CVE-2020-11945
Published 2020-04-23
Priority P276 · critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 27.25% (97.8th percentile)
An issue was discovered in Squid before 5.0.2. A remote attacker can replay a sniffed Digest Authentication nonce to gain access to resources that are otherwise forbidden. This occurs because the attacker can overflow the nonce reference counter (a short integer). Remote code execution may occur if the pooled token credentials are freed (instead of replayed as valid credentials).
Affected
19 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | squid | < squid 4.11-1 (bookworm) | squid 4.11-1 (bookworm) |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| opensuse | leap | — | — |
| squid-cache | squid | 3.0 – 3.5.28 | — |
| squid-cache | squid | >= 4.0 < 4.11 | 4.11 |
| squid-cache | squid | >= 5.0 < 5.0.2 | 5.0.2 |
| squid | squid | >= 0 < 4.11-1 | 4.11-1 |
| squid | squid | >= 0 < 4.11-1 | 4.11-1 |
| squid | squid | >= 0 < 4.11-1 | 4.11-1 |
| squid | squid | >= 0 < 4.11-1 | 4.11-1 |
| squid | squid | >= 0 < 4.10-1ubuntu1.1 | 4.10-1ubuntu1.1 |
Detection & IOCs (extracted from sources)
- Detect Digest Authentication nonce replay attempts against the Squid proxy: the attacker sniffs a valid nonce and replays it to overflow the short-integer nonce reference counter, gaining access to forbidden resources or triggering RCE when the pooled token credentials are freed.
- Monitor Squid proxy logs for repeated reuse of the same Digest Authentication nonce value across multiple requests, especially from the same source IP; this is the core replay behaviour that exploits the counter overflow.
- Flag Squid versions prior to 5.0.2 (or the Debian package prior to 4.11-1) as vulnerable; the presence of these versions in inventory warrants priority patching and traffic inspection for nonce-replay patterns.
- The vulnerability is only exploitable when Squid is configured to use Digest Authentication; deployments using Basic, NTLM, Kerberos, or no authentication are not affected by this specific nonce-replay vector.
- RCE is conditional: it only occurs if the overflowed nonce counter causes the pooled token credentials to be freed rather than replayed; unauthorized access to forbidden resources is the more reliable outcome.
- Red Hat Enterprise Linux 5 is out of support scope and the RHEL 6 packages (squid, squid34) will not be fixed; detection and mitigation controls are especially important on those platforms.
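The log-monitoring item above describes the pattern but not the check. The following is an added example written for this page, not code from the advisory, from Squid or from any vendor: it groups Digest requests by nonce and reports nonces that look replayed. It assumes that the proxy has been configured to record the request's Authorization header (a default Squid access log does not contain it), and the sample records, the `parse_digest` / `analyse` names and the threshold value are all constructed for the example. Beyond the advisory's "same nonce, many requests" pattern it also applies two checks from the Digest scheme itself (RFC 7616): a nonce's `nc` counter must increase on every use, and a nonce is issued to one client, so a repeated `nc` or a second source address for the same nonce is a strong replay signal with far fewer false positives than a raw reuse count.

```python
import re
from collections import defaultdict

# Constructed sample records as (client_ip, Authorization header) pairs.
# These are NOT real Squid log lines: a default Squid access log does not
# record the Authorization header, so this assumes the proxy is configured
# (custom logformat, or an upstream capture) to log it. nonce, cnonce and
# response values are placeholders, not real digests.
SAMPLE_REQUESTS = [
    ("10.0.0.5", 'Digest username="alice", realm="proxy", nonce="n1", uri="/a", '
                 'nc=00000001, cnonce="c1", qop=auth, response="r1"'),
    ("10.0.0.5", 'Digest username="alice", realm="proxy", nonce="n1", uri="/b", '
                 'nc=00000002, cnonce="c2", qop=auth, response="r2"'),
    ("10.0.0.5", 'Digest username="alice", realm="proxy", nonce="n1", uri="/c", '
                 'nc=00000003, cnonce="c3", qop=auth, response="r3"'),
    # The next two records re-send the first request verbatim from another host:
    # same nonce, same nc, same response.
    ("192.0.2.9", 'Digest username="alice", realm="proxy", nonce="n1", uri="/a", '
                  'nc=00000001, cnonce="c1", qop=auth, response="r1"'),
    ("192.0.2.9", 'Digest username="alice", realm="proxy", nonce="n1", uri="/a", '
                  'nc=00000001, cnonce="c1", qop=auth, response="r1"'),
    ("10.0.0.7", 'Digest username="bob", realm="proxy", nonce="n2", uri="/x", '
                 'nc=00000001, cnonce="c9", qop=auth, response="r9"'),
]

# key=value pairs of a Digest header; values may be quoted or bare tokens.
_PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_digest(header):
    """Return the Digest parameters as a dict, or None for a non-Digest header."""
    if not header.startswith("Digest "):
        return None
    params = {}
    for key, quoted, bare in _PARAM_RE.findall(header[len("Digest "):]):
        params[key] = quoted if quoted else bare
    return params


def analyse(records, reuse_threshold=1000):
    """Group Digest requests by nonce and return the nonces that look replayed.

    Heuristics (all defender-side):
      * nonce-count regression: nc must increase on every use of a nonce, so a
        repeated or lower nc means an earlier request was sent again;
      * multiple source ips: a nonce is issued to one client, so use from a
        second address suggests a sniffed nonce replayed elsewhere;
      * reuse above threshold: bulk reuse of one nonce, the volume pattern the
        advisory describes. The threshold is a constructed example value.
    """
    per_nonce = defaultdict(lambda: {"count": 0, "ips": set(), "users": set(),
                                     "max_nc": 0, "nc_regressions": 0})
    for ip, header in records:
        params = parse_digest(header)
        if params is None or "nonce" not in params:
            continue
        state = per_nonce[params["nonce"]]
        state["count"] += 1
        state["ips"].add(ip)
        state["users"].add(params.get("username", "<none>"))
        nc_text = params.get("nc")
        if nc_text is not None:  # legacy Digest without qop carries no nc
            try:
                nc = int(nc_text, 16)
            except ValueError:
                nc = None
            if nc is not None:
                if nc <= state["max_nc"]:
                    state["nc_regressions"] += 1
                state["max_nc"] = max(state["max_nc"], nc)

    findings = {}
    for nonce, state in per_nonce.items():
        reasons = []
        if state["nc_regressions"]:
            reasons.append("nonce-count regression")
        if len(state["ips"]) > 1:
            reasons.append("multiple source ips")
        if state["count"] > reuse_threshold:
            reasons.append("reuse above threshold")
        if reasons:
            findings[nonce] = {
                "count": state["count"],
                "ips": sorted(state["ips"]),
                "users": sorted(state["users"]),
                "nc_regressions": state["nc_regressions"],
                "reasons": reasons,
            }
    return findings


if __name__ == "__main__":
    for nonce, info in analyse(SAMPLE_REQUESTS).items():
        print(f"nonce {nonce}: {', '.join(info['reasons'])}; "
              f"{info['count']} uses from {info['ips']} as {info['users']}")
```

In a real deployment the records would come from whatever log or capture carries the proxy's `Authorization` header; the reuse threshold should be set well above the number of requests a legitimate client sends under one nonce in your environment, while the `nc` and source-address checks fire on the first replayed request regardless of volume.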
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 9.8 | CRITICAL | — |
| vendor_redhat | — | 9.8 | CRITICAL | — |
| vendor_ubuntu | — | 9.8 | CRITICAL | — |
Ubuntu
Squid vulnerabilities
vendor_ubuntu·2020-05-13·CVSS 9.8
CVE-2019-12519 [CRITICAL] Squid vulnerabilities
Title: Squid vulnerabilities
Summary: Several security issues were fixed in Squid.
Jeriko One discovered that Squid incorrectly handled certain Edge Side
Includes (ESI) responses. A malicious remote server could cause Squid to
crash, possibly poison the cache, or possibly execute arbitrary code.
(CVE-2019-12519, CVE-2019-12521)
It was discovered that Squid incorrectly handled the hostname parameter to
cachemgr.cgi when certain browsers are used. A remote attacker could
possibly use this issue to inject HTML or invalid characters in the
hostname parameter. This issue only affected Ubuntu 16.04 LTS, Ubuntu 18.04
LTS, and Ubuntu 19.10. (CVE-2019-18860)
Clément Berthaux and Florian Guilbert discovered that Squid incorrectly
handled Digest Authentication nonce values. A remote attacker coul
Red Hat
squid: improper access restriction upon Digest Authentication nonce replay could lead to remote code execution
vendor_redhat·2020-04-24·CVSS 9.8
CVE-2020-11945 [CRITICAL] CWE-284 squid: improper access restriction upon Digest Authentication nonce replay could lead to remote code execution
squid: improper access restriction upon Digest Authentication nonce replay could lead to remote code execution
An issue was discovered in Squid before 5.0.2. A remote attacker can replay a sniffed Digest Authentication nonce to gain access to resources that are otherwise forbidden. This occurs because the attacker can overflow the nonce reference counter (a short integer). Remote code execution may occur if the pooled token credentials are freed (instead of replayed as valid credentials).
A flaw was found in Squid, where a remote attacker can replay a sniffed Digest Authentication nonce to gain access to resources that are otherwise forbidden. This issue occurs because the attacker can overflow the nonce reference counter, which results in remote code execution if the pooled token creden
Debian
CVE-2020-11945: squid - An issue was discovered in Squid before 5.0.2. A remote attacker can replay a sn...
vendor_debian·2020·CVSS 9.8
CVE-2020-11945 [CRITICAL] CVE-2020-11945: squid - An issue was discovered in Squid before 5.0.2. A remote attacker can replay a sn...
An issue was discovered in Squid before 5.0.2. A remote attacker can replay a sniffed Digest Authentication nonce to gain access to resources that are otherwise forbidden. This occurs because the attacker can overflow the nonce reference counter (a short integer). Remote code execution may occur if the pooled token credentials are freed (instead of replayed as valid credentials).
Scope: local
bookworm: resolved (fixed in 4.11-1)
bullseye: resolved (fixed in 4.11-1)
forky: resolved (fixed in 4.11-1)
sid: resolved (fixed in 4.11-1)
trixie: resolved (fixed in 4.11-1)
GHSA
GHSA-82gh-fr9f-867h: An issue was discovered in Squid before 5
ghsa_unreviewed·2022-05-24
CVE-2020-11945 [HIGH] CWE-190 GHSA-82gh-fr9f-867h: An issue was discovered in Squid before 5
An issue was discovered in Squid before 5.0.2. A remote attacker can replay a sniffed Digest Authentication nonce to gain access to resources that are otherwise forbidden. This occurs because the attacker can overflow the nonce reference counter (a short integer). Remote code execution may occur if the pooled token credentials are freed (instead of replayed as valid credentials).
OSV
squid, squid3 vulnerabilities
osv·2020-05-13·CVSS 9.8
CVE-2019-12519 [CRITICAL] squid, squid3 vulnerabilities
squid, squid3 vulnerabilities
Jeriko One discovered that Squid incorrectly handled certain Edge Side
Includes (ESI) responses. A malicious remote server could cause Squid to
crash, possibly poison the cache, or possibly execute arbitrary code.
(CVE-2019-12519, CVE-2019-12521)
It was discovered that Squid incorrectly handled the hostname parameter to
cachemgr.cgi when certain browsers are used. A remote attacker could
possibly use this issue to inject HTML or invalid characters in the
hostname parameter. This issue only affected Ubuntu 16.04 LTS, Ubuntu 18.04
LTS, and Ubuntu 19.10. (CVE-2019-18860)
Clément Berthaux and Florian Guilbert discovered that Squid incorrectly
handled Digest Authentication nonce values. A remote attacker could
use this issue to replay nonce values, or possibly e
OSV
CVE-2020-11945: An issue was discovered in Squid before 5
osv·2020-04-23·CVSS 9.8
CVE-2020-11945 [CRITICAL] CVE-2020-11945: An issue was discovered in Squid before 5
An issue was discovered in Squid before 5.0.2. A remote attacker can replay a sniffed Digest Authentication nonce to gain access to resources that are otherwise forbidden. This occurs because the attacker can overflow the nonce reference counter (a short integer). Remote code execution may occur if the pooled token credentials are freed (instead of replayed as valid credentials).
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2020-11945 squid: improper access restriction upon Digest Authentication nonce replay could lead to remote code execution [fedora-all]
bugzilla·2020-04-24·CVSS 9.8
CVE-2020-11945 [CRITICAL] CVE-2020-11945 squid: improper access restriction upon Digest Authentication nonce replay could lead to remote code execution [fedora-all]
CVE-2020-11945 squid: improper access restriction upon Digest Authentication nonce replay could lead to remote code execution [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit m
Bugzilla
CVE-2020-11945 squid: improper access restriction upon Digest Authentication nonce replay could lead to remote code execution
bugzilla·2020-04-24·CVSS 9.8
CVE-2020-11945 [CRITICAL] CVE-2020-11945 squid: improper access restriction upon Digest Authentication nonce replay could lead to remote code execution
CVE-2020-11945 squid: improper access restriction upon Digest Authentication nonce replay could lead to remote code execution
A remote attacker can replay a sniffed Digest Authentication nonce to gain access to resources that are otherwise forbidden. This occurs because the attacker can overflow the nonce reference counter, which may result in Remote code execution if the pooled token credentials are freed.
Discussion:
Created squid tracking bugs for this issue:
Affects: fedora-all [bug 1827564]
---
Upstream Fix:
https://github.com/squid-cache/squid/pull/585
---
External References:
http://www.squid-cache.org/Advisories/SQUID-2020_4.txt
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions
Via RHSA-2020:203
References
- http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00018.html
- http://master.squid-cache.org/Versions/v4/changesets/squid-4-eeebf0f37a72a2de08348e85ae34b02c34e9a811.patch
- http://www.openwall.com/lists/oss-security/2020/04/23/2
- http://www.squid-cache.org/Versions/v4/changesets/squid-4-eeebf0f37a72a2de08348e85ae34b02c34e9a811.patch
- https://bugzilla.suse.com/show_bug.cgi?id=1170313
- https://github.com/squid-cache/squid/commit/eeebf0f37a72a2de08348e85ae34b02c34e9a811
- https://github.com/squid-cache/squid/pull/585
- https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4FWQRYZJPHAZBLXJ56FPCHJN5X2FP3VA/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H4MWXEZAJSOGRJSS2JCJK4WBSND4IV46/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RV2VZWFJNO3B56IVN56HHKJASG5DYUIX/
- https://security.gentoo.org/glsa/202005-05
- https://security.netapp.com/advisory/ntap-20210304-0004/
- https://usn.ubuntu.com/4356-1/
- https://www.debian.org/security/2020/dsa-4682
Published: 2020-04-23