CVE-2019-12526
Published: 2019-11-26
Priority: P2 · 62 · critical · 9.8 · CVSS 3.1
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 20.25% (97.1th percentile)
An issue was discovered in Squid before 4.9. URN response handling in Squid suffers from a heap-based buffer overflow. When receiving data from a remote server in response to an URN request, Squid fails to ensure that the response can fit within the buffer. This leads to attacker controlled data overflowing in the heap.
Affected
17 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | squid | < squid 4.9-1 (bookworm) | squid 4.9-1 (bookworm) |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| opensuse | leap | — | — |
| squid-cache | squid | 3.0 – 3.5.28 | — |
| squid-cache | squid | 4.0 – 4.8 | — |
| squid | squid | >= 0 < 4.9-1 | 4.9-1 |
| squid | squid | >= 0 < 4.9-1 | 4.9-1 |
| squid | squid | >= 0 < 4.9-1 | 4.9-1 |
| squid | squid | >= 0 < 4.9-1 | 4.9-1 |
Detection & IOCs (extracted from sources)
- Detect URN protocol requests being proxied through Squid; a GET request with a URN scheme (urn:) is the attack vector for this heap overflow.
- Monitor Squid for unexpected child process crashes and PID changes, which indicate successful exploitation of the URN heap overflow.
- The vulnerable code path is triggered via UrnState::operator new → urnStart → FwdState::Start; look for urn.cc stack frames in crash dumps.
- The overflow writes into heap memory adjacent to a 4184-byte UrnState buffer; ASan reports heap-buffer-overflow WRITE at offset 0 bytes past the region end.
- URN requests are not proxied by default; the vulnerability is only reachable if the Squid configuration explicitly permits the URN protocol (e.g., 'acl Safe_ports port 0'). Deployments without such ACLs are not directly exposed.
- Upstream mitigation: add ACL rules to deny the urn: protocol for all clients in squid.conf to block the attack vector without patching.
- On Red Hat products, Squid is confined with SELinux, which reduces (but does not eliminate) the risk of arbitrary code execution even if the overflow is triggered.
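The first detection above (urn: requests passing through the proxy) can be run over access.log. The following is an added example, not code from any of the quoted sources; it assumes Squid's default native log layout and that the request URL is logged with its urn: scheme, and the sample lines are constructed.

```python
from collections import Counter

# Constructed sample lines in Squid's native access.log layout:
# time elapsed client code/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1574760001.101     12 192.0.2.10 TCP_MISS/200 5120 GET http://example.test/index.html - HIER_DIRECT/198.51.100.7 text/html
1574760002.230      3 192.0.2.44 TCP_DENIED/403 3890 GET urn:example:resource - HIER_NONE/- text/html
1574760003.415     87 192.0.2.44 TCP_MISS/200 912 GET URN:example:resource - HIER_DIRECT/198.51.100.9 text/plain
truncated line
1574760004.002      9 192.0.2.10 TCP_TUNNEL/200 4410 CONNECT example.test:443 - HIER_DIRECT/198.51.100.7 -
"""

def find_urn_requests(log_text):
    """Return one dict per access.log entry whose request URL uses the urn: scheme."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 10:
            continue  # malformed or truncated entry
        ts, _elapsed, client, result, _size, method, url = fields[:7]
        if not url.lower().startswith("urn:"):
            continue  # scheme match is case-insensitive
        try:
            when = float(ts)
        except ValueError:
            continue  # timestamp is not in the native epoch format
        code, _, status = result.partition("/")
        hits.append({
            "time": when, "client": client, "method": method, "url": url,
            "result": code, "status": status,
            # A denied request never reaches URN forwarding; anything else did.
            "forwarded": not code.startswith("TCP_DENIED"),
        })
    return hits

def forwarded_by_client(hits):
    """Count, per client, the URN requests that access controls did not deny."""
    return dict(Counter(h["client"] for h in hits if h["forwarded"]))

if __name__ == "__main__":
    found = find_urn_requests(SAMPLE_LOG)
    for hit in found:
        print(hit)
    print("forwarded URN requests per client:", forwarded_by_client(found))
```

Entries with `forwarded` set to false show the deny rule working; forwarded entries on a Squid before 4.9 are the ones to correlate with child crashes in the same time window.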
CVSS provenance
nvd · v3.1 · 9.8 · CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd · v2.0 · 7.5 · HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P
osv · 9.8 · CRITICAL
vendor_debian · 9.8 · CRITICAL
vendor_redhat · 9.8 · CRITICAL
vendor_ubuntu · 9.1 · CRITICAL
GHSA
GHSA-rqc4-5489-hg7v: An issue was discovered in Squid before 4
ghsa_unreviewed·2022-05-24
CVE-2019-12526 [HIGH] CWE-120 GHSA-rqc4-5489-hg7v: An issue was discovered in Squid before 4
An issue was discovered in Squid before 4.9. URN response handling in Squid suffers from a heap-based buffer overflow. When receiving data from a remote server in response to an URN request, Squid fails to ensure that the response can fit within the buffer. This leads to attacker controlled data overflowing in the heap.
OSV
squid, squid3 vulnerabilities
osv·2019-12-04·CVSS 9.1
CVE-2019-12523 [CRITICAL] squid, squid3 vulnerabilities
Jeriko One and Kristoffer Danielsson discovered that Squid incorrectly
handled certain URN requests. A remote attacker could possibly use this
issue to bypass access checks and access restricted servers. This issue was
only addressed in Ubuntu 19.04 and Ubuntu 19.10. (CVE-2019-12523)
Jeriko One discovered that Squid incorrectly handled URN responses. A remote
attacker could use this issue to cause Squid to crash, resulting in a
denial of service, or possibly execute arbitrary code. (CVE-2019-12526)
Alex Rousskov discovered that Squid incorrectly handled certain strings. A
remote attacker could possibly use this issue to cause Squid to crash,
resulting in a denial of service. This issue only affected Ubuntu 19.04.
(CVE-2019-12854)
Jeriko One and Kristoffer D
OSV
CVE-2019-12526: An issue was discovered in Squid before 4
osv·2019-11-26·CVSS 9.8
CVE-2019-12526 [CRITICAL] CVE-2019-12526: An issue was discovered in Squid before 4
An issue was discovered in Squid before 4.9. URN response handling in Squid suffers from a heap-based buffer overflow. When receiving data from a remote server in response to an URN request, Squid fails to ensure that the response can fit within the buffer. This leads to attacker controlled data overflowing in the heap.
Ubuntu
Squid vulnerabilities
vendor_ubuntu·2019-12-04·CVSS 9.1
CVE-2019-12523 [CRITICAL] Squid vulnerabilities
Title: Squid vulnerabilities
Summary: Several security issues were fixed in Squid.
Jeriko One and Kristoffer Danielsson discovered that Squid incorrectly
handled certain URN requests. A remote attacker could possibly use this
issue to bypass access checks and access restricted servers. This issue was
only addressed in Ubuntu 19.04 and Ubuntu 19.10. (CVE-2019-12523)
Jeriko One discovered that Squid incorrectly handled URN responses. A remote
attacker could use this issue to cause Squid to crash, resulting in a
denial of service, or possibly execute arbitrary code. (CVE-2019-12526)
Alex Rousskov discovered that Squid incorrectly handled certain strings. A
remote attacker could possibly use this issue to cause Squid to crash,
resulting in a denial of service. This issue only affected Ubunt
Red Hat
squid: Heap overflow issue in URN processing
vendor_redhat·2019-11-05·CVSS 9.8
CVE-2019-12526 [CRITICAL] CWE-119 squid: Heap overflow issue in URN processing
An issue was discovered in Squid before 4.9. URN response handling in Squid suffers from a heap-based buffer overflow. When receiving data from a remote server in response to an URN request, Squid fails to ensure that the response can fit within the buffer. This leads to attacker controlled data overflowing in the heap.
A heap-based buffer overflow was found in the way squid processed certain Uniform Resource Names (URNs). A remote attacker could use this flaw to cause Squid to crash or execute arbitrary code with the permissions of the user running Squid.
Statement: This is a heap-based buffer overflow, which can be triggered by a malicious client. The client can overwrite substantial amount of heap potentially causing squid to crash or even
Debian
CVE-2019-12526: squid - An issue was discovered in Squid before 4.9. URN response handling in Squid suff...
vendor_debian·2019·CVSS 9.8
CVE-2019-12526 [CRITICAL] CVE-2019-12526: squid - An issue was discovered in Squid before 4.9. URN response handling in Squid suff...
An issue was discovered in Squid before 4.9. URN response handling in Squid suffers from a heap-based buffer overflow. When receiving data from a remote server in response to an URN request, Squid fails to ensure that the response can fit within the buffer. This leads to attacker controlled data overflowing in the heap.
Scope: local
bookworm: resolved (fixed in 4.9-1)
bullseye: resolved (fixed in 4.9-1)
forky: resolved (fixed in 4.9-1)
sid: resolved (fixed in 4.9-1)
trixie: resolved (fixed in 4.9-1)
No detection rules found.
No public exploits indexed.
HackerOne
UrnState Heap Overflow
hackerone·2021-08-26·CVSS 9.8
[CRITICAL] UrnState Heap Overflow
## Summary:
When handling a URN Request an attacker controlled response can cause Squid to overflow a heap buffer. The buffer exists within a struct so not only does it allow an attacker to overflow adjacent memory, but also control a pointer that follows the buffer enabling them to free arbitrary memory. Paired with the Cache Manager bypass that I reported earlier, an attacker will know which addresses are valid. This can lead to RCE and was stated in the severity of the Squid announce.
Squid Announce: http://www.squid-cache.org/Advisories/SQUID-2019_7.txt
Assigned CVE-2019-12526
## Steps To Reproduce:
You must add the following to your squid.conf to allow URN requests:
```
acl Safe_ports port 0
```
The squid child will crash even without Asan, but it'll automati
Bugzilla
CVE-2019-12526 squid: Heap overflow issue in URN processing [fedora-all]
bugzilla·2019-11-08·CVSS 9.8
CVE-2019-12526 [CRITICAL] CVE-2019-12526 squid: Heap overflow issue in URN processing [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of F
Bugzilla
CVE-2019-12526 squid: Heap overflow issue in URN processing
bugzilla·2019-11-08·CVSS 9.8
CVE-2019-12526 [CRITICAL] CVE-2019-12526 squid: Heap overflow issue in URN processing
Due to incorrect buffer management Squid is vulnerable to a heap overflow and possible remote code execution attack when processing URN.
References:
http://www.squid-cache.org/Advisories/SQUID-2019_7.txt
Discussion:
Created squid tracking bugs for this issue:
Affects: fedora-all [bug 1770357]
---
External References:
http://www.squid-cache.org/Advisories/SQUID-2019_7.txt
---
Mitigation:
The following mitigation is suggested by upstream:
Deny urn: protocol URI being proxied to all clients:
~~~
acl URN proto URN
http_access deny URN
~~~
---
Analysis:
This is a heap-based buffer overflow, which can be triggered by a malicious client. The client can overwrite substantial amount of heap potentially causing squid to cras
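A squid.conf can be checked for both the exposure condition (`acl Safe_ports port 0`) and the upstream mitigation (`acl URN proto URN` / `http_access deny URN`) quoted above. This is an added example, not code from Squid or from the quoted advisories; it assumes a simplified model in which the deny only counts if it is unconditional and placed before any `http_access allow`, and the sample configuration is constructed.

```python
# Constructed sample config; only the directives relevant to CVE-2019-12526 are modelled.
SAMPLE_CONF = """\
acl localnet src 192.0.2.0/24
acl Safe_ports port 80          # http
acl Safe_ports port 0           # the line the page says permits URN requests
acl URN proto URN
http_access deny !Safe_ports
http_access allow localnet
http_access deny URN            # too late: localnet was already allowed above
http_access deny all
"""

def covers_port_zero(value):
    """True if a port ACL value ('0' or a range such as '0-1024') includes port 0."""
    low = value.split("-", 1)[0]
    return low.isdigit() and int(low) == 0

def audit_urn_exposure(conf_text):
    """Classify a squid.conf as 'mitigated', 'exposed' or 'not_enabled' for URN proxying."""
    urn_acls, port0_acls, rules = set(), set(), []
    for raw in conf_text.splitlines():
        tok = raw.split("#", 1)[0].split()  # drop trailing comments
        if len(tok) >= 4 and tok[0] == "acl":
            name, kind, values = tok[1], tok[2], tok[3:]
            if kind == "proto" and any(v.upper() == "URN" for v in values):
                urn_acls.add(name)
            elif kind == "port" and any(covers_port_zero(v) for v in values):
                port0_acls.add(name)
        elif len(tok) >= 3 and tok[0] == "http_access":
            rules.append((tok[1], tok[2:]))
    # http_access is first-match, so (simplified model, an assumption of this
    # example) the deny only helps if every term is a URN proto ACL and it
    # appears before the first allow rule.
    deny_first = False
    for action, terms in rules:
        if action == "allow":
            break
        if action == "deny" and all(t in urn_acls for t in terms):
            deny_first = True
            break
    status = "mitigated" if deny_first else "exposed" if port0_acls else "not_enabled"
    return {"status": status, "port0_acls": sorted(port0_acls), "urn_acls": sorted(urn_acls)}

if __name__ == "__main__":
    print(audit_urn_exposure(SAMPLE_CONF))
```

The sample is reported as exposed even though it contains the deny rule, because the rule sits after an allow; moving the two mitigation lines to the top of the access rules changes the result to mitigated.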
References
- http://www.squid-cache.org/Advisories/SQUID-2019_7.txt
- https://bugzilla.suse.com/show_bug.cgi?id=1156326
- https://lists.debian.org/debian-lts-announce/2019/12/msg00011.html
- https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTM74TU2BSLT5B3H4F3UDW53672NVLMC/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UEMOYTMCCFWK5NOXSXEIH5D2VGWVXR67/
- https://security.gentoo.org/glsa/202003-34
- https://usn.ubuntu.com/4213-1/
- https://www.debian.org/security/2020/dsa-4682