CVE-2020-24606 — Improper Locking in Squid

CWE-667 — Improper Locking CWE-20 — Improper Input Validation10 documents7 sources

Severity

7.5HIGHNVD

CNA8.6

EPSS

6.3%

top 8.99%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Squid Squid-cache Squid Canonical Ubuntu Linux +3 more

Timeline

PublishedAug 24

Latest updateSep 28

Description

Squid before 4.13 and 5.x before 5.0.4 allows a trusted peer to perform Denial of Service by consuming all available CPU cycles during handling of a crafted Cache Digest response message. This only occurs when cache_peer is used with the cache digests feature. The problem exists because peerDigestHandleReply() livelocking in peer_digest.cc mishandles EOF.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

▶NVDsquid-cache/squid3.0 — 4.13+1

▶Debiansquid/squid< 4.13-1+3

▶NVDopensuse/leap15.1, 15.2+1

Also affects: Debian Linux 10.0, 9.0, Fedora 31, 32, 33, Ubuntu Linux 16.04, 18.04, 20.04

Patches

Patch: www.squid-cache.org ↗Patch: www.squid-cache.org ↗

🔴Vulnerability Details

OSV

squid vulnerabilities↗2020-08-27

▶

OSV

CVE-2020-24606: Squid before 4↗2020-08-24

▶

CVEList

CVE-2020-24606: Squid before 4↗2020-08-24

▶

📋Vendor Advisories

Ubuntu

Squid vulnerabilities↗2020-09-28

▶

Ubuntu

Squid vulnerabilities↗2020-08-27

▶

Red Hat

squid: Improper input validation could result in a DoS↗2020-08-23

▶

Debian

CVE-2020-24606: squid - Squid before 4.13 and 5.x before 5.0.4 allows a trusted peer to perform Denial o...↗2020

▶

💬Community

Bugzilla

CVE-2020-24606 squid: Improper input validation could result in a DoS↗2020-08-24

▶

Bugzilla

CVE-2020-24606 squid: Improper Input Validation could result in a DoS [fedora-all]↗2020-08-24

▶