Description
Squid is a caching proxy for the Web. Prior to version 7.5, due to heap Use-After-Free, Squid is vulnerable to Denial of Service when handling ICP traffic. This problem allows a remote attacker to perform a reliable and repeatable Denial of Service attack against the Squid service using ICP protocol. This attack is limited to Squid deployments that explicitly enable ICP support (i.e. configure non-zero icp_port). This problem cannot be mitigated by denying ICP queries using icp_access rules. Version 7.5 contains a patch.
A flaw was found in Squid. A remote attacker can exploit a heap Use-After-Free vulnerability when handling ICP (Internet Cache Protocol) traffic. This allows them to perform a reliable and repeatable Denial of Service (DoS) attack, making the Squid service unavailable. This attack is limited to deployments where ICP support is explicitly enabled.
Statement
Important: A heap Use-After-Free vulnerability in Squid's ICP handling can lead to a denial of service. This flaw affects Red Hat products where the Squid proxy is configured to explicitly enable Internet Cache Protocol (ICP) support by setting a non-zero icp_port. Deployments with default configurations, where ICP is typically disabled, are not affected.
Mitigation
To mitigate this issue, disable ICP support in Squid by ensuring that icp_port is set to 0 (the default) in the squid.conf configuration file. This stops Squid from listening for ICP traffic and removes the attack vector. Note that denying ICP queries with icp_access rules does not mitigate this issue; only turning the ICP listener off does. After modifying the configuration, the Squid service must be restarted for the change to take effect.
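The following shell script is an added example, not code from Red Hat or the Squid project. It audits one or more squid.conf files for the setting that makes this issue reachable: it strips comments, resolves the effective icp_port value (assuming that an absent directive means 0, which is Squid's documented default, and that when the directive appears more than once the last occurrence wins), and reports whether the ICP listener is on. The sample configurations it writes to a temporary directory are constructed for the example; the weak setting (icp_port 3130 with an icp_access deny rule that does not help) is shown beside the corrected one (icp_port 0).

```shell
#!/bin/sh
# Added example: audit squid.conf for an enabled ICP listener (icp_port != 0).
# Not Red Hat's or Squid's own tooling. Assumptions: "icp_port <n>" is the
# directive, a missing directive means 0 (Squid's default), and the last
# occurrence wins when it is repeated. "include" directives are not followed.

# effective_icp_port FILE -> prints the port Squid would listen on (0 = ICP off)
effective_icp_port() {
    sed -e 's/#.*//' "$1" |
        awk '$1 == "icp_port" { p = $2 } END { print (p == "" ? 0 : p) }'
}

# icp_enabled FILE -> exit status 0 when the ICP listener is on (exposed), 1 otherwise
icp_enabled() {
    [ "$(effective_icp_port "$1")" -ne 0 ]
}

# report FILE... -> one line per file saying whether it is exposed to this DoS
report() {
    for f in "$@"; do
        if icp_enabled "$f"; then
            printf '%s: icp_port %s -> ICP listener ON, exposed; set icp_port 0 and restart squid\n' \
                "$f" "$(effective_icp_port "$f")"
        else
            printf '%s: icp_port 0 -> ICP disabled, not exposed\n' "$f"
        fi
    done
}

# Constructed sample configurations (not taken from any real deployment).
tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT

# Weak setting: the ICP listener is open. Per the advisory, the icp_access
# deny rule below does NOT mitigate the vulnerability.
cat > "$tmpdir/vulnerable.conf" <<'EOF'
http_port 3128
icp_port 3130
icp_access deny all
EOF

# Corrected setting: ICP explicitly turned off.
cat > "$tmpdir/hardened.conf" <<'EOF'
http_port 3128
icp_port 0
EOF

# Default: no icp_port directive at all (only a commented-out one), so ICP is off.
cat > "$tmpdir/default.conf" <<'EOF'
http_port 3128
# icp_port 3130
EOF

report "$tmpdir"/*.conf
```

Run the script as-is to see the three verdicts, or call `report /etc/squid/squid.conf` against a real file. Because the checker does not follow `include` lines, a deployment that splits its configuration across files needs each included file audited as well.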
Affected packages
| Platform | Package | State | Advisory | Release date |
|---|---|---|---|---|
| Red Hat Enterprise Linux 10 | squid | Affected | ||
| Red Hat Enterprise Linux 6 | squid | Out of support scope | ||
| Red Hat Enterprise Linux 6 | squid34 | Out of support scope | ||
| Red Hat Enterprise Linux 7 | squid | Affected | ||
| Red Hat Enterprise Linux 8 | squid:4/squid | Affected | ||
| Red Hat Enterprise Linux 9 | squid | Fixed | RHSA-2026:6301 | 31.03.2026 |
Additional information
CVSS3 score: 7.5 High
Related vulnerabilities
Squid vulnerable to Denial of Service in ICP Request handling