CVE-2020-24606

8.6 HIGH

📋 TL;DR

This vulnerability allows a trusted peer in a Squid proxy cache hierarchy to cause a denial of service by sending a specially crafted Cache Digest response message. The malformed message triggers a livelock condition that consumes all available CPU cycles, rendering the Squid instance unresponsive. Only Squid deployments using cache_peer with the cache digests feature are affected.

💻 Affected Systems

Products:
  • Squid
Versions: Squid before 4.13 and 5.x before 5.0.4
Operating Systems: All operating systems running affected Squid versions
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when using cache_peer directive with cache digests feature enabled. Default configurations without cache digests are not affected.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete service outage where Squid becomes unresponsive, consuming 100% CPU and disrupting all proxy services for downstream clients.

🟠 Likely Case

Service degradation or complete outage affecting proxy services, potentially disrupting web access for all users behind the proxy.

🟢 If Mitigated

Minimal impact if the cache digests feature is disabled or if trusted peer relationships are properly secured and monitored.

🌐 Internet-Facing: MEDIUM - Requires a trusted peer relationship, which typically involves authentication and network access controls, but if exposed could allow DoS from compromised peers.
🏢 Internal Only: HIGH - In internal cache hierarchies, trusted peers could exploit this vulnerability to cause widespread service disruption.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires being a configured trusted peer in the cache hierarchy. The vulnerability is in the cache digest handling code, making exploitation straightforward for authenticated peers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Squid 4.13 or 5.0.4

Vendor Advisory: https://github.com/squid-cache/squid/security/advisories/GHSA-vvj7-xjgq-g2jg

Restart Required: Yes

Instructions:

1. Download and install Squid 4.13 or 5.0.4 from official sources.
2. Apply the patch SQUID-2020_9.patch if upgrading is not possible.
3. Restart the Squid service to apply the fix.

🔧 Temporary Workarounds

Disable Cache Digests

all

Disable the cache digests feature if not required for your deployment.

  • Edit squid.conf and remove or comment out 'cache_peer' lines with the 'digest' option
  • Alternatively, remove 'digest' from existing cache_peer configurations

Restrict Trusted Peers

all

Limit cache_peer configurations to only essential, trusted systems and implement network segmentation.

  • Review and minimize cache_peer entries in squid.conf
  • Implement firewall rules to restrict access to Squid from cache peers

🧯 If You Can't Patch

  • Disable cache digests feature entirely in squid.conf
  • Implement strict network segmentation and monitoring for all cache_peer connections

🔍 How to Verify

Check if Vulnerable:

Check squid.conf for cache_peer directives containing 'digest' option and verify Squid version is below 4.13 or 5.0.4.

Check Version:

squid -v | grep Version

Verify Fix Applied:

Verify the Squid version is 4.13 or later (4.x line) or 5.0.4 or later (5.x line), and confirm the service is running without CPU spikes from cache digest processing.
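The following script is an added example, not part of the advisory or of the Squid project, that automates the two checks above (version below the fixed release, and cache_peer entries still taking part in digest exchange) and also shows the "Disable Cache Digests" workaround applied to a constructed squid.conf fragment. It assumes Squid's documented `no-digest` cache_peer option as the per-peer way to stop fetching digests; the `squid -v` output and the two config fragments are constructed samples, and `assess_local_host` and its default `/etc/squid/squid.conf` path are my own helper names.

```python
"""Check a Squid host for CVE-2020-24606 exposure (added example, not advisory code).

Two inputs decide the verdict:
  1. the version printed by `squid -v`, compared against the fixed releases
     named in the advisory (4.13 for the 4.x line, 5.0.4 for the 5.x line);
  2. cache_peer lines in squid.conf that do not carry `no-digest`, i.e. peers
     from which this Squid would still fetch a Cache Digest response.
"""
import re
import shutil
import subprocess

# First fixed release per major line, taken from the advisory.
FIXED = {4: (4, 13), 5: (5, 0, 4)}


def parse_version(squid_v_output: str):
    """Extract the version tuple from `squid -v` text such as 'Squid Cache: Version 4.10'."""
    m = re.search(r"Version\s+(\d+)\.(\d+)(?:\.(\d+))?", squid_v_output)
    if not m:
        return None
    return tuple(int(x) for x in m.groups() if x is not None)


def version_is_fixed(ver) -> bool:
    """True when ver is at or beyond the fixed release for its major line."""
    if ver is None:
        return False
    major = ver[0]
    if major not in FIXED:
        return major > 5  # releases after the 5.x line contain the fix; 3.x does not
    fixed = FIXED[major]
    padded = ver + (0,) * (len(fixed) - len(ver))  # 5.1 -> (5, 1, 0)
    return padded >= fixed


def digest_exposed_peers(conf_text: str):
    """Return cache_peer lines that still fetch digests (no `no-digest` option)."""
    peers = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        tokens = line.split()
        if tokens[0] == "cache_peer" and "no-digest" not in tokens[1:]:
            peers.append(line)
    return peers


def assess(squid_v_output: str, conf_text: str) -> dict:
    """Combine both checks: exposed only when unpatched AND a digest peer is configured."""
    ver = parse_version(squid_v_output)
    peers = digest_exposed_peers(conf_text)
    fixed = version_is_fixed(ver)
    return {
        "version": ver,
        "version_fixed": fixed,
        "digest_peers": peers,
        "exposed": (not fixed) and bool(peers),
    }


def assess_local_host(conf_path="/etc/squid/squid.conf") -> dict:
    """Run the assessment on the live host (needs `squid` on PATH and a readable conf)."""
    if shutil.which("squid") is None:
        raise RuntimeError("squid binary not found on PATH")
    out = subprocess.run(["squid", "-v"], capture_output=True, text=True).stdout
    with open(conf_path) as f:
        return assess(out, f.read())


# Constructed samples (not real hosts): an unpatched 4.10 build with digest peers,
# and the same peers after the workaround (`no-digest` on every cache_peer).
SAMPLE_SQUID_V = "Squid Cache: Version 4.10\nService Name: squid\n"
VULNERABLE_CONF = """\
# constructed squid.conf fragment
cache_peer parent.example.internal parent 3128 3130 proxy-only
cache_peer sibling.example.internal sibling 3128 3130   # digests still fetched
"""
HARDENED_CONF = """\
cache_peer parent.example.internal parent 3128 3130 proxy-only no-digest
cache_peer sibling.example.internal sibling 3128 3130 no-digest
"""

if __name__ == "__main__":
    for name, conf in (("vulnerable", VULNERABLE_CONF), ("hardened", HARDENED_CONF)):
        print(name, assess(SAMPLE_SQUID_V, conf))
```

Run it as-is to see the constructed vulnerable and hardened verdicts, or call `assess_local_host()` on a Squid server; a `no-digest` entry on every cache_peer clears the exposure even on an unpatched build, while upgrading clears it regardless of configuration.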

📡 Detection & Monitoring

Log Indicators:

  • High CPU usage alerts
  • Process livelock messages in system logs
  • Cache digest processing errors in Squid logs

Network Indicators:

  • Unusual traffic patterns from cache peers
  • Sustained high-volume cache digest exchanges

SIEM Query:

source="squid" AND ("cache_peer" OR "digest") AND (cpu_usage>90 OR "livelock")

🔗 References
