Vigil@nce: Squid, denial of service via HTCP
February 2010 by Vigil@nce
An attacker can send a malicious HTCP query to Squid, in order to
stop it.
– Severity: 2/4
– Consequences: denial of service of service
– Provenance: intranet client
– Means of attack: no proof of concept, no attack
– Ability of attacker: expert (4/4)
– Confidence: confirmed by the editor (5/5)
– Diffusion of the vulnerable configuration: medium (2/3)
– Creation date: 12/02/2010
IMPACTED PRODUCTS
– Squid cache
DESCRIPTION OF THE VULNERABILITY
The HTCP (Hypertext Caching Protocol) protocol is used between
cache servers. When the htcp_port directive is used in the
configuration file of Squid, HTCP is enabled (this is not the
default case).
When HTCP is enabled, an attacker can connect to the port 4827,
and send an invalid HTCP query. A NULL pointer is then
dereferenced in the htcpAccessCheck() function of the src/htcp.c
file.
An attacker can therefore send a malicious HTCP query to Squid, in
order to stop it.
CHARACTERISTICS
– Identifiers: 2858, BID-38212, CVE-2010-0639, SQUID-2010:2,
VIGILANCE-VUL-9449
– Url: http://vigilance.fr/vulnerability/Squid-denial-of-service-via-HTCP-9449