Web Proxy Squid Can Leak Credentials

A security vulnerability in the web proxy Squid can allow the software to leak credentials. An update corrects this.

A security vulnerability in the proxy software Squid can lead to attackers gaining access to credentials. The developers rate the risk with the highest score and provide an update that fixes the vulnerability. IT managers should install it promptly.

The error description from the Squid programmers reads: “Due to a missing masking of HTTP authentication data, Squid is vulnerable to information disclosure attacks.” The problem allows scripts to bypass browser protection measures and gain access to client credentials. A client from the network could also obtain security tokens or credentials used internally by web apps that rely on Squid for load balancing. The developers also point out that Squid does not need to be configured with HTTP authentication for the vulnerability to be exploitable.

The developers are closing the potential data leak in version 7.2 of Squid. The patch is also available for stable development versions. Those using Squid as a package from a distribution should look for updates with the security patch in their software management. As a temporary countermeasure, the developers state that Squid administrators can disable debug information in Squid's administrator mailto links. This is done by adding the entry email_err_data off to the squid.conf file. The service will reload the changed configuration after a restart.

Running squid -k parse 2>&1 | grep "email_err_data" should indicate whether your instance is vulnerable. If the result is email_err_data off, the Squid instance is not vulnerable. All Squid versions up to and including 7.1 with email_err_data on are vulnerable, as are all Squid versions up to and including 7.1 for which the command returns no email_err_data line, the programmers explain.
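
The rule above can be scripted when many proxies have to be checked. The following is an added example, not code from the Squid project or from the original article; the function names and the sample parse output are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: apply the article's rule to one Squid instance.
# Inputs are passed in as text so the logic can be exercised offline.

# Exit 0 if VERSION is 7.1 or older, 1 if newer, 2 if unparseable.
version_le_7_1() {
    major=${1%%.*}
    case "$1" in *.*) rest=${1#*.} ;; *) rest=0 ;; esac
    minor=${rest%%[!0-9]*}
    case "$major" in ''|*[!0-9]*) return 2 ;; esac
    [ -n "$minor" ] || return 2
    [ "$major" -lt 7 ] && return 0
    [ "$major" -eq 7 ] && [ "$minor" -le 1 ] && return 0
    return 1
}

# Print one of: patched | mitigated | vulnerable | unknown
#   $1 = Squid version number, e.g. taken from `squid -v`
#   $2 = output of `squid -k parse 2>&1`
squid_cred_leak_status() {
    rc=0
    version_le_7_1 "$1" || rc=$?
    case "$rc" in
        # 7.2 and later carry the fix. A distribution package with a
        # backported patch still reports an old version and is NOT
        # recognised here; check the package changelog for those.
        1) echo patched; return 0 ;;
        2) echo unknown; return 0 ;;
    esac
    # Assumption: if the directive appears more than once, the last wins.
    setting=$(printf '%s\n' "$2" | awk '
        { for (i = 1; i < NF; i++) if ($i == "email_err_data") v = $(i + 1) }
        END { print v }')
    # "on" and "no line at all" are both vulnerable on 7.1 and older.
    if [ "$setting" = off ]; then echo mitigated; else echo vulnerable; fi
}

# Constructed sample of `squid -k parse` output (not from a real host).
SAMPLE_PARSE='2025/01/01 00:00:00| Processing: http_port 3128
2025/01/01 00:00:00| Processing: email_err_data off'

squid_cred_leak_status 7.1 "$SAMPLE_PARSE"
```

On a live host, pass the real version number and the real output of squid -k parse 2>&1 instead of the sample values.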

At the end of 2023, IT security researcher Joshua Rogers reported 55 security vulnerabilities in the web cache Squid, of which at least 35 were still open at the time. The programmers have closed these successively.

(dmk)

This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.