Cyber Resilience

CVE-2024-23638

Medium · Public PoC

Published: 24 January 2024
Modified: 21 November 2024
KEV Added
Patch
CVSS Score v3.1: 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.1215 (94.0th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-23638 is a medium-severity Expired Pointer Dereference (CWE-825) vulnerability in Squid-Cache Squid. Its CVSS base score is 6.5 (Medium).

Operationally, it ranks in the top 6.0% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

Squid, a widely deployed caching proxy for the Web, contains an expired pointer reference vulnerability that affects all releases prior to version 6.6. The flaw resides in Cache Manager error-response handling and permits a denial-of-service condition when error pages are generated for Client Manager reports. All Squid-5.x releases through 5.9 and all Squid-6.x releases through 6.5 are confirmed vulnerable; releases older than 5.0.5 have not been tested but should be treated as affected. The issue is tracked as CWE-825 and CWE-672 and carries a CVSS 3.1 score of 6.5.

A trusted client with network access can trigger the bug by issuing requests that cause the Cache Manager to produce error responses. Successful exploitation results in a high-impact denial of service that affects availability while leaving confidentiality and integrity untouched. Because the attack requires only low privileges and no user interaction, any authenticated client permitted to reach the Cache Manager interface can mount the attack.

Official patches addressing the flaw are available in the Squid-5 and Squid-6 patch archives as well as in the commits referenced by the GitHub security advisory. The project also publishes a workaround: deny Cache Manager access through Squid's primary access-control rules with the directive `http_access deny manager`.
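The following triage helper is an added example, not code from the Squid project or from this page's source. It classifies a version string against the ranges stated above and checks whether `http_access deny manager` is reached before any allow rule, since Squid applies the first matching `http_access` line. The sample configurations, function names and status labels are constructed for illustration; `include` files and quoted tokens are not handled.

```python
import re

# Constructed squid.conf fragments for illustration (not from the advisory).
EXPOSED = """\
acl localnet src 10.0.0.0/8
http_access allow localhost manager   # first match: localhost still reaches Cache Manager
http_access deny manager
http_access allow localnet
"""
HARDENED = """\
acl localnet src 10.0.0.0/8
http_access deny manager
http_access allow localnet
"""

def version_status(version):
    """Classify a Squid version string using only the ranges stated on this page."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"no version number in {version!r}")
    v = tuple(int(x or 0) for x in m.groups())
    if v >= (6, 6, 0):
        return "fixed"
    if v < (5, 0, 5):
        return "untested, assume vulnerable"
    # A 5.x/6.x build carrying a patch-archive fix still reports its old number.
    return "vulnerable unless patched"

def workaround_status(conf_text):
    """Walk http_access rules in file order and report which one decides first."""
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        tokens = []
        for tok in raw.split():
            if tok.startswith("#"):      # rest of the line is a comment
                break
            tokens.append(tok)
        if len(tokens) < 3 or tokens[0] != "http_access":
            continue
        action, acls = tokens[1], tokens[2:]
        if action == "deny" and acls == ["manager"]:
            return ("effective", lineno)            # no earlier allow could admit the request
        if action == "allow" and "!manager" not in acls:
            return ("allow_precedes_deny", lineno)  # this allow may match manager requests
    return ("missing", None)

if __name__ == "__main__":
    print(version_status("Squid Cache: Version 6.5"))  # constructed version banner
    for name, conf in (("exposed", EXPOSED), ("hardened", HARDENED)):
        print(name, workaround_status(conf))
```

The check is deliberately conservative: any allow rule ahead of the deny is reported, even one restricted to localhost, so each reported line needs a decision on whether those clients should keep Cache Manager access.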

The associated EPSS score has remained in the 0.12–0.14 range since disclosure, indicating moderate but not sharply increasing exploitation interest.

Vulnerability details

Squid is a caching proxy for the Web. Due to an expired pointer reference bug, Squid prior to version 6.6 is vulnerable to a Denial of Service attack against Cache Manager error responses. This problem allows a trusted client to perform Denial of Service when generating error pages for Client Manager reports. Squid versions older than 5.0.5 have not been tested and should be assumed to be vulnerable. All Squid-5.x up to and including 5.9 are vulnerable. All Squid-6.x up to and including 6.5 are vulnerable. This bug is fixed by Squid version 6.6. In addition, patches addressing this problem for the stable releases can be found in Squid's patch archives. As a workaround, prevent access to Cache Manager using Squid's main access control: `http_access deny manager`.

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

squid-cache
squid
5.0 — 5.9 · 6.0 — 6.6

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
