CVE-2018-1000027
published 2018-02-09


Priority: P344 · high · 7.5 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 13.15% (95.9th percentile)
The Squid Software Foundation Squid HTTP Caching Proxy, in versions prior to 4.0.23, contains a NULL pointer dereference vulnerability in HTTP response X-Forwarded-For header processing that can result in denial of service to all clients of the proxy. The attack appears to be exploitable via a remote HTTP server responding with an X-Forwarded-For header to certain types of HTTP request. This vulnerability appears to have been fixed in 4.0.23 and later.

Affected

12 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | | |
| canonical | ubuntu_linux | | |
| canonical | ubuntu_linux | | |
| debian | debian_linux | | |
| debian | debian_linux | | |
| debian | debian_linux | | |
| debian | squid | < squid 4.1-1 (bookworm) | squid 4.1-1 (bookworm) |
| squid-cache | squid | < 4.0.23 | 4.0.23 |
| squid | squid | >= 0 < 4.1-1 | 4.1-1 |
| squid | squid | >= 0 < 4.1-1 | 4.1-1 |
| squid | squid | >= 0 < 4.1-1 | 4.1-1 |
| squid | squid | >= 0 < 4.1-1 | 4.1-1 |

Detection & IOCs (extracted from sources)

  • Trigger condition: a remote HTTP server responds with an X-Forwarded-For header to certain types of HTTP requests directed at the Squid proxy, causing a NULL pointer dereference crash (DoS).
  • The vulnerable component is Squid HTTP Caching Proxy in versions prior to 4.0.23 (4.x branch) and prior to 3.5.27 (3.x branch); monitor for NULL pointer dereference crashes in the squid process.
  • Attack vector involves a combination of a crafted client HTTP request AND a specific trusted server response; monitor for unexpected Squid crashes correlated with upstream server X-Forwarded-For header responses.
  • Upstream vendor patches are available for both 3.5 and 4.x branches; reference patch files for diff-based detection of the vulnerable code paths.
  • Workaround: setting 'log_uses_indirect_client off' in the Squid configuration file mitigates the vulnerability by disabling the vulnerable X-Forwarded-For header processing code path.
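
An audit check combining the version thresholds and the workaround listed above, as an added example (not code from this page or from the Squid project). The sample banner and squid.conf text are constructed; the check assumes the directive defaults to on when absent and that the last occurrence in the file takes effect.

```python
import re

# Upstream fixed releases per branch, as stated on this page.
FIXED = {3: (3, 5, 27), 4: (4, 0, 23)}

# Constructed sample input (not taken from a real host).
SAMPLE_VERSION = "Squid Cache: Version 3.5.23"
SAMPLE_CONF = """\
http_port 3128
follow_x_forwarded_for allow localhost
# log_uses_indirect_client off
log_uses_indirect_client on
"""

def parse_version(text):
    """Extract (major, minor, patch) from a version string or banner."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError("no version number in %r" % text)
    return tuple(int(g or 0) for g in m.groups())

def version_affected(text):
    """True if the upstream version predates the fix for its branch."""
    v = parse_version(text)
    if v[0] > 4:
        return False
    # Assumption: releases older than 3.x are treated like the 3.x branch.
    return v < FIXED[max(v[0], 3)]

def indirect_client_logging(conf_text):
    """Effective log_uses_indirect_client value; the last occurrence wins."""
    value = "on"  # assumed default when the directive is absent
    for raw in conf_text.splitlines():
        tokens = raw.split("#", 1)[0].split()  # drop comments, then tokenize
        if len(tokens) >= 2 and tokens[0] == "log_uses_indirect_client":
            value = tokens[1].lower()
    return value

def assess(version_text, conf_text):
    """Classify one proxy as 'fixed', 'workaround' or 'exposed'."""
    if not version_affected(version_text):
        return "fixed"
    if indirect_client_logging(conf_text) == "off":
        return "workaround"
    return "exposed"

if __name__ == "__main__":
    print(assess(SAMPLE_VERSION, SAMPLE_CONF))
```

Distribution packages can carry the fix under an older upstream version number, so for packaged builds compare against the "Fixed in" column rather than relying on the upstream thresholds alone.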

CVSS provenance

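| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P |
| osv | | 7.5 | HIGH | |
| vendor_debian | | 7.5 | HIGH | |
| vendor_redhat | | 7.5 | HIGH | |
| vendor_ubuntu | | 7.5 | HIGH | |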