A detailed repository of vulnerabilities that I discovered in The Squid Caching Proxy.

MegaManSec/Squid-Security-Audit

Squid Caching Proxy Security Audit: 55 vulnerabilities and 35 0days

In February 2021, I started looking for vulnerabilities in forward-proxies, and found various issues in Squid. Some more information about what's here can be found on my blog: https://joshua.hu/squid-security-audit-35-0days-45-exploits

Explanations and reproducers for each of the vulnerabilities are documented in each of the markdown files. IDs are assigned where possible; however, since the majority of these remain unfixed, there are no identifiers.

The Squid Team have been helpful and supportive during the process of reporting these issues. However, they are effectively understaffed, and simply do not have the resources to fix the discovered issues. Hammering them with demands to fix the issues won't get far.

With any system or project, it is important to regularly review solutions used in your stack to determine whether they are still appropriate. If you are running Squid in an environment which may suffer from any of these issues, then it is up to you to reassess whether Squid is the right solution for your system.

| Vulnerability | CVE | GHSA |
| --- | --- | --- |
| Buffer Overflow in Digest Authentication | CVE-2023-46847 | GHSA-phqj-m8gv-cq4g |
| Use-After-Free in TRACE Requests | CVE-2023-49288 | GHSA-rj5h-46j6-q2g5 |
| Partial Content Parsing Use-After-Free | CVE-2021-31807 | GHSA-pxwq-f3qr-w2xf |
| X-Forwarded-For Stack Overflow | CVE-2023-50269 | GHSA-wgq4-4cfg-c4x3 |
| Chunked Encoding Stack Overflow | | |
| Use-After-Free in Cache Manager Errors | CVE-2024-23638 | GHSA-j49p-553x-48rx |
| Cache Poisoning by Large Stored Response Headers (With Bonus XSS) | CVE-2023-5824 | GHSA-543m-w2m2-g255 |
| Memory Leak in CacheManager URI Parsing | CVE-2021-28652 | |
| RFC 2141 / 2169 (URN) Response Parsing Memory Leak | CVE-2021-28651 | |
| Memory Leak in HTTP Response Parsing | | |
| Memory Leak in ESI Error Processing | | |
| 1-Byte Buffer OverRead in RFC 1123 date/time Handling | CVE-2023-49285 | GHSA-8w9r-p88v-mmx9 |
| Null Pointer Dereference in Gopher Response Handling | CVE-2023-46728 | GHSA-cg5h-v6vc-w33f |
| One-Byte Buffer OverRead in HTTP Request Header Parsing | | |
| strlen(NULL) Crash Using Digest Authentication | | GHSA-254c-93q9-cp53 |
| Assertion in ESI Header Handling | | |
| Integer Overflow in Range Header | CVE-2021-31808 | GHSA-pxwq-f3qr-w2xf |
| Gopher Assertion Crash | | |
| Whois Assertion Crash | | |
| Assertion in Gopher Response Handling | CVE-2021-46784 | |
| RFC 2141 / 2169 (URN) Assertion Crash | | |
| Vary: Other HTTP Response Assertion Crash | CVE-2021-28662 | |
| Assertion in Negotiate/NTLM Authentication Using Pipeline Prefetching | | |
| Assertion on IPv6 Host Requests with --disable-ipv6 | | |
| Assertion Crash on Unexpected "HTTP/1.1 100 Continue" Response Header | | |
| Pipeline Prefetch Assertion With Double 'Expect:100-continue' Request Headers | | |
| Pipeline Prefetch Assertion With Invalid Headers | | |
| Assertion Crash in Deferred Requests | | |
| Assertion in Digest Authentication | | |
| FTP URI Assertion | CVE-2023-46848 | GHSA-2g3c-pg7q-g59w |
| FTP Authentication Crash | | |
| Unsatisfiable Range Requests Assertion | CVE-2021-31806 | GHSA-pxwq-f3qr-w2xf |
| Crash in Content-Range Response Header Logic | CVE-2021-33620 | GHSA-572g-rvwr-6c7f |
| Assertion Crash In HTTP Response Headers Handling | | |
| Implicit Assertion in Stream Handling | | |
| Buffer UnderRead in SSL CN Parsing | CVE-2023-46724 | GHSA-73m6-jm96-c6r3 |
| Use-After-Free in ESI 'Try' (and 'Choose') Processing | | |
| Use-After-Free in ESI Expression Evaluation | | |
| Buffer Underflow in ESI | | GHSA-wgvf-q977-9xjg |
| Assertion in Squid "Helper" Process Creator | CVE-2023-49286 | GHSA-xggx-9329-3c27 |
| Assertion Due to 0 ESI 'when' Checking | | GHSA-4g88-277m-q89r |
| Assertion Using ESI's When Directive | | GHSA-4g88-277m-q89r |
| Assertion in ESI Variable Assignment (String) | | |
| Assertion in ESI Variable Assignment | | |
| Null Pointer Dereference In ESI's esi:include and esi:when | | |
