CVE-2020-35502

7.5 HIGH

📋 TL;DR

This vulnerability in Privoxy versions before 3.0.29 involves memory leaks that occur when response buffering reaches limits or during low memory conditions. The flaw can cause the Privoxy proxy service to crash, potentially disrupting network filtering and privacy protection. Systems running vulnerable Privoxy versions as a proxy service are affected.

💻 Affected Systems

Products:
  • Privoxy
Versions: All versions before 3.0.29
Operating Systems: Linux, BSD, Windows, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability triggers during normal operation while buffering responses and requires no special configuration.


⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete service outage of Privoxy proxy, disrupting all filtered network traffic and potentially causing denial of service for dependent applications.

🟠

Likely Case

Intermittent service crashes requiring manual restart of Privoxy, causing temporary loss of proxy functionality.

🟢

If Mitigated

Service automatically restarts via monitoring tools, causing brief connectivity interruptions but maintaining overall availability.

🌐 Internet-Facing: MEDIUM - Privoxy often sits between clients and internet, but exploitation requires triggering specific memory conditions rather than direct attack.
🏢 Internal Only: LOW - Internal-only deployments face reduced risk as exploitation requires specific memory exhaustion conditions.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: NO
Unauthenticated Exploit: ✅ No
Complexity: HIGH

Exploitation requires triggering specific memory exhaustion conditions rather than direct code execution. No known weaponized exploits exist.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.0.29

Vendor Advisory: https://www.privoxy.org/3.0.29/user-manual/whatsnew.html

Restart Required: Yes

Instructions:

1. Download Privoxy 3.0.29 from privoxy.org
2. Stop the current Privoxy service
3. Install the new version
4. Restart the Privoxy service

🔧 Temporary Workarounds

Memory Limit Configuration (Linux)

Configure system memory limits to reduce the likelihood of triggering memory exhaustion:

  ulimit -v 1048576
  systemctl edit privoxy   (add MemoryLimit=1G under [Service])

Service Monitoring and Auto-restart (Linux)

Configure monitoring to automatically restart Privoxy if it crashes:

  systemctl edit privoxy   (add Restart=always under [Service])
  supervisorctl restart privoxy   (if Privoxy is managed by supervisord instead)

🧯 If You Can't Patch

  • Implement aggressive memory monitoring and alerting for Privoxy process
  • Deploy redundant proxy instances with load balancing to maintain service during crashes

🔍 How to Verify

Check if Vulnerable:

Check the Privoxy version with 'privoxy --version' and compare it to 3.0.29; anything lower is affected.

Check Version:

privoxy --version | head -1

Verify Fix Applied:

Verify installed version is 3.0.29 or later and monitor for crash events
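The version check above, as an added example script (not part of this advisory or of Privoxy): it parses the first line of 'privoxy --version', which is assumed to look like "Privoxy version 3.0.28 (https://www.privoxy.org/)", and compares the dotted version numerically against 3.0.29 instead of as a string, so 3.0.30 and 3.1.0 are correctly reported as fixed.

```shell
#!/bin/sh
# Added example: is the installed Privoxy affected by CVE-2020-35502?
# Fixed in 3.0.29 (per the advisory); everything below that is affected.
FIXED_VERSION="3.0.29"

# Constructed sample lines in the assumed 'privoxy --version' output format.
SAMPLE_OLD="Privoxy version 3.0.28 (https://www.privoxy.org/)"
SAMPLE_FIXED="Privoxy version 3.0.29 (https://www.privoxy.org/)"

# extract_version LINE: print the first x.y.z token found in LINE (empty if none).
extract_version() {
    printf '%s\n' "$1" | grep -o '[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*' | head -n 1
}

# version_lt A B: exit 0 when dotted version A is numerically lower than B.
# A plain string compare would wrongly rank "3.0.30" below "3.0.29".
version_lt() {
    a1=${1%%.*}; rest=${1#*.}; a2=${rest%%.*}; a3=${rest#*.}
    b1=${2%%.*}; rest=${2#*.}; b2=${rest%%.*}; b3=${rest#*.}
    [ "$a1" -lt "$b1" ] && return 0
    [ "$a1" -gt "$b1" ] && return 1
    [ "$a2" -lt "$b2" ] && return 0
    [ "$a2" -gt "$b2" ] && return 1
    [ "$a3" -lt "$b3" ]
}

# privoxy_affected LINE: exit 0 if the version in LINE is below the fixed
# version, 1 if it is fixed, 2 if no version could be parsed.
privoxy_affected() {
    v=$(extract_version "$1")
    [ -n "$v" ] || { echo "could not parse a version from: $1" >&2; return 2; }
    version_lt "$v" "$FIXED_VERSION"
}

# Run with --check to test the installed binary (assumes privoxy is on PATH).
if [ "${1:-}" = "--check" ]; then
    line=$(privoxy --version 2>/dev/null | head -n 1)
    if privoxy_affected "$line"; then
        echo "VULNERABLE (CVE-2020-35502): $line"; exit 1
    elif [ $? -eq 2 ]; then
        echo "UNKNOWN: could not determine the Privoxy version"; exit 2
    else
        echo "OK (fixed): $line"
    fi
fi
```

Exit status 1 means affected, 2 means the version could not be determined, and 0 means the installed version is 3.0.29 or later.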

📡 Detection & Monitoring

Log Indicators:

  • Privoxy process termination logs
  • Out of memory errors in system logs
  • Service restart events

Network Indicators:

  • Sudden loss of proxy connectivity
  • TCP connection resets from proxy

SIEM Query:

source="privoxy.log" AND ("crash" OR "terminated" OR "out of memory")
