CERT-In Vulnerability Note
Security Restriction Bypass Vulnerability in Squid Products
Original Issue Date: October 12, 2021
Severity Rating: HIGH
- Squid versions 5.0.6 to 5.1
A vulnerability has been reported in Squid, a caching and forwarding HTTP web proxy, which could be exploited by an attacker to bypass security restrictions on the targeted system.
This vulnerability exists in Squid due to improper certificate validation when the TLS server certificate is signed by multiple CAs; it may also occur in cases of broken server certificate chains. An attacker could exploit this vulnerability by allowing a remote server to obtain security trust when the trust is not valid. This indication of trust may be passed along to clients, thereby giving access to unsafe or hijacked services.
Successful exploitation of this vulnerability could allow an attacker to bypass security restrictions and conduct other attacks on the targeted system.
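To check whether a proxy host falls in the affected range listed above (Squid 5.0.6 to 5.1), the following added example, which is not part of the CERT-In note or of the Squid project, parses the version banner printed by `squid -v`. The function names and the sample banners are constructed for illustration.

```python
import re
import subprocess
import sys

# Affected range as stated in this note: Squid 5.0.6 to 5.1, inclusive.
AFFECTED_MIN = (5, 0, 6)
AFFECTED_MAX = (5, 1, 0)

# `squid -v` prints a first line of the form "Squid Cache: Version 5.1".
_BANNER = re.compile(r"Squid Cache: Version (\d+(?:\.\d+)*)")


def parse_version(banner):
    """Return the Squid version in `banner` as a 3-tuple, or None if absent."""
    m = _BANNER.search(banner)
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    # Pad so "5.1" compares as (5, 1, 0). A build suffix such as
    # "-20210604-r0000000" is not matched because it starts with "-".
    parts += [0] * (3 - len(parts))
    return tuple(parts[:3])


def is_affected(banner):
    """True inside the affected range, False outside, None if unparseable."""
    version = parse_version(banner)
    if version is None:
        return None  # Treat as "unknown", never as "safe".
    return AFFECTED_MIN <= version <= AFFECTED_MAX


if __name__ == "__main__":
    try:
        out = subprocess.run(["squid", "-v"], capture_output=True,
                             text=True, check=False).stdout
    except FileNotFoundError:
        sys.exit("squid binary not found on PATH")
    result = is_affected(out)
    if result is None:
        sys.exit("could not parse a version from `squid -v` output")
    print("AFFECTED: upgrade required" if result else "not in affected range")
    sys.exit(1 if result else 0)
```
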
Patch to latest version Squid 5:
The information provided herein is on "as is" basis, without warranty of any kind.
Email: firstname.lastname@example.org Phone: +91-11-24368572
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
6, CGO Complex, Lodhi Road,
New Delhi - 110 003