CVE-2023-46724
SQUID-2023:4 Denial of Service in SSL Certificate validation
Summary
Squid is vulnerable to service crashes when it processes malformed SSL certificates on HTTPS connections. A remote server can exploit this to take the proxy down.
Technical details
Improper validation of an index in Squid built with OpenSSL (versions 3.3.0.1–5.9 and 6.0–6.3) allows remote attackers to cause a denial of service by sending a crafted SSL certificate chain during the TLS handshake. The attack vector requires HTTPS or SSL-Bump mode; the impact is the proxy crashing or becoming unavailable.
Summary generated and translated by AI from the official description.
Squid is a caching proxy for the Web. Due to an Improper Validation of Specified Index bug, Squid versions 3.3.0.1 through 5.9 and 6.0 prior to 6.4 compiled using `--with-openssl` are vulnerable to a Denial of Service attack against SSL Certificate validation. This problem allows a remote server to perform Denial of Service against Squid Proxy by initiating a TLS Handshake with a specially crafted SSL Certificate in a server certificate chain. This attack is limited to HTTPS and SSL-Bump. This bug is fixed in Squid version 6.4. In addition, patches addressing this problem for the stable releases can be found in Squid's patch archives. Those who use a prepackaged version of Squid should refer to the package vendor for availability information on updated packages.
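As an added defender-side check, not part of this advisory and not Squid's own tooling, the following Python script classifies the output of `squid -v` against the affected ranges stated above (3.3.0.1 through 5.9, and 6.0 before 6.4, only for builds configured with `--with-openssl`). The `squid -v` samples are constructed, and the assumed output layout (a `Squid Cache: Version X.Y` line followed by a `configure options:` line) is an assumption about how Squid prints its build information rather than something this advisory specifies.

```python
import re
from typing import Optional, Tuple

# Ranges taken from the advisory text. Only OpenSSL builds are exposed; fixed in 6.4.
AFFECTED_FLOOR = (3, 3, 0, 1)
AFFECTED_LEGACY_CEILING = (5, 9)   # "3.3.0.1 through 5.9"
AFFECTED_6X_START = (6, 0)          # "6.0 prior to 6.4"
FIXED_VERSION = (6, 4)

# Constructed samples imitating `squid -v` output (assumed layout, not real captures).
AFFECTED_SAMPLE = """Squid Cache: Version 5.9
Service Name: squid
configure options:  '--prefix=/usr' '--with-openssl' '--enable-ssl-crtd'
"""
FIXED_SAMPLE = """Squid Cache: Version 6.4
Service Name: squid
configure options:  '--prefix=/usr' '--with-openssl'
"""
GNUTLS_SAMPLE = """Squid Cache: Version 5.7
Service Name: squid
configure options:  '--prefix=/usr' '--with-gnutls'
"""


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Extract the version as an int tuple from the 'Squid Cache: Version' line."""
    m = re.search(r"Squid Cache: Version\s+(\d+(?:\.\d+)*)", text)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def built_with_openssl(text: str) -> bool:
    """True when the configure options line lists --with-openssl."""
    m = re.search(r"configure options:(.*)", text)
    return bool(m) and "--with-openssl" in m.group(1)


def in_affected_range(version: Tuple[int, ...]) -> bool:
    """Apply the advisory's version ranges; tuple comparison handles 3.x/4.x/5.x uniformly."""
    if AFFECTED_FLOOR <= version and version[:2] <= AFFECTED_LEGACY_CEILING:
        return True
    return AFFECTED_6X_START <= version < FIXED_VERSION


def assess(squid_v_output: str) -> Tuple[str, str]:
    """Return (status, reason); status is 'affected', 'not-affected' or 'unknown'.

    Caveat: distribution packages that backport the SQUID-2023_4 patch keep the old
    version string, so 'affected' means 'confirm with the package vendor', not proof.
    """
    version = parse_version(squid_v_output)
    if version is None:
        return "unknown", "could not find a 'Squid Cache: Version' line"
    label = ".".join(map(str, version))
    if not built_with_openssl(squid_v_output):
        return "not-affected", f"Squid {label} is not built with --with-openssl"
    if in_affected_range(version):
        return "affected", (f"Squid {label} built with OpenSSL is in the advisory range; "
                            "upgrade to 6.4 or apply the SQUID-2023_4 patch")
    return "not-affected", f"Squid {label} is outside the advisory range"


if __name__ == "__main__":
    for name, sample in (("affected", AFFECTED_SAMPLE), ("fixed", FIXED_SAMPLE),
                         ("gnutls", GNUTLS_SAMPLE)):
        print(name, assess(sample))
```

On a live host, feed the script the real output (`squid -v | python3 check.py` style, or `subprocess.run(["squid", "-v"])`); the check is only as good as the version string, so a distro package carrying the backported patch still needs the vendor's changelog to confirm it is fixed.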
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
Affected products
squid-cache · squid
References
https://github.com/squid-cache/squid/commit/b70f864940225dfe69f9f653f948e787f99c3810
https://github.com/squid-cache/squid/security/advisories/GHSA-73m6-jm96-c6r3
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/A5QASTMCUSUEW3UOMKHZJB3FTONWSRXS/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MEV66D3PAAY6K7TWDT3WZBLCPLASFJDC/
https://security.netapp.com/advisory/ntap-20231208-0001/
http://www.squid-cache.org/Versions/v5/SQUID-2023_4.patch
http://www.squid-cache.org/Versions/v6/SQUID-2023_4.patch