Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
hackeroneAaron_costelloH1:789034
HistoryFeb 04, 2020 - 9:58 p.m.

Internet Bug Bounty: Buffer Overflow in ext_lm_group_acl helper

2020-02-0421:58:53
aaron_costello
hackerone.com
27

0.004 Low

EPSS

Percentile

74.6%

JSON

Summary

Due to incorrect buffer management ext_lm_group_acl is vulnerable to a denial of service attack when processing NTLM Authentication credentials. This problem is limited to installations using the
ext_lm_group_acl binary.

Affected Versions

Squid 2.x -> 2.7.STABLE9
Squid 3.x -> 3.5.28
Squid 4.x -> 4.9

Severity

Due to incorrect input validation the NTLM authentication credentials parser in ext_lm_group_acl may write to memory outside the credentials buffer. On systems with memory access protections this can result in the helper process being terminated unexpectedly. Resulting in the Squid process also terminating and a denial of service for all clients using the proxy.

Supporting Material/References:

Advisory : http://www.squid-cache.org/Advisories/SQUID-2020_3.txt

Remediation

An official patch is available from the Squid archives for both Squid 3.5 and Squid 4.

Timeline

2019-11-11 : I reported the issue
2019-11-18 : I made a PR on GitHub with a fix
2019-11-22 : Fix was merged

Impact

See ‘Severity’ section of report.

Related

cve 1
nvd 1
veracode 1
amazon 2
nessus 18
ubuntucve 1
redhatcve 1
osv 1
prion 1
debiancve 1
alpinelinux 1
cvelist 1
openvas 16
cloudlinux 2
mageia 1
suse 3
ubuntu 1
freebsd 1
gentoo 1
altlinux 1
rosalinux 1
cve
cve
CVE-2020-8517
2020-02-04 20:15:14
nvd
nvd
CVE-2020-8517
2020-02-04 20:15:14
veracode
veracode
Denial Of Service (DoS)
2020-08-06 21:29:49
amazon
amazon
Important: squid
2023-05-25 17:41:00
Important: squid
2023-06-05 16:39:00
nessus
nessus
Amazon Linux 2 : squid (ALAS-2023-2062)
2023-06-05 00:00:00
Amazon Linux AMI : squid (ALAS-2023-1766)
2023-06-09 00:00:00
EulerOS 2.0 SP8 : squid (EulerOS-SA-2020-1591)
2020-05-26 00:00:00
ubuntucve
ubuntucve
CVE-2020-8517
2020-02-04 00:00:00
redhatcve
redhatcve
CVE-2020-8517
2020-04-03 02:06:32
osv
osv
CVE-2020-8517
2020-02-04 20:15:14
prion
prion
Design/Logic Flaw
2020-02-04 20:15:00
debiancve
debiancve
CVE-2020-8517
2020-02-04 20:15:14
alpinelinux
alpinelinux
CVE-2020-8517
2020-02-04 20:15:14
cvelist
cvelist
CVE-2020-8517
2020-02-04 19:54:31
openvas
openvas
Huawei EulerOS: Security Advisory for squid (EulerOS-SA-2020-1591)
2020-05-26 00:00:00
SUSE: Security Advisory (SUSE-SU-2020:0493-1)
2021-06-09 00:00:00
Squid Multiple Security Update Advisories (SQUID-2020:1, SQUID-2020:2, SQUID-2020:3)
2020-02-05 00:00:00
cloudlinux
cloudlinux
Fix of CVE: CVE-2020-8450, CVE-2020-8517, CVE-2020-8449
2021-08-12 15:42:54
Fix of CVE: CVE-2020-8517, CVE-2021-28651, CVE-2020-15049, CVE-2020-8449, CVE-2020-8450, CVE-2020-24606, CVE-2020-25097, CVE-2020-11945, CVE-2020-14058
2021-09-21 22:10:21
mageia
mageia
Updated squid packages fix security vulnerabilities
2020-02-26 13:21:01
suse
suse
Security update for squid (moderate)
2020-03-06 00:00:00
Security update for squid (moderate)
2020-05-03 00:00:00
Security update for squid (important)
2020-05-11 00:00:00
ubuntu
ubuntu
Squid vulnerabilities
2020-02-20 00:00:00
freebsd
freebsd
Squid -- multiple vulnerabilities
2020-02-10 00:00:00
gentoo
gentoo
Squid: Multiple vulnerabilities
2020-03-16 00:00:00
altlinux
altlinux
Security fix for the ALT Linux 9 package squid version 4.10-alt1
2020-03-16 00:00:00
rosalinux
rosalinux
Advisory ROSA-SA-2021-1976
2021-07-02 18:10:45

0.004 Low

EPSS

Percentile

74.6%

JSON
Related for H1:789034
cve1nvd1veracode1amazon2nessus18ubuntucve1redhatcve1osv1prion1debiancve1alpinelinux1cvelist1openvas16cloudlinux2mageia1suse3ubuntu1freebsd1gentoo1altlinux1rosalinux1