9.3 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
8.1 High
AI Score
Confidence
High
0.03 Low
EPSS
Percentile
91.0%
The remote Debian 11 / 12 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-5637 advisory.
Squid is a caching proxy for the Web. Due to an Improper Validation of Specified Index bug, Squid versions 3.3.0.1 through 5.9 and 6.0 prior to 6.4 compiled using --with-openssl
are vulnerable to a Denial of Service attack against SSL Certificate validation. This problem allows a remote server to perform Denial of Service against Squid Proxy by initiating a TLS Handshake with a specially crafted SSL Certificate in a server certificate chain. This attack is limited to HTTPS and SSL-Bump. This bug is fixed in Squid version 6.4. In addition, patches addressing this problem for the stable releases can be found in Squid’s patch archives. Those who you use a prepackaged version of Squid should refer to the package vendor for availability information on updated packages. (CVE-2023-46724)
Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. Due to a NULL pointer dereference bug Squid is vulnerable to a Denial of Service attack against Squid’s Gopher gateway. The gopher protocol is always available and enabled in Squid prior to Squid 6.0.1. Responses triggering this bug are possible to be received from any gopher server, even those without malicious intent. Gopher support has been removed in Squid version 6.0.1. Users are advised to upgrade. Users unable to upgrade should reject all gopher URL requests. (CVE-2023-46728)
SQUID is vulnerable to HTTP request smuggling, caused by chunked decoder lenience, allows a remote attacker to perform Request/Response smuggling past firewall and frontend security systems.
(CVE-2023-46846)
Squid is vulnerable to a Denial of Service, where a remote attacker can perform buffer overflow attack by writing up to 2 MB of arbitrary data to heap memory when Squid is configured to accept HTTP Digest Authentication. (CVE-2023-46847)
Squid is vulnerable to Denial of Service, where a remote attacker can perform DoS by sending ftp:// URLs in HTTP Request messages or constructing ftp:// URLs from FTP Native input. (CVE-2023-46848)
Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. Due to a Buffer Overread bug Squid is vulnerable to a Denial of Service attack against Squid HTTP Message processing. This bug is fixed by Squid version 6.5. Users are advised to upgrade. There are no known workarounds for this vulnerability.
(CVE-2023-49285)
Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. Due to an Incorrect Check of Function Return Value bug Squid is vulnerable to a Denial of Service attack against its Helper process management. This bug is fixed by Squid version 6.5. Users are advised to upgrade. There are no known workarounds for this vulnerability. (CVE-2023-49286)
Squid is a caching proxy for the Web. Due to an Uncontrolled Recursion bug in versions 2.6 through 2.7.STABLE9, versions 3.1 through 5.9, and versions 6.0.1 through 6.5, Squid may be vulnerable to a Denial of Service attack against HTTP Request parsing. This problem allows a remote client to perform Denial of Service attack by sending a large X-Forwarded-For header when the follow_x_forwarded_for feature is configured. This bug is fixed by Squid version 6.6. In addition, patches addressing this problem for the stable releases can be found in Squid’s patch archives. (CVE-2023-50269)
Squid is a caching proxy for the Web. Due to an expired pointer reference bug, Squid prior to version 6.6 is vulnerable to a Denial of Service attack against Cache Manager error responses. This problem allows a trusted client to perform Denial of Service when generating error pages for Client Manager reports. Squid older than 5.0.5 have not been tested and should be assumed to be vulnerable. All Squid-5.x up to and including 5.9 are vulnerable. All Squid-6.x up to and including 6.5 are vulnerable. This bug is fixed by Squid version 6.6. In addition, patches addressing this problem for the stable releases can be found in Squid’s patch archives. As a workaround, prevent access to Cache Manager using Squid’s main access control: http_access deny manager
. (CVE-2024-23638)
Squid is a web proxy cache. Starting in version 3.5.27 and prior to version 6.8, Squid may be vulnerable to a Denial of Service attack against HTTP Chunked decoder due to an uncontrolled recursion bug. This problem allows a remote attacker to cause Denial of Service when sending a crafted, chunked, encoded HTTP Message. This bug is fixed in Squid version 6.8. In addition, patches addressing this problem for the stable releases can be found in Squid’s patch archives. There is no workaround for this issue.
