CVE-2023-5824
📋 TL;DR
A vulnerability in Squid proxy server allows cached HTTP response headers to exceed configured size limits, causing worker process stalls or crashes when retrieving large headers from disk cache. This results in denial of service affecting Squid installations with caching enabled.
💻 Affected Systems
- Squid
📦 What is this software?
Squid by Squid Cache
⚠️ Risk & Real-World Impact
Worst Case
Complete denial of service for Squid proxy service, disrupting all proxied traffic and potentially requiring service restart or server reboot.
Likely Case
Intermittent worker process crashes causing service degradation and connection failures for clients.
If Mitigated
Minimal impact with proper header size limits and monitoring in place.
🎯 Exploit Status
Exploitation requires ability to send HTTP requests through Squid that generate large response headers, which could be achieved through normal web browsing or automated tools.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Red Hat advisories for specific patched versions: RHSA-2023:7465, RHSA-2023:7668, RHSA-2024:0072, RHSA-2024:0397, RHSA-2024:0771
Vendor Advisory: https://access.redhat.com/errata/RHSA-2023:7465
Restart Required: Yes
Instructions:
1. Update Squid package using your distribution's package manager.
2. For RHEL/CentOS: 'yum update squid'.
3. Restart Squid service: 'systemctl restart squid'.
🔧 Temporary Workarounds
Reduce header size limits
Linux: Configure stricter maximum header size limits in Squid configuration to prevent large headers from being cached.
Edit squid.conf and set 'reply_header_max_size' to a conservative value
Disable caching for problematic content
Linux: Configure Squid to not cache responses from domains known to generate large headers.
Add ACL rules in squid.conf to 'no_cache' specific domains or patterns
🧯 If You Can't Patch
- Implement strict header size limits in squid.conf to prevent caching of oversized headers
- Monitor Squid logs for worker process crashes and implement automated restart mechanisms
🔍 How to Verify
Check if Vulnerable:
Check Squid version and compare against patched versions in Red Hat advisories: 'squid -v' or 'rpm -q squid'
Check Version:
squid -v | head -1
Verify Fix Applied:
Verify Squid version is updated to patched version and service is running without crashes under normal load
📡 Detection & Monitoring
Log Indicators:
- Worker process crashes in Squid logs
- Error messages related to header size limits
- Increased restart frequency of Squid service
Network Indicators:
- Increased HTTP request timeouts through proxy
- Intermittent proxy service unavailability
SIEM Query:
source="squid" AND ("fatal" OR "crash" OR "terminated" OR "restarting")
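As an added example (not from the page or the Squid project): a small Python checker that applies the log indicators above to Squid cache.log lines, flagging keyword hits and workers that crash repeatedly within a short window (the "increased restart frequency" indicator). The sample lines, worker names and exact message wording are constructed approximations of Squid's cache.log layout, not captured output.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample cache.log lines (not from the page); layout approximates Squid's own.
SAMPLE_LOG = """\
2024/01/15 10:12:41 kid1| FATAL: Received Segment Violation...dying.
2024/01/15 10:12:42| Squid Parent: (squid-1) process 4011 exited due to signal 11
2024/01/15 10:12:42| Squid Parent: (squid-1) process 4098 started
2024/01/15 10:13:06| Squid Parent: (squid-1) process 4098 exited due to signal 11
2024/01/15 10:13:06| Squid Parent: (squid-1) process 4120 started
2024/01/15 10:13:30| Squid Parent: (squid-1) process 4120 exited due to signal 11
2024/01/15 10:13:30| Squid Parent: (squid-1) process 4141 started
2024/01/15 11:45:00| Squid Parent: (squid-2) process 4012 exited due to signal 6
2024/01/15 11:45:00| Squid Parent: (squid-2) process 4190 started
"""
LINE_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})(?: (kid\d+))?\| (.*)$")
EXIT_RE = re.compile(r"Squid Parent: \((squid-\d+)\) process \d+ exited due to signal \d+")
# The page's SIEM keywords plus the worker-exit message logged by the parent process.
INDICATORS = ("fatal", "crash", "terminated", "restarting", "exited due to signal")

def parse_events(text):
    """Yield (timestamp, kid-or-None, message) for each well-formed cache.log line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S"), m.group(2), m.group(3)

def indicator_lines(text):
    """Messages containing any indicator keyword (case-insensitive)."""
    return [msg for _, _, msg in parse_events(text)
            if any(k in msg.lower() for k in INDICATORS)]

def flapping_workers(text, window=timedelta(minutes=5), threshold=2):
    """Worker -> most crash exits inside one window, for workers at/above threshold."""
    exits = defaultdict(list)
    for ts, _, msg in parse_events(text):
        m = EXIT_RE.search(msg)
        if m:
            exits[m.group(1)].append(ts)
    flapping = {}
    for worker, times in exits.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over sorted exit times
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flapping[worker] = max(flapping.get(worker, 0), end - start + 1)
    return flapping
```

On the sample, squid-1 exits three times inside five minutes and is reported, while the single squid-2 exit is not; point `parse_events` at a real cache.log and tune `window`/`threshold` to the host's normal restart behaviour.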
🔗 References
- https://access.redhat.com/errata/RHSA-2023:7465
- https://access.redhat.com/errata/RHSA-2023:7668
- https://access.redhat.com/errata/RHSA-2024:0072
- https://access.redhat.com/errata/RHSA-2024:0397
- https://access.redhat.com/errata/RHSA-2024:0771
- https://access.redhat.com/errata/RHSA-2024:0772
- https://access.redhat.com/errata/RHSA-2024:0773
- https://access.redhat.com/errata/RHSA-2024:1153
- https://access.redhat.com/security/cve/CVE-2023-5824
- https://bugzilla.redhat.com/show_bug.cgi?id=2245914
- https://github.com/squid-cache/squid/security/advisories/GHSA-543m-w2m2-g255
- https://lists.debian.org/debian-lts-announce/2025/09/msg00027.html
- https://security.netapp.com/advisory/ntap-20231130-0003/