Name of the Vulnerable Software and Affected Versions
Squid versions 6.3 and below
Squid versions 4.x through 4.17
Squid versions 5.x through 5.9
Description
Squid is vulnerable to a heap-based buffer overflow when processing Uniform Resource Name (URN) requests due to incorrect buffer management. This allows a remote attacker to potentially execute arbitrary code or leak up to 4KB of heap memory, which may contain sensitive information like session tokens and keys. The vulnerability occurs when processing specially crafted URN Trivial-HTTP responses. Over 53 million instances of the software have been identified, with over 27% potentially vulnerable.
Recommendations
Squid versions prior to 6.4: Update to version 6.4 or later to resolve this issue.
Squid versions 4.x through 4.17: Update to version 6.4 or later to resolve this issue.
Squid versions 5.x through 5.9: Update to version 6.4 or later to resolve this issue.
As a temporary workaround, disable URN access permissions by adding the following to the Squid configuration:
acl URN proto URN
http_access deny URN
Then, restart Squid to apply the changes.
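As an added example (not part of this advisory or of the Squid project), the following Python check applies the two recommendations above across a fleet: it flags Squid versions that predate the 6.4 fix and verifies that the URN workaround is present in squid.conf and placed where it can take effect. The version-string format and the sample configuration are constructed for illustration; the ordering rule it enforces reflects Squid's first-match evaluation of http_access lines.

```python
"""Fleet check for the Squid URN advisory: flag unpatched versions and
verify that the temporary http_access workaround is actually in place.
Added example, not part of the advisory or of the Squid project."""
import re

FIXED = (6, 4)  # the advisory's fix version; everything older is affected


def parse_version(text):
    """Extract (major, minor[, patch]) from 'squid -v' output or a bare string.

    Input is assumed to contain a dotted version such as
    'Squid Cache: Version 5.9' (constructed format for this example).
    """
    m = re.search(r"\b(\d+)\.(\d+)(?:\.(\d+))?\b", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(g) for g in m.groups() if g is not None)


def is_affected(text):
    """True when the version predates the 6.4 fix.

    This single comparison covers all three ranges the advisory lists
    (4.x-4.17, 5.x-5.9, 6.0-6.3) and is deliberately conservative.
    """
    return parse_version(text)[:2] < FIXED


def workaround_present(conf_text):
    """Check squid.conf text for the advisory's URN workaround.

    Returns True only if an acl of type 'proto URN' is defined and an
    'http_access deny <that acl>' appears before any 'http_access allow'.
    Squid evaluates http_access rules top to bottom and stops at the
    first match, so an earlier allow may already admit some URN
    requests; the checker treats that ordering as not protected.
    """
    urn_acls = set()
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        parts = line.split()
        if (parts[0] == "acl" and len(parts) >= 4
                and parts[2].lower() == "proto" and parts[3].upper() == "URN"):
            urn_acls.add(parts[1])
        elif parts[0] == "http_access" and len(parts) >= 3:
            action, acls = parts[1], parts[2:]
            if action == "deny" and any(a in urn_acls for a in acls):
                return True
            if action == "allow":
                return False  # an allow precedes the deny: not protected
    return False


if __name__ == "__main__":
    # Constructed sample inputs for a stand-alone run.
    sample_version = "Squid Cache: Version 5.9"
    sample_conf = """
    # squid.conf excerpt (constructed)
    acl URN proto URN
    http_access deny URN
    http_access allow localhost
    """
    print("affected:", is_affected(sample_version))
    print("workaround present:", workaround_present(sample_conf))
```

Run the version check against the output of `squid -v` on each host and the configuration check against the deployed squid.conf; a host that is affected and lacks the workaround needs the 6.4 upgrade or the acl/http_access lines from the recommendations above.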