Open-Source Squid Proxy with 35 Unfixed Flaws

Executive Summary

35 vulnerabilities in the Squid caching proxy, which is an open-source caching and forwarding web proxy widely used for content delivery, have remained unfixed for over two years.

Security researcher Joshua Rogers discovered 55 flaws during a security audit in February 2021, and to date, only 20 of these vulnerabilities have been addressed.

Joshua Rogers pointed out that there are more than 2.5 million Squid instances exposed on the internet.

The issue of ownership and responsibility for fixing vulnerabilities in open-source software, like Squid, is a significant concern. As highlighted in this case, the Squid Team, composed mainly of volunteers, faces resource limitations that hinder their ability to promptly address these vulnerabilities. This raises broader questions about the sustainable maintenance and support of open-source projects.

About Squid Vulnerabilities

Squid vulnerabilities are a growing concern due to their potential impact and the large number of instances exposed on the internet.

Rogers uncovered these vulnerabilities during a security audit of Squid’s C++ source code, finding a total of 55 flaws. While some progress has been made in addressing these issues, 35 vulnerabilities remain unpatched, which is a significant security risk. Most of the vulnerabilities have not yet been assigned CVEs.

Rogers has decided to publicly release the details of these vulnerabilities after waiting for over two and a half years for fixes. The publication of vulnerability details has raised concerns about the potential for malicious actors to exploit these vulnerabilities.

Key Concerns and Recommendations

Key concerns related to unfixed Squid vulnerabilities:

  1. Long-standing Unpatched Vulnerabilities: The Squid caching proxy has 35 vulnerabilities that have remained unaddressed for over two years, posing a significant security risk. These unpatched vulnerabilities can potentially lead to security breaches, data exposure, and service disruption.
  2. Limited CVE Assignments: Many of the identified vulnerabilities lack assigned Common Vulnerabilities and Exposures (CVE) identifiers, making it challenging to track and manage them effectively. This lack of CVEs hinders the ability to communicate about these vulnerabilities and monitor their remediation progress.
  3. Potential Exploitation: The release of detailed information about these vulnerabilities raises concerns about potential exploitation by malicious actors. Without proper patches or workarounds, the unmitigated vulnerabilities in Squid could be targeted by attackers.
  4. Resource Constraints in Open Source Development: The Squid Team, comprised mainly of volunteers, faces resource limitations that hinder their ability to promptly address these vulnerabilities. This highlights the broader issue of sustainable maintenance and support for open-source projects.

Users of Squid should assess whether it is still a suitable solution for their systems, especially if they may be vulnerable to these unpatched vulnerabilities. Regularly reviewing and reassessing the suitability of software used in one’s stack is essential to ensure adequate security measures.

The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), National Security Agency (NSA), and U.S. Department of the Treasury have recently issued a fact sheet to assist with better management of risk from open source software (OSS) use in operational technology products and to increase resilience using available resources. It also highlights the need for financial and other forms of support to enhance the security and stability of open-source projects like Squid.

Cubic Lighthouse is a cybersecurity publication dedicated to demystifying security, making news actionable, providing deeper thinking about the fundamentals of security, and providing decision-makers and the community at large with the right information to make the right decisions. We will also feature more technical articles and provide personal/family security advice.

©2024 Cubic Consulting, a Smart Security Company for your Business – All Rights Reserved.