CVE-2019-12523

9.1 CRITICAL

📋 TL;DR

This Squid vulnerability allows attackers to bypass access controls by making URN requests that trigger HTTP requests without proper authorization checks. Attackers can access restricted HTTP servers, including those only listening on localhost. All Squid installations before version 4.9 are affected.

💻 Affected Systems

Products:
  • Squid
Versions: All versions before 4.9
Operating Systems: All operating systems running Squid
Default Config Vulnerable: ⚠️ Yes
Notes: Any Squid configuration using URN handling is vulnerable. The vulnerability exists in the URN request processing code.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete bypass of Squid's access controls allowing attackers to reach internal HTTP servers, potentially exposing sensitive internal services or data.

🟠 Likely Case

Unauthorized access to internal HTTP services that should be restricted, potentially leading to data exposure or service compromise.

🟢 If Mitigated

Limited impact if proper network segmentation and additional firewall rules are in place to restrict access to internal services.

🌐 Internet-Facing: HIGH - Internet-facing Squid proxies can be exploited to reach internal HTTP servers that should be inaccessible from outside.
🏢 Internal Only: MEDIUM - Internal attackers could bypass access controls to reach restricted internal HTTP servers they shouldn't have access to.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending specially crafted URN requests to the Squid proxy. Public advisories include technical details that could be used to create exploits.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Squid 4.9 and later

Vendor Advisory: http://www.squid-cache.org/Advisories/SQUID-2019_8.txt

Restart Required: Yes

Instructions:

1. Upgrade Squid to version 4.9 or later.
2. Download from squid-cache.org or use your distribution's package manager.
3. Stop Squid service.
4. Install new version.
5. Restart Squid service.

🔧 Temporary Workarounds

Disable URN handling

all

Disable URN protocol support in Squid configuration to prevent exploitation

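Add 'acl URN proto URN' followed by 'http_access deny URN' to squid.conf, above any http_access allow rules ('urn deny all' is not a Squid directive)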

Restrict URN access

all

Configure ACLs to restrict who can make URN requests

Add appropriate ACL rules for URN requests in squid.conf

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Squid proxies from sensitive internal HTTP servers
  • Deploy additional firewall rules to restrict Squid's ability to connect to internal HTTP services

🔍 How to Verify

Check if Vulnerable:

Check Squid version with 'squid -v' or 'squid3 -v' and verify if it's below 4.9

Check Version:

squid -v || squid3 -v

Verify Fix Applied:

After patching, verify version is 4.9 or higher and test URN requests to ensure they now go through proper access checks

📡 Detection & Monitoring

Log Indicators:

  • Unusual URN request patterns
  • HTTP requests from Squid to internal servers that bypass normal access logs
  • Access denied messages for URN requests

Network Indicators:

  • HTTP traffic from Squid proxy to internal servers that shouldn't be accessible
  • Unusual URN protocol traffic patterns

SIEM Query:

source="squid_access.log" AND (uri CONTAINS "urn:" OR method="URN")
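
The SIEM query above matches "urn:" anywhere in the URI. The following added example (not part of the original page or of Squid's own tooling) applies a stricter scheme-only check to access.log text in Python. It assumes Squid's default native log format; the sample lines, addresses and URN values are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines (not real traffic) in Squid's native access.log layout:
# time elapsed client result/status bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1572950000.123     45 192.0.2.10 TCP_MISS/200 1532 GET http://example.com/ - HIER_DIRECT/198.51.100.7 text/html
1572950001.456     12 192.0.2.55 TCP_MISS/200 830 GET urn:example:item-1 - HIER_NONE/- text/html
1572950002.789      3 192.0.2.55 TCP_DENIED/403 3920 GET URN:example:item-2 - HIER_NONE/- text/html
1572950003.000     60 192.0.2.10 TCP_MISS/200 512 GET http://example.com/?ref=urn:isbn:0 - HIER_DIRECT/198.51.100.7 text/html
1572950004.000 truncated line
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>-?\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)"
)

def find_urn_requests(log_text):
    """Return one dict per request whose URL scheme is urn: (case-insensitive)."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue  # skip truncated or custom-format lines rather than guessing
        # Match on the scheme, not a substring: "urn:" inside an http:// query
        # string is ordinary traffic and would be a false positive.
        if not m["url"].lower().startswith("urn:"):
            continue
        hits.append({
            "ts": float(m["ts"]),
            "client": m["client"],
            "url": m["url"],
            "status": int(m["status"]),
            "denied": m["result"].startswith("TCP_DENIED"),
        })
    return hits

def summarize(hits):
    """Count URN requests per client, split into denied and not denied."""
    out = defaultdict(lambda: {"denied": 0, "not_denied": 0})
    for h in hits:
        out[h["client"]]["denied" if h["denied"] else "not_denied"] += 1
    return dict(out)

if __name__ == "__main__":
    for client, counts in summarize(find_urn_requests(SAMPLE_LOG)).items():
        print(client, counts)
```

Requests counted as not_denied on a proxy older than 4.9 are the ones to review first.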
