CVE-2011-3596
📋 TL;DR
CVE-2011-3596 is a denial-of-service vulnerability in Polipo caching web proxy where specially crafted HTTP POST or PUT requests can cause the service to crash. This affects all Polipo installations running versions before 1.0.4.1. The vulnerability allows remote attackers to disrupt proxy service availability.
💻 Affected Systems
- Polipo
📦 What is this software?
Polipo by Polipo Project
⚠️ Risk & Real-World Impact
Worst Case
Complete service disruption of Polipo proxy, affecting all users relying on the proxy for web access or caching services.
Likely Case
Intermittent service outages requiring manual restart of Polipo service, disrupting web access for users.
If Mitigated
Minimal impact with proper network segmentation and monitoring allowing quick detection and service restoration.
🎯 Exploit Status
Simple HTTP request crafting required, no authentication needed. Public exploit details available in bug reports.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.0.4.1 and later
Vendor Advisory: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=644289
Restart Required: Yes
Instructions:
1. Stop Polipo service.
2. Update Polipo to version 1.0.4.1 or later using your package manager.
3. Restart Polipo service.
🔧 Temporary Workarounds
Network Filtering
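Block or filter HTTP POST/PUT requests to Polipo using firewall rules or a web application firewall. On Linux, the rules below drop any packet sent to port 8123 whose payload contains the string "POST" or "PUT" anywhere, so they block all POST/PUT traffic through the proxy, legitimate requests included.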
iptables -A INPUT -p tcp --dport 8123 -m string --string "POST" --algo bm -j DROP
iptables -A INPUT -p tcp --dport 8123 -m string --string "PUT" --algo bm -j DROP
Service Monitoring and Auto-restart
Implement monitoring and automatic restart of the Polipo service if it crashes (Linux).
systemctl enable polipo
systemctl start polipo
Add to cron: */5 * * * * systemctl is-active --quiet polipo || systemctl restart polipo
🧯 If You Can't Patch
- Deploy Polipo behind a reverse proxy or load balancer that can filter malicious requests.
- Implement rate limiting on HTTP POST/PUT requests to reduce attack surface.
🔍 How to Verify
Check if Vulnerable:
Check Polipo version: polipo -v | grep version. If version is earlier than 1.0.4.1, system is vulnerable.
Check Version:
polipo -v | grep version
Verify Fix Applied:
After update, verify version is 1.0.4.1 or later: polipo -v | grep version. Test with normal HTTP traffic.
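The version comparison behind this check, as an added example (not code from this page or from the Polipo project). It assumes the version string has already been extracted and is passed in as an argument; `version_lt` and `polipo_status` are hypothetical helper names.

```shell
#!/bin/sh
# Added example: classify a Polipo version string against the fixed
# release named in this advisory. Plain string comparison is unreliable
# here: the threshold has four components (1.0.4.1), while older
# releases such as 1.0.4 have three.

FIXED_VERSION="1.0.4.1"   # patch version stated in the advisory

# version_lt A B: exit 0 when dotted numeric version A is lower than B.
# A missing component counts as 0, so "1.0.4" is compared as "1.0.4.0".
# (POSIX sh has no local variables; a, b, x, y are scratch globals.)
version_lt() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}              # leading component of each
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        x=${x:-0}; y=${y:-0}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
    done
    return 1                                # equal, so not lower
}

# polipo_status VERSION: print "vulnerable", "fixed" or "unknown".
# Anything that is not purely dotted digits (for example a distribution
# package revision suffix) is reported as unknown instead of guessed at.
polipo_status() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) echo unknown; return 0 ;;
    esac
    if version_lt "$1" "$FIXED_VERSION"; then
        echo vulnerable
    else
        echo fixed
    fi
}

# Stand-alone use: sh check.sh 1.0.4
if [ $# -gt 0 ]; then
    polipo_status "$1"
fi
```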
📡 Detection & Monitoring
Log Indicators:
- Polipo service crashes or restarts in system logs
- Multiple HTTP POST/PUT requests from single source in Polipo logs
- Error messages related to request handling in Polipo logs
Network Indicators:
- Unusual volume of HTTP POST/PUT requests to Polipo port (default 8123)
- Requests with malformed headers or unusual content length
SIEM Query:
source="polipo.log" AND ("POST" OR "PUT") AND ("error" OR "crash" OR "restart")
🔗 References
- https://access.redhat.com/security/cve/cve-2011-3596
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=644289
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-3596
- https://security-tracker.debian.org/tracker/CVE-2011-3596