PT-2014-1707 · Squid+5 · Squid+6

Matthew Daley

Published

2014-03-16

Updated

2017-01-07

CVE-2014-3609

CVSS v2.0

5.0

Medium

Vector

AV:N/AC:L/Au:N/C:N/I:N/A:P

Name of the Vulnerable Software and Affected Versions Squid versions 3.x prior to 3.3.12 Squid versions 3.4.x prior to 3.4.6

Description The issue allows remote attackers to cause a denial of service, potentially leading to disruption of protected information availability. This can be achieved through a request containing specially crafted Range headers with unidentifiable byte-range values, affecting the HttpHdrRange.cc component in Squid.

Recommendations For Squid versions 3.x prior to 3.3.12, update to version 3.3.12 or later. For Squid versions 3.4.x prior to 3.4.6, update to version 3.4.6 or later. As a temporary workaround, consider restricting access to the HttpHdrRange.cc component to minimize the risk of exploitation.

Exploit

Fix

DoS

RCE

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-20

Related Identifiers

ALT-PU-2014-1298

ALT-PU-2014-1531

ALT-PU-2014-1824

BDU:2015-00690

BDU:2015-04283

CESA-2014_1147

CESA-2014_1148

CVE-2014-3609

DLA-216-1

DLA-45-1

DSA-3014-1

DSA-3139-1

MGASA-2014-0369

RHSA-2014:1147

RHSA-2014:1148

RHSA-2014_1147

RHSA-2014_1148

SUSE-SU-2014_1140-1

USN-2327-1

Affected Products

Alt Linux

Centos

Red Hat

Squid

Squid Cache

Suse

Ubuntu

PT-2014-1707 · Squid+5 · Squid+6

CVE-2014-3609

Weakness Enumeration

Related Identifiers

Affected Products

References · 78