(CVE-2024-25111)
Squid is an open source caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. Due to a Collapse of Data into Unsafe Value bug ,Squid may be vulnerable to a Denial of Service attack against HTTP header parsing. This problem allows a remote client or a remote server to perform Denial of Service when sending oversized headers in HTTP messages. In versions of Squid prior to 6.5 this can be achieved if the request_header_max_size or reply_header_max_size settings are unchanged from the default. In Squid version 6.5 and later, the default setting of these parameters is safe. Squid will emit a critical warning in cache.log if the administrator is setting these parameters to unsafe values. Squid will not at this time prevent these settings from being changed to unsafe values. Users are advised to upgrade to version 6.5.
There are no known workarounds for this vulnerability. This issue is also tracked as SQUID-2024:2 (CVE-2024-25617)
Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.
#%NASL_MIN_LEVEL 80900
#
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory dsa-5637. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#
include('compat.inc');
if (description)
{
script_id(191759);
script_version("1.0");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/03/08");
script_cve_id(
"CVE-2023-46724",
"CVE-2023-46728",
"CVE-2023-46846",
"CVE-2023-46847",
"CVE-2023-46848",
"CVE-2023-49285",
"CVE-2023-49286",
"CVE-2023-50269",
"CVE-2024-23638",
"CVE-2024-25111",
"CVE-2024-25617"
);
script_name(english:"Debian dsa-5637 : squid - security update");
script_set_attribute(attribute:"synopsis", value:
"The remote Debian host is missing one or more security-related updates.");
script_set_attribute(attribute:"description", value:
"The remote Debian 11 / 12 host has packages installed that are affected by multiple vulnerabilities as referenced in the
dsa-5637 advisory.
- Squid is a caching proxy for the Web. Due to an Improper Validation of Specified Index bug, Squid versions
3.3.0.1 through 5.9 and 6.0 prior to 6.4 compiled using `--with-openssl` are vulnerable to a Denial of
Service attack against SSL Certificate validation. This problem allows a remote server to perform Denial
of Service against Squid Proxy by initiating a TLS Handshake with a specially crafted SSL Certificate in a
server certificate chain. This attack is limited to HTTPS and SSL-Bump. This bug is fixed in Squid version
6.4. In addition, patches addressing this problem for the stable releases can be found in Squid's patch
archives. Those who you use a prepackaged version of Squid should refer to the package vendor for
availability information on updated packages. (CVE-2023-46724)
- Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. Due to a NULL pointer
dereference bug Squid is vulnerable to a Denial of Service attack against Squid's Gopher gateway. The
gopher protocol is always available and enabled in Squid prior to Squid 6.0.1. Responses triggering this
bug are possible to be received from any gopher server, even those without malicious intent. Gopher
support has been removed in Squid version 6.0.1. Users are advised to upgrade. Users unable to upgrade
should reject all gopher URL requests. (CVE-2023-46728)
- SQUID is vulnerable to HTTP request smuggling, caused by chunked decoder lenience, allows a remote
attacker to perform Request/Response smuggling past firewall and frontend security systems.
(CVE-2023-46846)
- Squid is vulnerable to a Denial of Service, where a remote attacker can perform buffer overflow attack by
writing up to 2 MB of arbitrary data to heap memory when Squid is configured to accept HTTP Digest
Authentication. (CVE-2023-46847)
- Squid is vulnerable to Denial of Service, where a remote attacker can perform DoS by sending ftp:// URLs
in HTTP Request messages or constructing ftp:// URLs from FTP Native input. (CVE-2023-46848)
- Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. Due to a Buffer Overread bug
Squid is vulnerable to a Denial of Service attack against Squid HTTP Message processing. This bug is fixed
by Squid version 6.5. Users are advised to upgrade. There are no known workarounds for this vulnerability.
