In 2021, I performed a security audit of The Squid Caching Proxy. Squid is by far the most well known open-source forwarding HTTP proxy, and is used in many contexts, like corporations that want to filter or cache content, companies that claim to provide a “VPN”, hobbyists, and even a few website use Squid as a reverse proxy. There are currently over 2.5 million instances available on the internet.
Using various techniques such as fuzzing, manual code review and static analysis, I discovered 55 security vulnerabilities (as well as 26 non-security bugs). Along the way, I also added Leak Sanitizer (LSAN) support to AFL++, and had some fun with some new techniques like setting up parallel fuzzing using network files systems.
The majority of these vulnerabilities have not been fixed. All vulnerabilities were discovered in squid-5.0.5. Tests were done in nearly every component possible: forward proxying, reverse proxying, all protocols supports (http, https, https intercept, urn, whois, gopher, ftp), responses, requests, “helpers”, DNS, ICAP, ESI, and caching. Every conceivable possible user and build configuration was used.
Taking this systematic and exhaustive approach is generally how I approach any audit. If you have any interesting projects like this one, I’m always available for rent.
Although I would normally discuss the vulnerabilities on this blog, there are simply too many to go over in one post. Luckily back in 2021, I outlined the issues and PoCs for most of the vulnerabilities. The vulnerabilities, their detailed explanations, and PoCs can be found on my GitHub.
The Squid Team have been helpful and supportive during the process of reporting these issues. However, they are effectively understaffed, and simply do not have the resources to fix the discovered issues. Hammering them with demands to fix the issues won’t get far. If you’re using Squid, feel free to submit patches for any of the unfixed issues to the team: I sent a few in the past where I could.
With any system or project, it is important to reguarly review solutions used in your stack to determine whether they are still appropriate. If you are running Squid in an environment which may suffer from any of these issues, then it is up to you to reassess whether Squid is the right solution for your system.
The below issues (and some information such as CVEs) can be found on GitHub. Note that there are 45 pages of vulnerabilities, but some pages reference multiple pathways to the same vulnerability (hence the total of 55).
In addition to the above vulnerabilities, the following bugs were discovered which did not indicate direct security impact:
- Uninitialised Memory Read in hdrCacheInit
- Excessively Loud Chunked Parsing Error
- Buffer Overflow During errorInitialize() using SSL
- Assertion in ipcCreate Due to dup() Failure.
- Invalid Free in helperStatefulHandleRead()
- Uninitialised Memory Read in UFSSwapDir()
- Excessively Loud Chunked Reply Error Reporting
- Assertion Due to url_rewrite_children Option
- Clang-12.0 Compiler Errors
- 18x Undefined Behaviour in Squid / Other Reports
- Buffer Overflow Due to Undefined Behavior
- Warning Header Breaks RFC 7230
- Logging Level-2 Broken