Vulnerabilities have lain undiscovered since 2001
UPDATED Squid, the open source web proxy, has patched a trio of security vulnerabilities in HTTP digest authentication, with one critical flaw potentially allowing attackers to mount man-in-the-middle attacks.
An update that fixed another, high severity memory bug served to create an additional flaw with the same impact, after security researchers found an alternative means of achieving the same goal.
French security outfit Synacktiv discovered the vulnerabilities in the Squid web proxy, which reduces bandwidth use for hundreds of ISPs and thousands of websites globally, during a security assessment.
Synacktiv researcher Clément Berthaux told The Daily Swig that the flaws he and colleague Florian Guilbert found had been “introduced along with the first commit to implement digest authentication” in 2001.
The critical, use-after-free flaw (CVE-2020-11945) leaves Squid open to credential replay and remote code execution attacks against HTTP digest authentication tokens.
In a blog post published on May 4, Berthaux and Guilbert recounted the discovery of a “pretty dangerous”, 16-bit integer being used as a nonce reference counter.
The pair speculates that performing “enough requests” to overflow the counter “before the associated UserRequest objects are garbage collected” would “trigger a use-after-free vulnerability.”
But Berthaux told The Daily Swig that the probability of exploitation “in the wild seems low” since they lack “a working exploit”, authentication was required, and that Squid “would need to be configured to use digest as its authentication scheme”.
Successful attackers, however, could “execute arbitrary code on the underlying server” and create “a particularly interesting man-in-the-middle situation”.
“Moreover,” Berthaux added, “lots of companies enable the SslBump (aka SSL/TLS interception) feature in Squid for caching or security purposes.
“In this configuration, an attacker would be able to eavesdrop and alter all the communications between the company users and the Internet, even those using HTTPS.”
This means an attacker could bypass ASLR [Address Space Layout Randomization] and isolate memory areas to target for remote code execution attacks.
When “looking at the patch” that followed, Berthaux told The Daily Swig “that we found out that it was still possible to recover the pointer value by brute-forcing it”.
Synacktiv notified the Squid project maintainers of the use-after-free flaw on November 19, while the memory leak vulnerability was first discovered by another researcher, David Fifield, and fixed in 4.9 on November 7.
The resulting brute-force vulnerability was patched in Squid 4.10.
The remaining, critical flaw was then fixed in Squid 4.11, which landed on April 19.
Pending application of the latest update, “disabling this authentication scheme would prevent any exploit attempt,” said Berthaux.
Squid release maintainer Amos Jeffries said “we very much appreciate” the work of IT security firms hired by “downstream distributors and their clients”, adding that Squid also regularly deployed “static analysis tools and CI stability systems.”
Squid users can subscribe to a mailing list dedicated to advisories and release notes published by The Squid Project.
This article was updated on May 13 with an update to technical details related to CVE-2019-18679 following feedback from Amos Jeffries, Squid project maintainer.