Squid on Red Hat Enterprise Linux 5 is not affected; RHEL 6 packages (squid, squid34) are 'Will not fix'.
  • The attack is initiated by a malicious upstream HTTP server (not a client), so the threat actor must control or compromise a server that Squid is proxying to.

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.0      7.5     HIGH       CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
nvd             v2.0      5.0     MEDIUM     AV:N/AC:L/Au:N/C:N/I:N/A:P
osv                       7.5     HIGH
vendor_debian             7.5     HIGH
vendor_redhat             7.5     HIGH
vendor_ubuntu             7.5     HIGH