Squid Proxy Cache Security Update Advisory SQUID-2022:2

Advisory ID:       | SQUID-2022:2
Date:              | September 23, 2022
Summary:           | Buffer Over Read
                   | in SSPI and SMB Authentication
Affected versions: | Squid 2.5.STABLE1 -> 2.7.STABLE9
                   | Squid 3.x -> 3.5.28
                   | Squid 4.x -> 4.17
                   | Squid 5.x -> 5.6
Fixed in version:  | Squid 5.7


Problem Description:

 Due to an incorrect integer overflow protection Squid SSPI and
 SMB authentication helpers are vulnerable to a Buffer Overflow



 This problem allows a remote client to perform a Denial of
 Service attack when Squid is configured to use NTLM or Negotiate
 authentication with one of the vulnerable helpers.

 This problem allows a remote client to extract sensitive
 information from machine memory when Squid is configured to use
 NTLM or Negotiate authentication with one of the vulnerable
 helpers. The scope of this information includes user credentials
 in decrypted forms, and also arbitrary memory areas beyond Squid
 and the helper itself.

 This attack is limited to authentication helpers built using the
 libntlmauth library shipped by Squid.

CVSS Score of 8.2

Updated Packages:

This bug is fixed by Squid version 5.7.

 In addition, patches addressing this problem for the stable
 releases can be found in our patch archives:

Squid 4:

Squid 5:

 If you are using a prepackaged version of Squid then please refer
 to the package vendor for availability information on updated


Determining if your version is vulnerable:

 Run this command to view the configured authentication helpers:

   (squid -k parse 2>&1) | grep "Processing: auth_param"

 Your Squid may be vulnerable if the result contains any of the following:

 All Squid-2.5 up to and including 4.17 have vulnerable helpers.

 All Squid-5.x up to and including 5.6 have vulnerable helpers.




 Disable use of the vulnerable authentication scheme.


 Replace the vulnerable helper with an alternative helper for the
 same authentication scheme.


 Replace the vulnerable helper binary with one built from an
 updated or patched Squid release. The remainder of Squid does not
 need updating to fix this.


Contact details for the Squid project:

 For installation / upgrade support on binary packaged versions
 of Squid: Your first point of contact should be your binary
 package vendor.

 If you install and build Squid from the original Squid sources
 then the <squid-us...@lists.squid-cache.org> mailing list is your
 primary support point. For subscription details see

 For reporting of non-security bugs in the latest STABLE release
 the squid bugzilla database should be used

 For reporting of security sensitive bugs send an email to the
 <squid-b...@lists.squid-cache.org> mailing list. It's a closed
 list (though anyone can post) and security related bug reports
 are treated in confidence until the impact has been established.



 This vulnerability was discovered by LWIC.

 Fixed by Amos Jeffries of Treehouse Networks Ltd,
 based on patch by LWIC.


Revision history:

 2019-03-17 14:24:42 UTC Initial Report
 2022-08-08 12:16:43 UTC Fix Released
 2022-09-23 05:00:00 UTC Advisory Released
squid-announce mailing list

Reply via email to