CVE-2019-12527: Squid buffer overflow causes remote code execution vulnerability alert

On August 22, 2019, the Trend Micro research team released an analysis report on a buffer overflow vulnerability in the Squid proxy server, numbered CVE-2019-12527. An unauthenticated attacker can send crafted requests that exploit this vulnerability to achieve remote code execution. Squid is a popular open-source proxy server and caching application that supports a wide range of network protocols such as HTTP, HTTPS, and FTP.

CVE-2019-12527

Vulnerability Details

cachemgr.cgi is Squid's cache manager interface, used to display statistics about the proxy process. Squid processes the headers of cachemgr requests in the CacheManager::ParseHeaders() function. If the request carries an Authorization header and its type is Basic, the vulnerable function HttpHeader::getAuth() is called.

The HttpHeader::getAuth() function declares the decodedAuthToken array with a fixed size of 8192 bytes and uses it to hold the base64-decoded credentials. A Basic credential that decodes to more than 8192 bytes therefore overflows this array.

A remote attacker who does not need to authenticate can exploit this vulnerability by sending a crafted HTTP request to the target server. A successful exploit gives the attacker code execution; a failed attempt causes the server process to terminate abnormally.

The vulnerable function HttpHeader::getAuth() is also reached when Squid is used as an FTP proxy and the requested URI begins with the ftp:// scheme.
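The defect class described above is a base64 decode into a fixed-size buffer with no check of the decoded length. The following is an added example, not Squid's code: a small bounds-checked Basic-credential decoder that computes the decoded size from the input and refuses anything that would not fit, plus a header-level check a defender could use to flag requests whose credential would exceed the 8192-byte buffer. All function names (b64_decoded_len, b64_decode_checked, basic_auth_oversized, the demo_* helpers) and the sample inputs are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Same fixed size as the decodedAuthToken buffer described in the advisory. */
#define AUTH_TOKEN_CAP 8192

/* Map one base64 alphabet character to its 6-bit value, or -1 if invalid. */
static int b64_value(char c) {
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Decoded size of a padded base64 string of length n, or (size_t)-1 when n
 * is zero or not a multiple of 4. Computed from the input alone, so it can
 * be compared against the destination buffer before any byte is written. */
size_t b64_decoded_len(const char *s, size_t n) {
    if (n == 0 || n % 4 != 0) return (size_t)-1;
    size_t len = n / 4 * 3;
    if (s[n - 1] == '=') len--;
    if (s[n - 2] == '=') len--;
    return len;
}

/* Decode s[0..n) into out (capacity cap). Returns the decoded length, or -1
 * if the input is malformed or would not fit. The capacity check happens
 * before the first write; omitting it is the defect class behind the advisory. */
long b64_decode_checked(const char *s, size_t n, unsigned char *out, size_t cap) {
    size_t need = b64_decoded_len(s, n);
    if (need == (size_t)-1 || need > cap) return -1;
    size_t o = 0;
    for (size_t i = 0; i < n; i += 4) {
        int v[4], pads = 0;
        for (int k = 0; k < 4; k++) {
            char c = s[i + k];
            if (c == '=') {
                /* '=' is only valid as the last one or two characters */
                if (i + 4 != n || k < 2) return -1;
                v[k] = 0;
                pads++;
            } else {
                if (pads) return -1;            /* data after padding */
                v[k] = b64_value(c);
                if (v[k] < 0) return -1;
            }
        }
        uint32_t triple = ((uint32_t)v[0] << 18) | ((uint32_t)v[1] << 12) |
                          ((uint32_t)v[2] << 6) | (uint32_t)v[3];
        if (o < need) out[o++] = (triple >> 16) & 0xff;
        if (o < need) out[o++] = (triple >> 8) & 0xff;
        if (o < need) out[o++] = triple & 0xff;
    }
    return (long)o;
}

/* Header-level check a front-end filter could apply: returns 1 if the
 * Authorization value is a Basic credential whose decoded form exceeds
 * AUTH_TOKEN_CAP, otherwise 0. Such a request cannot be held by the
 * fixed-size buffer and should be rejected or alerted on. */
int basic_auth_oversized(const char *auth_value) {
    const char prefix[] = "Basic ";
    size_t plen = sizeof prefix - 1;
    if (strncmp(auth_value, prefix, plen) != 0) return 0;
    const char *tok = auth_value + plen;
    size_t need = b64_decoded_len(tok, strlen(tok));
    return need != (size_t)-1 && need > AUTH_TOKEN_CAP;
}

/* Constructed input: "dXNlcjpwYXNz" is base64 for "user:pass". Returns 1 if
 * the checked decoder reproduces it and refuses a buffer that is too small. */
int demo_decode_ok(void) {
    unsigned char buf[16];
    const char *tok = "dXNlcjpwYXNz";
    long n = b64_decode_checked(tok, strlen(tok), buf, sizeof buf);
    if (n != 9 || memcmp(buf, "user:pass", 9) != 0) return 0;
    return b64_decode_checked(tok, strlen(tok), buf, 8) == -1;
}

/* Constructed input: a header whose credential decodes to 8208 bytes, just
 * over AUTH_TOKEN_CAP. Returns the filter result (expected 1 = flagged). */
int demo_oversized_flagged(void) {
    enum { B64_LEN = 10944 };               /* 10944 / 4 * 3 = 8208 > 8192 */
    static char hdr[6 + B64_LEN + 1];
    memcpy(hdr, "Basic ", 6);
    memset(hdr + 6, 'A', B64_LEN);
    hdr[6 + B64_LEN] = '\0';
    return basic_auth_oversized(hdr);
}

int main(void) {
    printf("decode ok: %d\n", demo_decode_ok());
    printf("oversized flagged: %d\n", demo_oversized_flagged());
    return 0;
}
```

The design point is that the decoded length is derived from the encoded input length before anything is written, so the size comparison is independent of the decoder loop; a decoder that only discovers overflow while writing has already corrupted memory.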

Affected version

Squid 4.0.23 through 4.7

Solution

Squid has confirmed that it is affected and released a fix; upgrade to the latest version, Squid 4.8.

Users who cannot upgrade immediately can recompile Squid with --disable-auth-basic.

Alternatively, deny access to the cache manager reports and to FTP proxying with the following access control rules:

acl FTP proto FTP
http_access deny FTP
http_access deny manager