CVE-2020-15049
📋 TL;DR
This CVE describes an HTTP request smuggling vulnerability in Squid proxy/cache servers. Attackers can send specially crafted HTTP requests with malformed Content-Length headers to poison the cache or smuggle requests through the proxy. This affects Squid installations acting as HTTP caches or reverse proxies.
💻 Affected Systems
- Squid
📦 What is this software?
Fedora by Fedoraproject
Squid by Squid Cache
⚠️ Risk & Real-World Impact
Worst Case
Complete cache poisoning allowing attackers to serve malicious content to legitimate users, credential theft via request smuggling, and potential backend system compromise.
Likely Case
Cache poisoning leading to users receiving incorrect or malicious content, potential session hijacking, and data leakage.
If Mitigated
Limited impact if Squid is not exposed to untrusted clients or if strict request validation is implemented.
🎯 Exploit Status
Exploitation requires sending specially crafted HTTP requests. Public proof-of-concept code exists in security advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Squid 4.12 or 5.0.3 and later
Vendor Advisory: https://github.com/squid-cache/squid/security/advisories/GHSA-qf3v-rc95-96j5
Restart Required: Yes
Instructions:
1. Back up the current Squid configuration.
2. Upgrade to Squid 4.12 or 5.0.3+.
3. Apply patches from squid-cache.org if upgrading is not possible.
4. Restart the Squid service.
5. Verify the fix with test requests.
🔧 Temporary Workarounds
Request validation via ACL
Block requests with malformed Content-Length headers using Squid ACLs
acl bad_content_length req_header Content-Length -i "^[+\-\s]"
http_access deny bad_content_length
Disable HTTP caching
Temporarily disable HTTP caching to prevent cache poisoning
cache deny all
🧯 If You Can't Patch
- Implement network segmentation to limit Squid exposure to trusted clients only
- Deploy WAF or reverse proxy in front of Squid to filter malformed requests
🔍 How to Verify
Check if Vulnerable:
Check the Squid version and compare it against the affected versions. Test with a crafted HTTP request containing Content-Length: +100 or Content-Length: -100.
Check Version:
squid -v | grep Version
Verify Fix Applied:
After patching, test with the same malicious requests; they should be rejected or properly handled. Check that cache poisoning attempts fail.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests with Content-Length containing +, -, or unusual whitespace characters
- Cache hits serving unexpected content
- Multiple requests from single client with varying Content-Length
Network Indicators:
- HTTP requests with malformed Content-Length headers
- Unexpected cache responses to normal requests
SIEM Query:
source="squid" AND (Content-Length="+*" OR Content-Length="-*" OR Content-Length="\s*")
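The Content-Length indicators listed above can be checked with a strict validator, shown here as an added example (not code from Squid or from the advisory) run over constructed request heads. The duplicate-header check goes beyond this page and follows RFC 7230; the function name and sample data are hypothetical.

```python
import re

# RFC 7230 section 3.3.2: Content-Length = 1*DIGIT (no sign, no embedded whitespace).
STRICT_CL = re.compile(rb"[0-9]+")

def content_length_findings(raw_head):
    """Return reasons the Content-Length of a raw request head is suspect ([] = clean)."""
    findings, values = [], []
    for line in raw_head.split(b"\r\n")[1:]:      # skip the request line
        if not line:
            break                                 # blank line ends the header section
        name, sep, value = line.partition(b":")
        if not sep or name.strip().lower() != b"content-length":
            continue
        value = value.strip(b" \t")               # only SP/HTAB padding is legal
        values.append(value)
        if value[:1] in (b"+", b"-"):
            findings.append("signed value")
        elif not STRICT_CL.fullmatch(value):
            findings.append("value is not 1*DIGIT")
    if len(set(values)) > 1:
        findings.append("conflicting Content-Length headers")
    return findings

# Constructed sample request heads (not captured traffic).
_HEAD = b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
SAMPLES = {
    "clean": _HEAD + b"Content-Length: 100\r\n\r\n",
    "plus": _HEAD + b"Content-Length: +100\r\n\r\n",
    "minus": _HEAD + b"Content-Length: -100\r\n\r\n",
    "vtab": _HEAD + b"Content-Length: \x0b100\r\n\r\n",
    "dup": _HEAD + b"Content-Length: 100\r\nContent-Length: 5\r\n\r\n",
}

if __name__ == "__main__":
    for label, head in SAMPLES.items():
        print(label, content_length_findings(head) or "ok")
```

The same function can sit in front of Squid (in a filtering proxy or a capture-analysis script) to confirm that the ACL workaround and the patched build reject the same inputs.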
🔗 References
- http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00012.html
- http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00017.html
- http://www.squid-cache.org/Versions/v4/changesets/squid-4-ea12a34d338b962707d5078d6d1fc7c6eb119a22.patch
- http://www.squid-cache.org/Versions/v5/changesets/squid-5-485c9a7bb1bba88754e07ad0094647ea57a6eb8d.patch
- https://github.com/squid-cache/squid/security/advisories/GHSA-qf3v-rc95-96j5
- https://lists.debian.org/debian-lts-announce/2020/10/msg00005.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3RG5FGSTCAYVIJPJHIY3MRZ7NFT6HDO7/
- https://security.netapp.com/advisory/ntap-20210312-0001/
- https://usn.ubuntu.com/4551-1/
- https://www.debian.org/security/2020/dsa-4732