CVE-2019-12524
Published: 2020-04-15
Priority P260 · critical · 9.8 · CVSS 3.1
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 4.15% (89.6th percentile)
An issue was discovered in Squid through 4.7. When handling requests from users, Squid checks its rules to see if the request should be denied. Squid by default comes with rules to block access to the Cache Manager, which serves detailed server information meant for the maintainer. This rule is implemented via url_regex. The handler for url_regex rules URL decodes an incoming request. This allows an attacker to encode their URL to bypass the url_regex check, and gain access to the blocked resource.
Affected
10 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | squid | < squid 4.8-1 (bookworm) | squid 4.8-1 (bookworm) |
| squid-cache | squid | <= 4.7 | — |
| squid | squid | >= 0 < 4.8-1 | 4.8-1 |
| squid | squid | >= 0 < 4.8-1 | 4.8-1 |
| squid | squid | >= 0 < 4.8-1 | 4.8-1 |
| squid | squid | >= 0 < 4.8-1 | 4.8-1 |
Detection & IOCs (extracted from sources)
Command (from the HackerOne report): `echo -e "GET https://hackerone.com%2f%[email protected]:8080/html/alert.html HTTP/1.1\r\n\r\n" | nc 3128`
- Detect URL-encoded Cache Manager access bypass: look for percent-encoded sequences (%2f, %3f, etc.) in requests targeting Squid's Cache Manager path (cachemgr.cgi or /squid-internal-mgr/) that, when decoded, resolve to the blocked resource.
- Detect HTTPS cache poisoning attempts: look for requests where the URL contains percent-encoded slashes and question marks in the userinfo/host portion (e.g., host%2f%3f@attacker-ip:port/path) sent to Squid proxy port 3128.
- Detect FTP cache poisoning attempts: look for FTP requests with an @ symbol in the URL path (e.g., ftp://target.com/?@attacker-ip:port/payload) sent through Squid proxy, which abuses userInfo URL decoding to poison the cache.
- Monitor Squid access logs for requests containing URL-encoded special characters (%2F, %3F, %40) in the host/userinfo portion of HTTPS or FTP URLs, which indicate exploitation of the url_regex ACL bypass or cache poisoning.
- Flag cache HIT responses (X-Cache: HIT) served for requests whose URL contains an @ symbol with an IP address in the path, as this indicates a poisoned cache entry is being served to a victim.
- The vulnerability exists in Squid through version 4.7 for HTTPS cache poisoning and through 4.9 for FTP cache poisoning; flag any Squid instance reporting these versions in its Server header (e.g., Server: squid/4.7, squid/4.9).
- Caveat: HTTPS cache poisoning (CVE-2019-12524) only applies when Squid is configured with ssl-bump and dynamic certificate generation (generate-host-certificates=on). Default Squid configurations without SSL bump are not vulnerable to the HTTPS variant.
- Caveat: the fix for CVE-2019-12524 only addressed the HTTPS aspect of cache poisoning; FTP cache poisoning remained exploitable until Squid 4.10, so patching to 4.8 alone does not fully remediate the FTP variant.
- Caveat: the url_regex ACL bypass affects the Cache Manager access control rule specifically; other ACL types are not affected by this URL-decoding issue.
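The following scanner is an added example, not part of this CVE record and not Squid's own code. It applies the log-based indicators listed above to Squid access.log lines in the native log format: percent-encoded `/`, `?` or `@` in the userinfo/host portion of https:// or ftp:// URLs, an `@` inside an FTP path or query, a path that only becomes a Cache Manager path after decoding, and a cache HIT result for a request that already carries one of those indicators. The log lines, host names and IP addresses in `SAMPLE_LOG` are constructed documentation values, not real captures.

```python
"""Added example (not part of this CVE record, not Squid's code): scan native
Squid access.log lines for the CVE-2019-12524 indicators listed above.
SAMPLE_LOG is constructed for illustration; hosts and addresses are
documentation values."""
import re
from urllib.parse import unquote, urlsplit

# Native Squid access.log layout (one request per line):
#   time elapsed client result/status bytes method url ident hierarchy/peer type
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>\S+)\s+(?P<size>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+"
    r"(?P<ident>\S+)\s+(?P<hier>\S+)\s+(?P<ctype>\S+)$"
)

# Percent-encoded '/', '?' and '@' in either case: the sequences the
# indicators above single out for the userinfo/host portion of a URL.
ENCODED_DELIMS = re.compile(r"%(?:2f|3f|40)", re.IGNORECASE)

# Paths the default Cache Manager url_regex rule is meant to block.
CACHEMGR_MARKERS = ("/squid-internal-mgr/", "cachemgr.cgi")

# Constructed sample log (not real traffic). Lines 1, 2 and 4 carry indicators.
SAMPLE_LOG = [
    "1584633424.123    45 192.0.2.10 TCP_MISS/200 512 GET "
    "https://hackerone.com%2f%3f@198.51.100.7:8080/html/alert.html - HIER_DIRECT/198.51.100.7 text/plain",
    "1584633425.001    12 192.0.2.11 TCP_HIT/200 512 GET "
    "ftp://example.test/?@198.51.100.7:8080/payload - HIER_NONE/- text/plain",
    "1584633426.500     3 192.0.2.12 TCP_DENIED/403 0 GET "
    "http://proxy.example.test:3128/squid-internal-mgr/info - HIER_NONE/- text/html",
    "1584633427.250     8 192.0.2.12 TCP_MISS/200 2048 GET "
    "http://proxy.example.test:3128/squid-internal-mgr/%69nfo - HIER_NONE/- text/plain",
    "1584633428.000   100 192.0.2.13 TCP_MISS/200 9000 GET "
    "https://www.example.test/index.html - HIER_DIRECT/203.0.113.5 text/html",
]


def analyze_url(url):
    """Return the list of indicator names found in one request URL.

    The URL is split without decoding, so the check sees exactly the
    bytes the proxy saw (encoded delimiters in the authority stay encoded).
    """
    findings = []
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    # Encoded '/', '?' or '@' inside userinfo@host:port of an https/ftp URL.
    if scheme in ("https", "ftp") and ENCODED_DELIMS.search(parts.netloc):
        findings.append("encoded-delim-in-authority")
    # '@' carried in the FTP path or query rather than in the authority.
    if scheme == "ftp" and "@" in (parts.path + parts.query):
        findings.append("at-sign-in-ftp-path")
    # A path that reaches the Cache Manager only once percent-decoded.
    decoded = unquote(parts.path)
    if decoded != parts.path and any(m in decoded.lower() for m in CACHEMGR_MARKERS):
        findings.append("encoded-cachemgr-path")
    return findings


def scan_log(lines):
    """Return (client, url, findings) for every parseable line with indicators."""
    hits = []
    for line in lines:
        match = LOG_RE.match(line.strip())
        if not match:
            continue  # unparseable line; a production pipeline would count these
        findings = analyze_url(match.group("url"))
        # A cache HIT for a request that already looks poisoned means a
        # stored entry is being served, which is the last indicator above.
        if findings and "HIT" in match.group("result").split("/")[0]:
            findings.append("cache-hit-for-suspicious-url")
        if findings:
            hits.append((match.group("client"), match.group("url"), findings))
    return hits


if __name__ == "__main__":
    for client, url, findings in scan_log(SAMPLE_LOG):
        print(f"{client}\t{', '.join(findings)}\t{url}")
```

Running the block prints one line per flagged request; the plain `/squid-internal-mgr/info` request is deliberately not flagged because the default rule already denies it, and only the encoded form that slips past url_regex is of interest.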
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 9.8 | CRITICAL | — |
| vendor_redhat | — | 9.8 | CRITICAL | — |
| vendor_ubuntu | — | 7.5 | HIGH | — |
Ubuntu
Squid regression
vendor_ubuntu·2020-08-27·CVSS 7.5
[HIGH] Squid regression
Title: Squid regression
Summary: USN-4446-1 introduced a regression in Squid.
USN-4446-1 fixed vulnerabilities in Squid. The update introduced a
regression when using Squid with the icap or ecap protocols. This update
fixes the problem.
We apologize for the inconvenience.
Original advisory details:
Jeriko One discovered that Squid incorrectly handled caching certain
requests. A remote attacker could possibly use this issue to perform
cache-injection attacks or gain access to reverse proxy features such as
ESI. (CVE-2019-12520)
Jeriko One and Kristoffer Danielsson discovered that Squid incorrectly
handled certain URN requests. A remote attacker could possibly use this
issue to bypass access checks. (CVE-2019-12523)
Jeriko One discovered that Squid incorrectly handled URL decoding. A
Ubuntu
Squid vulnerabilities
vendor_ubuntu·2020-08-03·CVSS 7.5
CVE-2019-12520 [HIGH] Squid vulnerabilities
Title: Squid vulnerabilities
Summary: Several security issues were fixed in Squid.
Jeriko One discovered that Squid incorrectly handled caching certain
requests. A remote attacker could possibly use this issue to perform
cache-injection attacks or gain access to reverse proxy features such as
ESI. (CVE-2019-12520)
Jeriko One and Kristoffer Danielsson discovered that Squid incorrectly
handled certain URN requests. A remote attacker could possibly use this
issue to bypass access checks. (CVE-2019-12523)
Jeriko One discovered that Squid incorrectly handled URL decoding. A remote
attacker could possibly use this issue to bypass certain rule checks.
(CVE-2019-12524)
Jeriko One and Kristoffer Danielsson discovered that Squid incorrectly
handled input validation. A remote attacker could use
Red Hat
squid: Improper access restriction in url_regex may lead to security bypass
vendor_redhat·2020-04-24·CVSS 9.8
CVE-2019-12524 [CRITICAL] CWE-20 squid: Improper access restriction in url_regex may lead to security bypass
squid: Improper access restriction in url_regex may lead to security bypass
An issue was discovered in Squid through 4.7. When handling requests from users, Squid checks its rules to see if the request should be denied. Squid by default comes with rules to block access to the Cache Manager, which serves detailed server information meant for the maintainer. This rule is implemented via url_regex. The handler for url_regex rules URL decodes an incoming request. This allows an attacker to encode their URL to bypass the url_regex check, and gain access to the blocked resource.
A flaw was found in squid. The Cache Manager for Squid has rules that, by default, block access to anyone other than the maintainer. An attacker, with the ability to send a properly crafted URL, can bypass the url_rege
Debian
CVE-2019-12524: squid - An issue was discovered in Squid through 4.7. When handling requests from users,...
vendor_debian·2019·CVSS 9.8
CVE-2019-12524 [CRITICAL] CVE-2019-12524: squid - An issue was discovered in Squid through 4.7. When handling requests from users,...
An issue was discovered in Squid through 4.7. When handling requests from users, Squid checks its rules to see if the request should be denied. Squid by default comes with rules to block access to the Cache Manager, which serves detailed server information meant for the maintainer. This rule is implemented via url_regex. The handler for url_regex rules URL decodes an incoming request. This allows an attacker to encode their URL to bypass the url_regex check, and gain access to the blocked resource.
Scope: local
bookworm: resolved (fixed in 4.8-1)
bullseye: resolved (fixed in 4.8-1)
forky: resolved (fixed in 4.8-1)
sid: resolved (fixed in 4.8-1)
trixie: resolved (fixed in 4.8-1)
GHSA
GHSA-wwv6-9vqw-fwxx: An issue was discovered in Squid through 4
ghsa_unreviewed·2022-05-24
CVE-2019-12524 [HIGH] CWE-306 GHSA-wwv6-9vqw-fwxx: An issue was discovered in Squid through 4
An issue was discovered in Squid through 4.7. When handling requests from users, Squid checks its rules to see if the request should be denied. Squid by default comes with rules to block access to the Cache Manager, which serves detailed server information meant for the maintainer. This rule is implemented via url_regex. The handler for url_regex rules URL decodes an incoming request. This allows an attacker to encode their URL to bypass the url_regex check, and gain access to the blocked resource.
OSV
squid3 regression
osv·2020-08-27·CVSS 7.5
CVE-2019-12520 [HIGH] squid3 regression
squid3 regression
USN-4446-1 fixed vulnerabilities in Squid. The update introduced a
regression when using Squid with the icap or ecap protocols. This update
fixes the problem.
We apologize for the inconvenience.
Original advisory details:
Jeriko One discovered that Squid incorrectly handled caching certain
requests. A remote attacker could possibly use this issue to perform
cache-injection attacks or gain access to reverse proxy features such as
ESI. (CVE-2019-12520)
Jeriko One and Kristoffer Danielsson discovered that Squid incorrectly
handled certain URN requests. A remote attacker could possibly use this
issue to bypass access checks. (CVE-2019-12523)
Jeriko One discovered that Squid incorrectly handled URL decoding. A remote
attacker could possibly use this issue to bypass certa
OSV
squid3 vulnerabilities
osv·2020-08-03·CVSS 7.5
CVE-2019-12520 [HIGH] squid3 vulnerabilities
squid3 vulnerabilities
Jeriko One discovered that Squid incorrectly handled caching certain
requests. A remote attacker could possibly use this issue to perform
cache-injection attacks or gain access to reverse proxy features such as
ESI. (CVE-2019-12520)
Jeriko One and Kristoffer Danielsson discovered that Squid incorrectly
handled certain URN requests. A remote attacker could possibly use this
issue to bypass access checks. (CVE-2019-12523)
Jeriko One discovered that Squid incorrectly handled URL decoding. A remote
attacker could possibly use this issue to bypass certain rule checks.
(CVE-2019-12524)
Jeriko One and Kristoffer Danielsson discovered that Squid incorrectly
handled input validation. A remote attacker could use this issue to cause
Squid to crash, resulting in a denial of
OSV
CVE-2019-12524: An issue was discovered in Squid through 4
osv·2020-04-15·CVSS 9.8
CVE-2019-12524 [CRITICAL] CVE-2019-12524: An issue was discovered in Squid through 4
An issue was discovered in Squid through 4.7. When handling requests from users, Squid checks its rules to see if the request should be denied. Squid by default comes with rules to block access to the Cache Manager, which serves detailed server information meant for the maintainer. This rule is implemented via url_regex. The handler for url_regex rules URL decodes an incoming request. This allows an attacker to encode their URL to bypass the url_regex check, and gain access to the blocked resource.
No detection rules found.
No public exploits indexed.
HackerOne
Cache Poisoning
hackerone·2021-08-26·CVSS 7.5
CVE-2019-12524 [HIGH] Cache Poisoning
Cache Poisoning
## Summary:
An attacker can cause Squid to return to the user attacker controlled data, for any domain. From Squid-4.7 and below both HTTPS and FTP could be poisoned. This is due to Squid URL decoding parts of the Request URL and using that to create a hash. Requests that decode to the same URL will retrieve the same cached response even if they're from different domains.
The fix for CVE-2019-12524 removed the HTTPS aspect of it, but FTP poisoning was still possible till Squid-4.10.
```
3128
nc: using stream socket
HTTP/1.1 200 Gatewaying
Server: squid/4.9
Mime-Version: 1.0
Date: Thu, 19 Mar 2020 15:57:04 GMT
Content-Type: text/plain
Last-Modified: Wed, 27 Mar 2019 19:14:54 GMT
Age: 79
X-Cache: HIT from g64
Transfer-Encoding: chunked
Via: 1.1 g64 (squid/4.9)
Connection: keep-
```
Bugzilla
CVE-2019-12524 squid: Improper access restriction in url_regex may lead to security bypass
bugzilla·2020-04-24·CVSS 9.8
CVE-2019-12524 [CRITICAL] CVE-2019-12524 squid: Improper access restriction in url_regex may lead to security bypass
CVE-2019-12524 squid: Improper access restriction in url_regex may lead to security bypass
Squid by default comes with rules to block access to the Cache Manager, which serves detailed server information meant for the maintainer. This rule is implemented via url_regex. The handler for url_regex rules URL decodes an incoming request. This allows an attacker to encode their URL to bypass the url_regex check, and gain access to the blocked resource.
Discussion:
Upstream Issue:
https://gitlab.com/jeriko.one/security/-/blob/master/squid/CVEs/CVE-2019-12524.txt
---
Patch:
http://www.squid-cache.org/Versions/v4/changesets/SQUID-2019_4.patch
---
External References:
http://www.squid-cache.org/Advisories/SQUID-2019_4.txt
---
This bug is now closed. Further updates for individual products
References:
- https://gitlab.com/jeriko.one/security/-/blob/master/squid/CVEs/CVE-2019-12524.txt
- https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html
- https://security.netapp.com/advisory/ntap-20210205-0006/
- https://usn.ubuntu.com/4446-1/
- https://www.debian.org/security/2020/dsa-4682

Published: 2020-04-15