Squid games: 35 security holes still unpatched in proxy after 2 years, now public


35 vulnerabilities in the Squid caching proxy remain unfixed more than two years after being found and disclosed to the open source project's maintainers, according to the person who reported them.

Squid is a caching and forwarding HTTP web proxy that is very widely used by ISPs and website operators. In February 2021, security researcher Joshua Rogers performed a security audit of Squid and said he uncovered 55 flaws in the project's C++ source code.

Fast forward to today, and Rogers asserts only 20 of those flaws have been fixed.

The majority haven't even been assigned CVEs, and the remaining 35 still don't have patches or workarounds to plug the holes, we're told.

"After 2 and a half years of waiting, I have decided to release the issues publicly," Rogers wrote in a post to the Openwall security mailing list.

The Register emailed several Squid developers listed on the contact page and did not immediately receive responses to our questions. We will update this story if and when we hear from the project.

In the post, and on his website, Rogers listed 45 exploitable security issues, noting that the 10 remaining are the "result of similar, but different pathways to reproduce a vulnerability." They run the gamut from use-after-free, memory leak, cache poisoning, and assertion failure to other flaws in various components.

Rogers named the flaws and provided technical details about the vulnerabilities – including code breakdowns and PoCs – on GitHub. His website also lists 13 further code issues that he considers to be garden variety bugs that don't have security implications.

Rogers says he found all of the flaws in Squid-5.0.5 and performed testing in "nearly every component possible: forward proxying, reverse proxying, all protocols supports (http, https, https intercept, urn, whois, gopher, ftp), responses, requests, 'helpers,' DNS, ICAP, ESI, and caching. Every conceivable possible user and build configuration was used."

Squid's most recent version is numbered 6.3.


He also acknowledged that the Squid proxy's maintainers – like most open source developers – are mostly volunteers and may not have the support necessary to quickly fix all these problems.

"The Squid Team have been helpful and supportive during the process of reporting these issues," Rogers conceded. "However, they are effectively understaffed, and simply do not have the resources to fix the discovered issues. Hammering them with demands to fix the issues won't get far."

That, of course, is just the tip of a much larger iceberg: who should be responsible for maintaining and supporting open source software?

To that point, the US National Security Agency and friends on Tuesday issued a paper [PDF] on open source software in operational environments and urged vendor support – both financial and otherwise – for open source software development and maintenance.

But back to the issue at hand: with more than 2.5 million Squid instances exposed on the internet (according to Rogers), we'd suggest reading through the vulnerability descriptions if you are running the code.

Then, as Rogers notes, "it is up to you to reassess whether Squid is the right solution for your system." ®