Squid SSL-DoS

November 6, 2015

Squid is a popular open-source caching and forwarding proxy. It can be used in a variety of ways, one of which is a feature called 'bump'. There is a denial-of-service (DoS) vulnerability in Squid's 'bump' feature, caused by a failure to properly validate input. A specially crafted client or server 'hello' message can trigger this DoS vulnerability without authentication.

Squid provides an SSL-bump feature to allow man-in-the-middle SSL connections. The vulnerability is triggered specifically when the 'hello' message has an extension length greater than 32767. The variable that stores this length is an unsigned short. Thus, when a number larger than 32767 is provided, the extension's value decreases in size. This leads to an infinite loop, high CPU utilization and eventually a denial of service due to exhaustion.
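The length check whose absence is described above, as an added example (not Squid's code and not part of the original advisory): a walker for a hello message's extensions block that reads every 16-bit length into a wider unsigned type and checks it against the bytes remaining, so the loop always advances and terminates. The names `rd16` and `walk_extensions` and the sample byte arrays are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Read a big-endian 16-bit field into an unsigned type wider than 16 bits,
 * so values above 32767 stay positive. */
static size_t rd16(const uint8_t *p) { return ((size_t)p[0] << 8) | p[1]; }

/* Walk a TLS hello extensions block: 2-byte total length, then repeated
 * (2-byte type, 2-byte length, data) records.
 * Returns the number of extensions, or -1 if any length is inconsistent. */
int walk_extensions(const uint8_t *buf, size_t len)
{
    if (len < 2) return -1;
    size_t total = rd16(buf);
    if (total > len - 2) return -1;         /* block claims more than we hold */
    size_t pos = 2, end = 2 + total;
    int count = 0;
    while (pos < end) {
        if (end - pos < 4) return -1;       /* truncated extension header */
        size_t ext_len = rd16(buf + pos + 2);
        pos += 4;
        if (ext_len > end - pos) return -1; /* extension overruns the block */
        pos += ext_len;                     /* cursor only moves forward */
        count++;
    }
    return count;
}

/* Constructed sample inputs (not captured traffic). */
static const uint8_t sample_ok[] = {
    0x00, 0x09,                             /* block length = 9 */
    0x00, 0x0a, 0x00, 0x01, 0xAA,           /* type 10, length 1 */
    0xff, 0x01, 0x00, 0x00                  /* type 0xff01, length 0 */
};
static const uint8_t sample_big_ext[] = {
    0x00, 0x05,
    0x00, 0x0a, 0x80, 0x00, 0xAA            /* extension length 32768 */
};
static const uint8_t sample_big_total[] = { 0xff, 0xff, 0x00 };

int main(void)
{
    printf("ok=%d big_ext=%d big_total=%d\n",
           walk_extensions(sample_ok, sizeof sample_ok),
           walk_extensions(sample_big_ext, sizeof sample_big_ext),
           walk_extensions(sample_big_total, sizeof sample_big_total));
    return 0;
}
```

Both oversized samples are rejected on the first inconsistent length instead of being iterated over.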

Dell SonicWALL has the following signature that protects our customers from this attack:

  • IPS 11239 : Squid SSL-DoS