Squid Denial-of-Service Vulnerability in ICP Traffic Handling

Vulnerability

A denial-of-service vulnerability has been identified in Squid versions prior to 7.5. The issue arises from resources being released prematurely, within their expected lifespan, combined with heap use-after-free bugs. Together these produce a reliable and repeatable denial-of-service condition when Squid processes Internet Cache Protocol (ICP) traffic. The vulnerability affects Squid deployments that have ICP support enabled, specifically those configured with a non-zero 'icp_port'. Notably, this issue cannot be mitigated by denying ICP queries through 'icp_access' rules.

Impact

Exploitation of this vulnerability allows remote attackers to cause a denial-of-service condition on the Squid service by disrupting normal ICP traffic handling.

Reproduction

To reproduce this vulnerability, first ensure that Squid is running a version prior to 7.5 and has ICP support enabled (icp_port set to a non-zero value). Once these conditions are met, the vulnerability can be triggered by sending ICP queries to the Squid server, which will result in a denial-of-service condition.

Remediation

Users can upgrade to Squid version 7.5, where this vulnerability has been fixed. For those using prepackaged versions of Squid, refer to the package vendor for availability information on the updated version.
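
An added example, not code from the advisory or from the Squid project: a configuration check for the two conditions stated above (a version prior to 7.5 and a non-zero icp_port). It assumes that an unset icp_port means ICP is disabled and that the last icp_port line takes effect; the function names and sample input are constructed for illustration, and include files are not followed.

```python
import re

FIXED = (7, 5)  # first fixed release named in the advisory

def parse_version(banner):
    """Pull (major, minor) out of `squid -v` style text."""
    m = re.search(r"Version\s+(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("no Squid version in banner")
    return int(m.group(1)), int(m.group(2))

def directives(conf_text):
    """Yield the token list of each non-comment squid.conf line."""
    for raw in conf_text.splitlines():
        tokens = raw.split("#", 1)[0].split()
        if tokens:
            yield tokens

def assess(banner, conf_text):
    """Apply the advisory's two conditions: version < 7.5 and icp_port != 0."""
    version = parse_version(banner)
    icp_port = 0            # assumption: unset icp_port means ICP is off
    deny_rule = False
    for tokens in directives(conf_text):
        if tokens[0] == "icp_port" and len(tokens) > 1:
            icp_port = int(tokens[1])   # assumption: last occurrence wins
        elif tokens[:2] == ["icp_access", "deny"]:
            deny_rule = True
    affected = version < FIXED and icp_port != 0
    return {
        "version": version,
        "icp_port": icp_port,
        "affected": affected,
        # icp_access deny rules do not mitigate, so flag reliance on them
        "false_mitigation": affected and deny_rule,
    }

# Constructed sample input, not taken from a real deployment
SAMPLE_BANNER = "Squid Cache: Version 6.13"
SAMPLE_CONF = """\
http_port 3128
icp_port 3130        # sibling cache peering
icp_access deny all
"""

if __name__ == "__main__":
    print(assess(SAMPLE_BANNER, SAMPLE_CONF))
```

A result with false_mitigation set marks a host that is affected and carries an 'icp_access' deny rule, which the advisory says does not protect it.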

Added: Mar 26, 2026, 1:26 AM
Updated: Mar 26, 2026, 1:26 AM

Vulnerability Rating

Custom Algorithm
Spread: 6.8
Impact: 2.5
Exploitability: 8.8
Remediation: 8.3
Relevance: 4.7
Threat: 4.8
Urgency: 2.9
Incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.