CVE-2020-11945
published 2020-04-23


Priority: P276 · Severity: critical · CVSS 3.1 base score: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 27.25% (97.8th percentile)
An issue was discovered in Squid before 5.0.2. A remote attacker can replay a sniffed Digest Authentication nonce to gain access to resources that are otherwise forbidden. This occurs because the attacker can overflow the nonce reference counter (a short integer). Remote code execution may occur if the pooled token credentials are freed (instead of replayed as valid credentials).

Affected

19 ranges
Vendor          Product        Version range                 Fixed in
canonical       ubuntu_linux
canonical       ubuntu_linux
canonical       ubuntu_linux
canonical       ubuntu_linux
debian          debian_linux
debian          debian_linux
debian          squid          < squid 4.11-1 (bookworm)     squid 4.11-1 (bookworm)
fedoraproject   fedora
fedoraproject   fedora
fedoraproject   fedora
opensuse        leap
squid-cache     squid          3.0 – 3.5.28
squid-cache     squid          >= 4.0 < 4.11                 4.11
squid-cache     squid          >= 5.0 < 5.0.2                5.0.2
squid           squid          >= 0 < 4.11-1                 4.11-1
squid           squid          >= 0 < 4.11-1                 4.11-1
squid           squid          >= 0 < 4.11-1                 4.11-1
squid           squid          >= 0 < 4.11-1                 4.11-1
squid           squid          >= 0 < 4.10-1ubuntu1.1        4.10-1ubuntu1.1

Detection & IOCs (extracted from sources)

  • Detect Digest Authentication nonce replay attempts against Squid proxy — attacker sniffs a valid nonce and replays it to overflow the short-integer nonce reference counter, gaining access to forbidden resources or triggering RCE when pooled token credentials are freed.
  • Monitor Squid proxy logs for repeated reuse of the same Digest Authentication nonce value across multiple requests, especially from the same source IP — this is the core replay behaviour exploiting the counter overflow.
  • Flag Squid versions prior to 5.0.2 (or Debian package prior to 4.11-1) as vulnerable; presence of these versions in inventory warrants priority patching and traffic inspection for nonce-replay patterns.
  • The vulnerability is only exploitable when Squid is configured to use Digest Authentication; deployments using Basic, NTLM, Kerberos, or no authentication are not affected by this specific nonce-replay vector.
  • RCE is conditional — it only occurs if the overflowed nonce counter causes pooled token credentials to be freed rather than replayed; unauthorized access to forbidden resources is the more reliable outcome.
  • Red Hat Enterprise Linux 5 is out of support scope and RHEL 6 packages (squid, squid34) will not be fixed; detection and mitigation controls are especially important on those platforms.
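The log check described in the bullets above, as an added example that is not part of this record's sources or of the Squid project: a Python script that correlates Digest nonces per source address across proxy requests and reports three replay indicators. It assumes a custom Squid logformat whose last field is the quoted Proxy-Authorization request header (for example a format ending in the `%{Proxy-Authorization}>h` token); that logging choice is a deployment assumption, not Squid's default access log. The log lines, addresses, usernames and nonce values are constructed.

```python
"""Flag Digest Authentication nonce replay in Squid proxy access logs.

Added example, not Squid project code. Assumes a custom Squid logformat whose
last field is the quoted Proxy-Authorization request header (e.g. a format
ending in "%{Proxy-Authorization}>h"); that is a deployment assumption, not
Squid's default access log.
"""
import re
from collections import Counter, defaultdict

# Constructed sample log (not real traffic). Fields:
#   timestamp  src_ip  method  url  "Proxy-Authorization header"
SAMPLE_LOG = """\
1587600001.100 10.0.0.5 GET http://intranet.example/reports "Digest username="alice", realm="proxy", nonce="n1", uri="/reports", nc=00000001, cnonce="c1", response="r1""
1587600002.300 10.0.0.5 GET http://intranet.example/reports "Digest username="alice", realm="proxy", nonce="n1", uri="/reports", nc=00000002, cnonce="c2", response="r2""
1587600003.000 10.0.0.9 GET http://intranet.example/ "Basic Ym9iOnNlY3JldA==""
1587600004.200 198.51.100.7 GET http://intranet.example/reports "Digest username="alice", realm="proxy", nonce="n1", uri="/reports", nc=00000002, cnonce="c2", response="r2""
1587600004.900 198.51.100.7 GET http://intranet.example/reports "Digest username="alice", realm="proxy", nonce="n1", uri="/reports", nc=00000002, cnonce="c2", response="r2""
1587600005.500 198.51.100.7 GET http://intranet.example/reports "Digest username="alice", realm="proxy", nonce="n1", uri="/reports", nc=00000002, cnonce="c2", response="r2""
1587600006.100 10.0.0.9 GET http://intranet.example/wiki "Digest username="bob", realm="proxy", nonce="n2", uri="/wiki", nc=00000001, cnonce="c9", response="r9""
"""

# key=value pairs of a Digest header: quoted values or bare tokens (nc, qop).
PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s,]+))')


def parse_line(line):
    """Return (src_ip, digest_params) or None for non-Digest / malformed lines."""
    parts = line.split(" ", 4)
    if len(parts) != 5:
        return None
    src, auth = parts[1], parts[4].strip()
    if not (auth.startswith('"') and auth.endswith('"')):
        return None
    auth = auth[1:-1]                     # drop the quotes around the header
    if not auth.lower().startswith("digest "):
        return None                       # Basic/NTLM/Kerberos are out of scope here
    params = {}
    for key, quoted, bare in PARAM_RE.findall(auth[len("digest "):]):
        params[key.lower()] = quoted if quoted else bare
    return src, params


def analyze(lines, reuse_threshold=3):
    """Correlate Digest nonces across requests and return replay indicators."""
    use_count = Counter()          # (src, nonce) -> number of requests
    nc_seen = Counter()            # (src, nonce, nc) -> occurrences
    sources = defaultdict(set)     # nonce -> set of source IPs that presented it
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, params = parsed
        nonce = params.get("nonce")
        if not nonce:
            continue
        nc = params.get("nc", "")
        use_count[(src, nonce)] += 1
        nc_seen[(src, nonce, nc)] += 1
        sources[nonce].add(src)
    return {
        # RFC 7616 requires nc to increase on every use of a nonce; a repeated
        # (nonce, nc) pair from one source means a request was replayed verbatim.
        "nc_repeat": sorted((s, n, c) for (s, n, c), k in nc_seen.items() if k > 1),
        # A nonce belongs to one client session; several source addresses
        # presenting the same nonce points to sniffing and replay.
        "multi_source": sorted(n for n, srcs in sources.items() if len(srcs) > 1),
        # Volume of reuse from one source: the counter-overflow path in
        # CVE-2020-11945 needs many replays of the same nonce. Tune the threshold.
        "high_reuse": sorted((s, n) for (s, n), k in use_count.items()
                             if k >= reuse_threshold),
    }


if __name__ == "__main__":
    for indicator, hits in analyze(SAMPLE_LOG.splitlines()).items():
        print(f"{indicator}: {hits}")
```

Legitimate Digest clients reuse a server nonce across many requests with a rising `nc`, so the raw `high_reuse` count is noisy on its own (alice's two requests in the sample are not flagged); the repeated-`nc` and multi-source indicators are the tighter signals. Before relying on this, confirm in `squid.conf` that the chosen logformat actually records the credential header.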

CVSS provenance

nvd             v3.1   9.8   CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd             v2.0   7.5   HIGH       AV:N/AC:L/Au:N/C:P/I:P/A:P
osv                    9.8   CRITICAL
vendor_debian          9.8   CRITICAL
vendor_redhat          9.8   CRITICAL
vendor_ubuntu          9.8   CRITICAL