CVE-2024-23638
published 2024-01-24

Priority: P3 53 medium; CVSS 3.1 score: 6.5
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
EPSS: 60.05% (99.0th percentile)

Squid is a caching proxy for the Web. Due to an expired pointer reference bug, Squid prior to version 6.6 is vulnerable to a Denial of Service attack against Cache Manager error responses. This problem allows a trusted client to perform Denial of Service when generating error pages for Client Manager reports. Squid versions older than 5.0.5 have not been tested and should be assumed to be vulnerable. All Squid-5.x up to and including 5.9 are vulnerable. All Squid-6.x up to and including 6.5 are vulnerable. This bug is fixed by Squid version 6.6. In addition, patches addressing this problem for the stable releases can be found in Squid's patch archives. As a workaround, prevent access to Cache Manager using Squid's main access control: `http_access deny manager`.

Affected

12 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | squid | < squid 5.7-2+deb12u1 (bookworm) | squid 5.7-2+deb12u1 (bookworm) |
| squid-cache | squid | < 6.6 | 6.6 |
| squid-cache | squid | 5.0 – 5.9 | |
| squid-cache | squid | >= 6.0 < 6.6 | 6.6 |
| squid | squid | >= 0 < 4.13-10+deb11u3 | 4.13-10+deb11u3 |
| squid | squid | >= 0 < 5.7-2+deb12u1 | 5.7-2+deb12u1 |
| squid | squid | >= 0 < 6.6-1 | 6.6-1 |
| squid | squid | >= 0 < 6.6-1 | 6.6-1 |
| squid | squid | >= 0 < 4.10-1ubuntu1.11 | 4.10-1ubuntu1.11 |
| squid | squid | >= 0 < 4.10-1ubuntu1.12 | 4.10-1ubuntu1.12 |
| squid | squid | >= 0 < 4.10-1ubuntu1.10 | 4.10-1ubuntu1.10 |
| squid | squid | >= 0 < 5.7-0ubuntu0.22.04.4 | 5.7-0ubuntu0.22.04.4 |

Detection & IOCs

  • Trigger condition: a trusted client generates error pages for Cache Manager (Client Manager) reports, exploiting an expired pointer reference bug in Squid's Cache Manager error response handling
  • Workaround/detection choke point: block access to the Cache Manager endpoint via Squid ACL — monitor for attempts to reach the manager endpoint from trusted clients as a detection signal
  • Vulnerable version range: Squid-5.x up to and including 5.9, and Squid-6.x up to and including 6.5; versions older than 5.0.5 are untested and assumed vulnerable
  • Fixed in Squid 6.6 upstream; Debian bookworm fixed in 5.7-2+deb12u1, bullseye in 4.13-10+deb11u3, forky/sid/trixie in 6.6-1
  • Exploitation requires a trusted client (not an arbitrary remote attacker); scope is limited to clients already permitted by Squid's access controls
  • Ubuntu USN-6728-1 patch for co-bundled CVE-2023-5824 caused Squid crashes on Ubuntu 20.04 LTS; was reverted in USN-6728-2 and corrected in USN-6728-3; ensure the correct update is applied

CVSS provenance

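| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
| osv | | 7.5 | HIGH | |
| vendor_ubuntu | | 8.6 | HIGH | |
| vendor_debian | | 6.5 | MEDIUM | |
| vendor_redhat | | 6.5 | MEDIUM | |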