CVE-2020-11945

9.8 CRITICAL

📋 TL;DR

CVE-2020-11945 is a critical integer overflow vulnerability in Squid proxy server's Digest Authentication mechanism. A remote attacker can replay sniffed authentication nonces to bypass access controls and potentially execute arbitrary code. This affects all Squid installations using Digest Authentication before version 5.0.2.

💻 Affected Systems

Products:
  • Squid
Versions: All versions before 5.0.2
Operating Systems: All operating systems running vulnerable Squid versions
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when Digest Authentication is enabled. Basic and NTLM authentication are not affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete system compromise, data theft, and lateral movement within the network.

🟠 Likely Case

Authentication bypass allowing unauthorized access to protected resources and potential privilege escalation.

🟢 If Mitigated

Limited impact with proper network segmentation and authentication monitoring in place.

🌐 Internet-Facing: HIGH - Squid is often deployed as an internet-facing proxy server, making it directly accessible to attackers.
🏢 Internal Only: MEDIUM - Internal Squid deployments are still vulnerable to internal attackers or compromised systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires the ability to sniff network traffic containing Digest Authentication nonces. The vulnerability is well documented, with a public proof-of-concept available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.0.2 or later

Vendor Advisory: http://www.squid-cache.org/Advisories/SQUID-2020_2.txt

Restart Required: Yes

Instructions:

1. Back up the current Squid configuration.
2. Upgrade Squid to version 5.0.2 or later using your package manager.
3. Restart the Squid service.
4. Verify the upgrade was successful.

🔧 Temporary Workarounds

Disable Digest Authentication

all

Temporarily disable Digest Authentication until patching can be completed

Edit squid.conf and remove or comment out 'auth_param digest' lines
Run: squid -k reconfigure

Network Segmentation

all

Restrict access to Squid proxy to trusted networks only

Configure firewall rules to limit Squid access
Use ACLs in squid.conf to restrict client IPs

🧯 If You Can't Patch

  • Implement strict network monitoring for authentication bypass attempts
  • Deploy Squid behind a WAF with authentication protection rules

🔍 How to Verify

Check if Vulnerable:

Check the Squid version and whether an active (uncommented) Digest Authentication directive is configured: squid -v | grep Version && grep -Ei '^[[:space:]]*auth_param[[:space:]]+digest' /etc/squid/squid.conf

Check Version:

squid -v | grep Version

Verify Fix Applied:

Verify Squid version is 5.0.2 or later: squid -v | grep -E 'Version (5\.0\.([2-9]|[1-9][0-9])|5\.[1-9]|[6-9]\.|[1-9][0-9]+\.)'
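
The two conditions above (version below 5.0.2 and Digest Authentication enabled) can be combined into one scripted check. This is an added example, not part of the original advisory or the Squid project; the function names and verdict strings are hypothetical, and the config path defaults to the one used on this page.

```shell
#!/bin/sh
# Added example (POSIX sh). FIXED is the patch version stated on this page.
FIXED="5.0.2"

# Pull "X.Y[.Z]" out of `squid -v` output read from stdin.
squid_version() {
    sed -n 's/^Squid Cache: Version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Return 0 when version $1 is numerically lower than version $2.
version_lt() {
    a=$1; b=$2
    for n in 1 2 3; do
        x=${a%%.*}; y=${b%%.*}
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a=0 ;; esac
        case $b in *.*) b=${b#*.} ;; *) b=0 ;; esac
    done
    return 1
}

# Return 0 when stdin holds an active "auth_param digest" directive.
# Commented-out lines are ignored; files pulled in via "include" are not read.
digest_enabled() {
    grep -Eiq '^[[:space:]]*auth_param[[:space:]]+digest([[:space:]]|$)'
}

# assess "<squid -v output>" <squid.conf path>; prints one verdict word.
assess() {
    ver=$(printf '%s\n' "$1" | squid_version)
    if [ -z "$ver" ]; then echo "unknown"; return 0; fi
    if ! version_lt "$ver" "$FIXED"; then echo "patched"; return 0; fi
    if [ ! -r "$2" ]; then echo "unknown"; return 0; fi
    if digest_enabled < "$2"; then echo "vulnerable"; return 0; fi
    echo "outdated-digest-off"
}

# Check the local host only when asked: sh check.sh --run [squid.conf]
if [ "${1:-}" = "--run" ]; then
    assess "$(squid -v 2>/dev/null)" "${2:-/etc/squid/squid.conf}"
fi
```

A verdict of "outdated-digest-off" means the workaround is in effect but the upgrade is still pending.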

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed authentication attempts from same source
  • Successful authentication with replayed nonces
  • Unexpected access to restricted resources

Network Indicators:

  • Unusual Digest Authentication traffic patterns
  • Repeated authentication requests with same nonce

SIEM Query:

source="squid" AND ("authentication failure" OR "access denied") | stats count by src_ip
