Now-patched flaw allowed attacker to poison downstream caches

Squid proxy addresses web cache poisoning vulnerability with latest release

A new version of the open source Squid caching proxy has been released, complete with mitigations against a security flaw that could allow an attacker to embark on web cache poisoning campaigns.

“Due to incorrect data validation, Squid is vulnerable to HTTP request splitting attacks against HTTP and HTTPS traffic,” the project maintainers warned in a recent advisory.

The vulnerability was discovered by an occasional security researcher who goes by the online handle Regilero.

He found that Squid was using a string search instead of parsing the Transfer-Encoding header to find chunked encoding.

RECOMMENDED Black Hat 2020: Web cache poisoning offers fresh ways to smash through the web stack

“This allows an attacker to hide a second request inside Transfer-Encoding,” the CVE advisory explains.

“It is interpreted by Squid as chunked and split out into a second request delivered upstream. Squid will then deliver two distinct responses to the client, corrupting any downstream caches.”

The vulnerability was given a high CVSS rating of 9.3, as it allows any client – including browser scripts – to bypass local security mechanisms and poison the browser cache and any downstream caches with content from an arbitrary source.

Three’s a charm

The web cache poisoning issue has been fixed in the latest version of Squid (4.13), along with the latest beta build (5.0.4).

Regilero said he is working on a technical write-up of his discovery, which is the third Squid security bug he has disclosed over recent months.

“The first two issues were already fixed before the latest release,” the researcher told The Daily Swig this week.

“It was a very classical response splitting issue with spaces on headers, and I think this latest release contains some fixes about some other space variations that [HTTP request smuggling pioneer] Amit Klein discovered.

READ MORE Squid patches security flaws in HTTP digest authentication

“And the second one was a server-side request forgery on host header manipulations – something quite close [to] James Kettle’s [research] on absolute URI host experiences from a few years ago.”

Discussing the web security research community’s ongoing enthusiasm for hacking techniques that fall under the HTTP request smuggling family, Regilero said: “Request splitting issues have mainly two big consequences: HTTP desync (chaos) and cache poisoning.

“The second issue (Host header manipulation) impact is more a problem of security filter bypass (backend access bypass).

“I think also the recent boom in ‘HTTP desync’ has increased the number of security reports and that subject is now closely studied in HTTP projects.”

YOU MIGHT ALSO LIKE Make it rain: Google Cloud API bug leaks private project information