CYBERNEWSMEDIA Network:||
CYBERNEWSMEDIA
CYBERNEWSMEDIA

Cybersecurity News, Insights & Analysis

Latest
TrueConf Zero-Day Exploited in Asian Government Attacks
In Other News: ChatGPT Data Leak, Android Rootkit, Water Facility Hit by Ransomware
Critical ShareFile Flaws Lead to Unauthenticated RCE
Mobile Attack Surface Expands as Enterprises Lose Control
React2Shell Exploited in Large-Scale Credential Harvesting Campaign
AD · 970×250

Vulnerabilities

Dozens of Squid Proxy Vulnerabilities Remain Unpatched 2 Years After Disclosure

Dozens of Squid caching proxy vulnerabilities remain unpatched two years after a researcher reported them to developers. The post Dozens of Squid Proxy Vulnerabilities Remain Unpatched 2 Years After Disclosure appeared first on SecurityWeek.

Supply chain attack

Dozens of vulnerabilities affecting the Squid caching and forwarding web proxy remain unpatched two years after a researcher responsibly disclosed them to developers.

Squid is a widely used open source proxy. According to the official site, “Many of you are using Squid without even knowing it! Some companies have embedded Squid in their home or office firewall devices, others use Squid in large-scale web proxy installations to speed up broadband and dialup internet access. Squid is being increasingly used in content delivery architectures to deliver static and streaming video/audio to internet users worldwide.”

The Squid security holes were discovered in 2021 by researcher Joshua Rogers, who this week disclosed the technical details of his findings. Rogers identified 55 vulnerabilities by targeting various components with fuzzing, manual code review and static analysis. 

According to the researcher, only a handful of flaws have been assigned CVE identifiers and 35 of them remain unpatched. 

Many of the vulnerabilities can lead to a crash, but some can also be exploited for arbitrary code execution.

“The Squid Team have been helpful and supportive during the process of reporting these issues. However, they are effectively understaffed, and simply do not have the resources to fix the discovered issues. Hammering them with demands to fix the issues won’t get far,” Rogers said.

The researcher pointed out that there are more than 2.5 million Squid instances exposed on the internet.

“With any system or project, it is important to regularly review solutions used in your stack to determine whether they are still appropriate,” the researcher said. “If you are running Squid in an environment which may suffer from any of these issues, then it is up to you to reassess whether Squid is the right solution for your system.”

SecurityWeek has reached out to Squid developers for comment and will update this article if they respond. 

Related: Top 10 Security, Operational Risks From Open Source Code

Related: SBOMs – Software Supply Chain Security’s Future or Fantasy?

Related: GitLab Security Update Patches Critical Vulnerability

Latest News

CYBERNEWSMEDIAPublisher