PT-2015-6236 · Squid+4 · Squid+5
Published
2014-04-24
·
Updated
2019-12-27
·
CVE-2015-3455
CVSS v2.0
2.6
Low
| Vector | AV:N/AC:H/Au:N/C:N/I:P/A:N |
Name of the Vulnerable Software and Affected Versions
Squid versions 3.2.x through 3.2.13
Squid versions 3.3.x through 3.3.13
Squid versions 3.4.x through 3.4.12
Squid versions 3.5.x through 3.5.3
Description
The issue arises when Squid is configured with client-first SSL-bump and fails to properly validate the domain or hostname fields of X.509 certificates. This allows man-in-the-middle attackers to spoof SSL servers via a valid certificate.
Recommendations
For Squid versions 3.2.x through 3.2.13, update to version 3.2.14 or later.
For Squid versions 3.3.x through 3.3.13, update to version 3.3.14 or later.
For Squid versions 3.4.x through 3.4.12, update to version 3.4.13 or later.
For Squid versions 3.5.x through 3.5.3, update to version 3.5.4 or later.
Exploit
Fix
RCE
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Alt Linux
Centos
Red Hat
Squid
Squid Cache
Suse