CVE-2023-46848
📋 TL;DR
Squid proxy server is vulnerable to a denial-of-service attack where remote attackers can crash the service by sending specially crafted ftp:// URLs in HTTP requests or constructing them from FTP native input. This affects Squid installations that process HTTP requests with FTP URLs. The vulnerability allows attackers to disrupt proxy services without authentication.
💻 Affected Systems
- Squid
📦 What is this software?
Squid by Squid Cache
⚠️ Risk & Real-World Impact
Worst Case
Complete service outage of Squid proxy, disrupting all HTTP/HTTPS/FTP proxy services for dependent clients and applications.
Likely Case
Intermittent service crashes leading to degraded proxy performance and availability issues for users.
If Mitigated
Minimal impact if Squid is patched or workarounds are implemented; service remains stable with normal operations.
🎯 Exploit Status
Exploitation requires sending crafted HTTP requests with ftp:// URLs, which is straightforward for attackers with network access to Squid.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Squid 5.9.1, Squid 6.6
Vendor Advisory: https://access.redhat.com/security/cve/CVE-2023-46848
Restart Required: Yes
Instructions:
1. Check current Squid version.
2. Update to Squid 5.9.1 or 6.6 using your package manager (e.g., 'yum update squid' on RHEL).
3. Restart Squid service (e.g., 'systemctl restart squid').
4. Verify the update was successful.
🔧 Temporary Workarounds
Block FTP URL processing
Configure Squid ACLs to reject requests containing ftp:// URLs
acl ftp_url url_regex ^ftp://
http_access deny ftp_url
Disable FTP protocol support
Remove or comment out FTP-related configuration in squid.conf
# Comment out ftp_port lines in squid.conf
# ftp_port 21
🧯 If You Can't Patch
- Implement network-level filtering to block malicious HTTP requests containing ftp:// URLs before they reach Squid.
- Deploy Squid behind a WAF or reverse proxy that can detect and block the exploit patterns.
🔍 How to Verify
Check if Vulnerable:
Check Squid version: if running Squid 5.0.4-5.9 or 6.0.0-6.5, the system is vulnerable.
Check Version:
squid -v | head -1
Verify Fix Applied:
After patching, verify Squid version is 5.9.1 or 6.6 or higher, and test that Squid remains stable when processing HTTP requests.
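The version check above can be scripted for use across a fleet. The following is an added example, not part of the original advisory or of Squid itself; the function names are hypothetical, and the ranges are the ones stated on this page (5.0.4-5.9 and 6.0.0-6.5 affected, 5.9.1 and 6.6 fixed).

```shell
#!/bin/sh
# Added example: classify a Squid version against the ranges given on this page.

# Turn "5.9" or "6.0.1" into a comparable integer: major*1000000 + minor*1000 + patch.
ver_key() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# Extract the version from the first line of `squid -v` output
# (e.g. "Squid Cache: Version 5.7"); prints nothing if none is found.
parse_squid_version() {
    printf '%s\n' "$1" | sed -n '1s/.*Version \([0-9][0-9.]*\).*/\1/p'
}

# Print "vulnerable", "not-in-range" or "unknown" for a dotted version string.
squid_46848_status() {
    case $1 in
        # Reject empty input, non-numeric text, stray dots and leading zeros.
        ''|*[!0-9.]*|.*|*.|*..*|0[0-9]*|*.0[0-9]*) echo unknown; return ;;
    esac
    k=$(ver_key "$1")
    if [ "$k" -ge "$(ver_key 5.0.4)" ] && [ "$k" -lt "$(ver_key 5.9.1)" ]; then
        echo vulnerable
    elif [ "$k" -ge "$(ver_key 6.0.0)" ] && [ "$k" -lt "$(ver_key 6.6)" ]; then
        echo vulnerable
    else
        echo not-in-range
    fi
}

# When squid is on PATH, report on the local install.
if command -v squid >/dev/null 2>&1; then
    v=$(parse_squid_version "$(squid -v 2>/dev/null)")
    echo "squid ${v:-?}: $(squid_46848_status "$v")"
fi
```

Distribution packages, such as those covered by the Red Hat errata listed under References, can carry a fix without changing the upstream version string, so confirm a "vulnerable" result against the installed package's changelog.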
📡 Detection & Monitoring
Log Indicators:
- Squid crash logs
- Error messages related to FTP URL parsing
- Increased restart frequency in system logs
Network Indicators:
- HTTP requests containing 'ftp://' patterns
- Unusual traffic spikes followed by service unavailability
SIEM Query:
source="squid" AND ("crash" OR "segmentation fault" OR "ftp://")
🔗 References
- https://access.redhat.com/errata/RHSA-2023:6266
- https://access.redhat.com/errata/RHSA-2023:6268
- https://access.redhat.com/errata/RHSA-2023:6748
- https://access.redhat.com/security/cve/CVE-2023-46848
- https://bugzilla.redhat.com/show_bug.cgi?id=2245919
- https://github.com/squid-cache/squid/security/advisories/GHSA-2g3c-pg7q-g59w
- https://security.netapp.com/advisory/ntap-20231214-0005/