(CVE-2023-49285)
- Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. Due to an Incorrect Check of
Function Return Value bug Squid is vulnerable to a Denial of Service attack against its Helper process
management. This bug is fixed by Squid version 6.5. Users are advised to upgrade. There are no known
workarounds for this vulnerability. (CVE-2023-49286)
- Squid is a caching proxy for the Web. Due to an Uncontrolled Recursion bug in versions 2.6 through
2.7.STABLE9, versions 3.1 through 5.9, and versions 6.0.1 through 6.5, Squid may be vulnerable to a Denial
of Service attack against HTTP Request parsing. This problem allows a remote client to perform Denial of
Service attack by sending a large X-Forwarded-For header when the follow_x_forwarded_for feature is
configured. This bug is fixed by Squid version 6.6. In addition, patches addressing this problem for the
stable releases can be found in Squid's patch archives. (CVE-2023-50269)
- Squid is a caching proxy for the Web. Due to an expired pointer reference bug, Squid prior to version 6.6
is vulnerable to a Denial of Service attack against Cache Manager error responses. This problem allows a
trusted client to perform Denial of Service when generating error pages for Client Manager reports. Squid
older than 5.0.5 have not been tested and should be assumed to be vulnerable. All Squid-5.x up to and
including 5.9 are vulnerable. All Squid-6.x up to and including 6.5 are vulnerable. This bug is fixed by
Squid version 6.6. In addition, patches addressing this problem for the stable releases can be found in
Squid's patch archives. As a workaround, prevent access to Cache Manager using Squid's main access
control: `http_access deny manager`. (CVE-2024-23638)
- Squid is a web proxy cache. Starting in version 3.5.27 and prior to version 6.8, Squid may be vulnerable
to a Denial of Service attack against HTTP Chunked decoder due to an uncontrolled recursion bug. This
problem allows a remote attacker to cause Denial of Service when sending a crafted, chunked, encoded HTTP
Message. This bug is fixed in Squid version 6.8. In addition, patches addressing this problem for the
stable releases can be found in Squid's patch archives. There is no workaround for this issue.
(CVE-2024-25111)
- Squid is an open source caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. Due to a Collapse
of Data into Unsafe Value bug ,Squid may be vulnerable to a Denial of Service attack against HTTP header
parsing. This problem allows a remote client or a remote server to perform Denial of Service when sending
oversized headers in HTTP messages. In versions of Squid prior to 6.5 this can be achieved if the
request_header_max_size or reply_header_max_size settings are unchanged from the default. In Squid version
6.5 and later, the default setting of these parameters is safe. Squid will emit a critical warning in
cache.log if the administrator is setting these parameters to unsafe values. Squid will not at this time
prevent these settings from being changed to unsafe values. Users are advised to upgrade to version 6.5.
There are no known workarounds for this vulnerability. This issue is also tracked as SQUID-2024:2
(CVE-2024-25617)
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/source-package/squid");
script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2023-46724");
script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2023-46728");
script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2023-46846");
script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2023-46847");
script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2023-46848");
script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2023-49285");
script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2023-49286");
script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2023-50269");
script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2024-23638");
script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2024-25111");
script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2024-25617");
script_set_attribute(attribute:"see_also", value:"https://packages.debian.org/source/bookworm/squid");
script_set_attribute(attribute:"see_also", value:"https://packages.debian.org/source/bullseye/squid");
script_set_attribute(attribute:"solution", value:
"Upgrade the squid packages.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N");
script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2023-46846");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2023/10/25");
script_set_attribute(attribute:"patch_publication_date", value:"2024/03/08");
script_set_attribute(attribute:"plugin_publication_date", value:"2024/03/08");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:squid");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:squid-cgi");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:squid-common");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:squid-openssl");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:squid-purge");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:squidclient");
script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:11.0");
script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:12.0");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Debian Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
exit(0);
}
include('debian_package.inc');
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
var debian_release = get_kb_item('Host/Debian/release');
if ( isnull(debian_release) ) audit(AUDIT_OS_NOT, 'Debian');
debian_release = chomp(debian_release);
if (! preg(pattern:"^(11)\.[0-9]+|^(12)\.[0-9]+", string:debian_release)) audit(AUDIT_OS_NOT, 'Debian 11.0 / 12.0', 'Debian ' + debian_release);
var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Debian', cpu);
var pkgs = [
{'release': '11.0', 'prefix': 'squid', 'reference': '4.13-10+deb11u3'},
{'release': '11.0', 'prefix': 'squid-cgi', 'reference': '4.13-10+deb11u3'},
{'release': '11.0', 'prefix': 'squid-common', 'reference': '4.13-10+deb11u3'},
{'release': '11.0', 'prefix': 'squid-openssl', 'reference': '4.13-10+deb11u3'},
{'release': '11.0', 'prefix': 'squid-purge', 'reference': '4.13-10+deb11u3'},
{'release': '11.0', 'prefix': 'squidclient', 'reference': '4.13-10+deb11u3'},
{'release': '12.0', 'prefix': 'squid', 'reference': '5.7-2+deb12u1'},
{'release': '12.0', 'prefix': 'squid-cgi', 'reference': '5.7-2+deb12u1'},
{'release': '12.0', 'prefix': 'squid-common', 'reference': '5.7-2+deb12u1'},
{'release': '12.0', 'prefix': 'squid-openssl', 'reference': '5.7-2+deb12u1'},
{'release': '12.0', 'prefix': 'squid-purge', 'reference': '5.7-2+deb12u1'},
{'release': '12.0', 'prefix': 'squidclient', 'reference': '5.7-2+deb12u1'}
];
var flag = 0;
foreach package_array ( pkgs ) {
var _release = NULL;
var prefix = NULL;
var reference = NULL;
if (!empty_or_null(package_array['release'])) _release = package_array['release'];
if (!empty_or_null(package_array['prefix'])) prefix = package_array['prefix'];
if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
if (_release && prefix && reference) {
if (deb_check(release:_release, prefix:prefix, reference:reference)) flag++;
}
}
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_WARNING,
extra : deb_report_get()
);
exit(0);
}
else
{
var tested = deb_pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'squid / squid-cgi / squid-common / squid-openssl / squid-purge / etc');
}
Vendor | Product | Version | CPE |
---|---|---|---|
debian | debian_linux | squid-cgi | p-cpe:/a:debian:debian_linux:squid-cgi |
debian | debian_linux | 11.0 | cpe:/o:debian:debian_linux:11.0 |
debian | debian_linux | squid | p-cpe:/a:debian:debian_linux:squid |
debian | debian_linux | squid-purge | p-cpe:/a:debian:debian_linux:squid-purge |
debian | debian_linux | squid-common | p-cpe:/a:debian:debian_linux:squid-common |
debian | debian_linux | squid-openssl | p-cpe:/a:debian:debian_linux:squid-openssl |
debian | debian_linux | squidclient | p-cpe:/a:debian:debian_linux:squidclient |
debian | debian_linux | 12.0 | cpe:/o:debian:debian_linux:12.0 |
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-46724
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-46728
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-46846
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-46847
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-46848
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-49285
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-49286
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-50269
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-23638
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25111
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25617
packages.debian.org/source/bookworm/squid
packages.debian.org/source/bullseye/squid
security-tracker.debian.org/tracker/CVE-2023-46724
security-tracker.debian.org/tracker/CVE-2023-46728
security-tracker.debian.org/tracker/CVE-2023-46846
security-tracker.debian.org/tracker/CVE-2023-46847
security-tracker.debian.org/tracker/CVE-2023-46848
security-tracker.debian.org/tracker/CVE-2023-49285
security-tracker.debian.org/tracker/CVE-2023-49286
security-tracker.debian.org/tracker/CVE-2023-50269
security-tracker.debian.org/tracker/CVE-2024-23638
security-tracker.debian.org/tracker/CVE-2024-25111
security-tracker.debian.org/tracker/CVE-2024-25617
security-tracker.debian.org/tracker/source-package/squid
9.3 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
8.1 High
AI Score
Confidence
High
0.03 Low
EPSS
Percentile
91.0%