CVE-2019-12519
📋 TL;DR
CVE-2019-12519 is a stack-based buffer overflow vulnerability in Squid proxy server's ESI (Edge Side Includes) parser. When ESI is enabled and processing esi:when tags, improper bounds checking allows attackers to overflow a fixed-size stack buffer, potentially leading to remote code execution. This affects all Squid installations with ESI enabled through version 4.7.
💻 Affected Systems
- Squid
📦 What is this software?
Leap by Opensuse
Squid by Squid Cache
Ubuntu Linux by Canonical
⚠️ Risk & Real-World Impact
Worst Case
Remote unauthenticated attacker gains full control of the Squid server, potentially compromising the entire system and using it as a pivot point to attack internal networks.
Likely Case
Remote code execution leading to service disruption, data exfiltration, or installation of persistent backdoors on the proxy server.
If Mitigated
If ESI is disabled or proper network segmentation exists, impact is limited to denial of service or local privilege escalation.
🎯 Exploit Status
Proof of concept code exists in public repositories. Exploitation requires ESI to be enabled and accessible.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Squid 4.8 and later
Vendor Advisory: http://www.squid-cache.org/Advisories/SQUID-2019_4.txt
Restart Required: Yes
Instructions:
1. Upgrade Squid to version 4.8 or later.
2. For package managers: 'apt-get update && apt-get install squid' (Debian/Ubuntu) or 'yum update squid' (RHEL/CentOS).
3. Restart the Squid service: 'systemctl restart squid' or 'service squid restart'.
🔧 Temporary Workarounds
Disable ESI feature (Linux)
Disable Edge Side Includes processing in the Squid configuration
Edit squid.conf and ensure 'esi_enable off' is set
Restart Squid: systemctl restart squid
Network access control (all platforms)
Restrict access to Squid ESI endpoints
Configure firewall rules to limit access to Squid ports
Use Squid ACLs to restrict ESI processing
🧯 If You Can't Patch
- Disable ESI feature immediately in squid.conf configuration
- Implement strict network segmentation and firewall rules to limit Squid exposure
🔍 How to Verify
Check if Vulnerable:
Run 'squid -v' and check whether the version is 4.7 or earlier; if it is, check squid.conf for 'esi_enable on'.
Check Version:
squid -v | grep Version
Verify Fix Applied:
Verify Squid version is 4.8 or later with 'squid -v' and confirm ESI is disabled or properly configured
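The two checks above (version 4.7 or earlier, and 'esi_enable on' in squid.conf) combined into one POSIX sh verdict, as an added example that is not part of this advisory or of the Squid project. The version strings and the squid.conf contents it feeds itself are constructed; on a real host you would pass `squid -v | head -n 1` and the path to the live squid.conf instead.

```shell
#!/bin/sh
# Added example (not from the advisory): combine the version check and the
# esi_enable check into a single exposure verdict for CVE-2019-12519.
# All version lines and config files used below are constructed samples.

# Extract "major.minor[.patch]" from a `squid -v` version line, e.g.
# "Squid Cache: Version 4.7" -> "4.7". Prints nothing if no version is found.
squid_version_from_line() {
    printf '%s\n' "$1" | sed -n 's/.*Version[[:space:]]*\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# "yes" if the version is 4.7 or earlier (the affected range on this page),
# "no" for 4.8 and later, "unknown" if the line could not be parsed.
squid_version_vulnerable() {
    ver=$(squid_version_from_line "$1")
    [ -n "$ver" ] || { echo unknown; return 0; }
    major=${ver%%.*}
    case "$ver" in
        *.*) rest=${ver#*.}; minor=${rest%%.*} ;;
        *)   minor=0 ;;
    esac
    [ -n "$minor" ] || minor=0
    if [ "$major" -lt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -le 7 ]; }; then
        echo yes
    else
        echo no
    fi
}

# Effective esi_enable value in a squid.conf: comment lines are ignored and
# the last occurrence wins. Prints "on", "off" or "unset".
esi_enable_setting() {
    awk '
        /^[ \t]*#/ { next }
        tolower($1) == "esi_enable" { v = tolower($2) }
        END { if (v == "") print "unset"; else print v }
    ' "$1"
}

# Verdict for one host: $1 = first line of `squid -v`, $2 = path to squid.conf.
# exposed                      -> affected version and ESI switched on
# vulnerable-version-esi-off   -> affected version, ESI explicitly off
# vulnerable-version-esi-unset -> affected version, no esi_enable line at all
# patched                      -> 4.8 or later
cve_2019_12519_status() {
    vuln=$(squid_version_vulnerable "$1")
    esi=$(esi_enable_setting "$2")
    case "$vuln:$esi" in
        no:*)      echo patched ;;
        yes:on)    echo exposed ;;
        yes:off)   echo vulnerable-version-esi-off ;;
        yes:unset) echo vulnerable-version-esi-unset ;;
        *)         echo unknown ;;
    esac
}

# Stand-alone demonstration on constructed data.
demo() {
    tmp=$(mktemp)
    printf '%s\n' '# constructed squid.conf' 'http_port 3128' 'esi_enable off' 'esi_enable on' > "$tmp"
    cve_2019_12519_status "Squid Cache: Version 4.7" "$tmp"   # exposed
    printf '%s\n' 'http_port 3128' > "$tmp"
    cve_2019_12519_status "Squid Cache: Version 4.7" "$tmp"   # vulnerable-version-esi-unset
    cve_2019_12519_status "Squid Cache: Version 4.8" "$tmp"   # patched
    rm -f "$tmp"
}

demo
```

A host that reports "vulnerable-version-esi-unset" still needs the upgrade: the script does not know whether the build was compiled with ESI support, so it does not assume a default for a missing esi_enable line.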
📡 Detection & Monitoring
Log Indicators:
- Multiple ESI parsing errors
- Stack trace or segmentation fault in logs
- Unusual ESI:when tag processing
Network Indicators:
- Unusual traffic patterns to Squid ESI endpoints
- Large or malformed ESI requests
SIEM Query:
source="squid" AND ("segmentation fault" OR "stack overflow" OR "esi:when")
🔗 References
- http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00018.html
- http://www.openwall.com/lists/oss-security/2020/04/23/1
- https://gitlab.com/jeriko.one/security/-/blob/master/squid/CVEs/CVE-2019-12519.txt
- https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html
- https://security.gentoo.org/glsa/202005-05
- https://security.netapp.com/advisory/ntap-20210205-0006/
- https://usn.ubuntu.com/4356-1/
- https://www.debian.org/security/2020/dsa-4682