CVE-2020-36420 – CVE-2020-36420 is a denial-of-service vulnerabi... (How to Fix)

Q: What is the severity of CVE-2020-36420?

CVE-2020-36420 has a CVSS score of 7.5 (HIGH). CVE-2020-36420 is a denial-of-service vulnerability in Polipo, a caching web proxy, caused by a reachable assertion failure when parsing a malformed Range HTTP header. This allows attackers to crash the Polipo service, disrupting proxy functionality. It affects users running unsupported versions of Polipo with NDEBUG omitted during compilation.

📋 TL;DR

CVE-2020-36420 is a denial-of-service vulnerability in Polipo, a caching web proxy, caused by a reachable assertion failure when parsing a malformed Range HTTP header. This allows attackers to crash the Polipo service, disrupting proxy functionality. It affects users running unsupported versions of Polipo with NDEBUG omitted during compilation.

💻 Affected Systems

Products:

Polipo

Versions: Through version 1.1.1

Operating Systems: All operating systems where Polipo is installed

Default Config Vulnerable: ✅ No

Notes: Vulnerability only triggers when NDEBUG is omitted during compilation, which is not the default in standard builds. Polipo is no longer supported by the maintainer.

📦 What is this software?

Polipo by Polipo Project

View all CVEs affecting Polipo →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete denial of service, rendering the Polipo proxy unavailable and disrupting network traffic for dependent clients.

🟠

Likely Case

Service crash requiring manual restart, causing temporary proxy unavailability.

🟢

If Mitigated

Minimal impact if Polipo is not internet-facing or if vulnerable versions are not in use.

🌐 Internet-Facing: MEDIUM, as attackers can send malicious requests to crash the service, but exploitation requires targeting specific vulnerable configurations.

🏢 Internal Only: LOW, as internal threats are less likely to exploit this, but insider attacks could still cause disruption.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation involves sending a crafted HTTP request with a malformed Range header, making it simple to execute.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Fixed in commit 4d42ca1b5849518762d110f34b6ce2e03d6df9ec, but no official release version exists as Polipo is unsupported.

Vendor Advisory: https://github.com/jech/polipo/commit/4d42ca1b5849518762d110f34b6ce2e03d6df9ec

Restart Required: Yes

Instructions:

1. Apply the patch from the GitHub commit manually. 2. Recompile Polipo with the patch. 3. Restart the Polipo service to apply changes.

🔧 Temporary Workarounds

Block Malformed Range Headers

all

Use a web application firewall or proxy filter to block HTTP requests with malformed Range headers.

Depends on specific WAF or proxy configuration; no universal command.

Disable Polipo or Use Alternative

linux

Stop using Polipo and switch to a supported caching proxy like Squid or Varnish.

sudo systemctl stop polipo
sudo systemctl disable polipo

🧯 If You Can't Patch

Restrict network access to Polipo to trusted internal networks only.
Monitor logs for crash events and implement automated restart scripts to minimize downtime.

🔍 How to Verify

Check if Vulnerable:

Check if Polipo version is 1.1.1 or earlier and if it was compiled without NDEBUG. Review build logs or use 'polipo -v' and inspect compilation flags.

Check Version:

polipo -v

Verify Fix Applied:

Verify the patch is applied by checking the source code for the fix from commit 4d42ca1b5849518762d110f34b6ce2e03d6df9ec, then test with a malformed Range header to ensure no crash occurs.

📡 Detection & Monitoring

Log Indicators:

Polipo service crash logs, assertion failure messages in system logs.

Network Indicators:

HTTP requests with malformed Range headers directed at Polipo ports.

SIEM Query:

Search for events like 'polipo crashed' or 'assertion failed' in service logs, combined with source IPs sending unusual HTTP requests.

📊 Metadata

CVE ID: CVE-2020-36420

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE: CWE-617

Published: July 15, 2021

Last Updated: November 21, 2024

🔗 References

http://www.openwall.com/lists/oss-security/2021/07/18/1 Mailing List,Third Party Advisory
https://bugs.gentoo.org/755896 Exploit,Issue Tracking,Patch,Third Party Advisory
https://github.com/jech/polipo/commit/4d42ca1b5849518762d110f34b6ce2e03d6df9ec Patch,Third Party Advisory
https://www.openwall.com/lists/oss-security/2020/11/18/1 Exploit,Mailing List,Third Party Advisory
http://www.openwall.com/lists/oss-security/2021/07/18/1 Mailing List,Third Party Advisory
https://bugs.gentoo.org/755896 Exploit,Issue Tracking,Patch,Third Party Advisory
https://github.com/jech/polipo/commit/4d42ca1b5849518762d110f34b6ce2e03d6df9ec Patch,Third Party Advisory
https://www.openwall.com/lists/oss-security/2020/11/18/1 Exploit,Mailing List,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2020-36420, you might also want to check these: