Squid Heap Use-After-Free Vulnerability Leading to Denial-of-Service via ICP Traffic

Vulnerability

A denial-of-service vulnerability has been identified in Squid versions prior to 7.5, caused by a heap use-after-free bug when processing ICP traffic. This issue allows remote attackers to disrupt the Squid service reliably and repeatedly. The vulnerability affects Squid deployments that have ICP support enabled, specifically those configured with a non-zero 'icp_port'. Notably, this problem cannot be mitigated by denying ICP queries through 'icp_access' rules.

Impact

Exploitation of this vulnerability causes a denial-of-service condition: the Squid service becomes unresponsive or stops handling client requests properly, and because the trigger is remote ICP traffic the disruption can be repeated at will.

Remediation

Users can upgrade to Squid version 7.5 to address this vulnerability. For those using prepackaged versions of Squid, refer to the package vendor for availability of the updated version. Instructions for disabling ICP support can also be found in the Squid Proxy Cache Security Update Advisory.
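As an added defender-side check (example code, not from this page or the Squid project), the following Python audit reads a squid.conf together with the `squid -v` banner and reports whether a deployment matches the affected profile described above (version before 7.5 with a non-zero icp_port), flagging the case where only an icp_access deny rule is present. The sample configuration and banner are constructed, and treating the last icp_port directive in the file as the one in force is an assumption of this script.

```python
"""Audit helper: does this Squid deployment match the ICP use-after-free profile?"""
import re

FIXED_VERSION = (7, 5)  # first release the advisory names as fixed

def parse_version(banner: str) -> tuple:
    """Return (major, minor) from a `squid -v` banner such as 'Squid Cache: Version 6.10'."""
    m = re.search(r"Version\s+(\d+)\.(\d+)", banner)
    if m is None:
        raise ValueError("no Squid version string found in banner")
    return (int(m.group(1)), int(m.group(2)))

def effective_icp_port(conf_text: str) -> int:
    """Effective icp_port. Squid's default is 0, meaning ICP is disabled; '#' starts
    a comment. Assumption: the last icp_port directive in the file is the one in force."""
    port = 0
    for raw in conf_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "icp_port":
            port = int(fields[1])
    return port

def assess(conf_text: str, banner: str) -> dict:
    """Combine version and configuration into a verdict and explain why."""
    version = parse_version(banner)
    port = effective_icp_port(conf_text)
    denies_icp = re.search(r"^\s*icp_access\s+deny\s+all\b", conf_text, re.M) is not None
    affected = version < FIXED_VERSION and port != 0
    if not affected:
        note = "not affected: ICP disabled (icp_port 0) or version >= 7.5"
    elif denies_icp:
        note = "affected: icp_access deny all does not mitigate; set icp_port 0 or upgrade to 7.5"
    else:
        note = "affected: set icp_port 0 or upgrade to 7.5"
    return {"version": version, "icp_port": port, "affected": affected, "note": note}

# Constructed sample: an older Squid that re-enables ICP and relies on an ineffective deny rule.
SAMPLE_CONF = """\
http_port 3128
icp_port 0        # disabled here...
icp_port 3130     # ...but re-enabled further down, so ICP is listening
icp_access deny all
"""
SAMPLE_BANNER = "Squid Cache: Version 6.10"

if __name__ == "__main__":
    print(assess(SAMPLE_CONF, SAMPLE_BANNER))
```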

Added: Mar 26, 2026, 1:19 AM
Updated: Mar 26, 2026, 1:19 AM

Vulnerability Rating

Custom Algorithm

spread          6.8
impact          2.5
exploitability  8.4
remediation     8.3
relevance       4.7
threat          3.2
urgency         2.9
incentive       8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.