Bug 1939925 (CVE-2020-25097) - CVE-2020-25097 squid: improper input validation may allow a trusted client to perform HTTP request smuggling
Summary: CVE-2020-25097 squid: improper input validation may allow a trusted client to...
Alias: CVE-2020-25097
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1939927 Red Hat1943498 Red Hat1944256 Red Hat1944257 Red Hat1944258 Red Hat1944259 Red Hat1944260 Red Hat1944261
Blocks: Embargoed1939926
TreeView+ depends on / blocked
Reported: 2021-03-17 10:19 UTC by Marian Rehak
Modified: 2022-04-17 21:13 UTC (History)
5 users (show)

Fixed In Version: squid 4.14, squid 5.0.5
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in squid. Due to improper validation while parsing the request URI, squid is vulnerable to HTTP request smuggling. This issue could allow a trusted client to perform an HTTP request smuggling attack and access services otherwise forbidden by squid. The highest threat from this vulnerability is to data confidentiality.
Clone Of:
Last Closed: 2021-04-08 17:35:14 UTC

Attachments (Terms of Use)

Description Marian Rehak 2021-03-17 10:19:54 UTC
Due to improper input validation Squid is vulnerable to an HTTP Request Smuggling attack. This problem allows a trusted client to perform HTTP Request Smuggling and access services otherwise forbidden by Squid security controls.

Comment 1 Marian Rehak 2021-03-17 10:21:59 UTC
Created squid tracking bugs for this issue:

Affects: fedora-all [bug 1939927]

Comment 2 Mauro Matteo Cascella 2021-03-26 08:19:45 UTC
External References:


Comment 3 Mauro Matteo Cascella 2021-03-26 08:22:49 UTC
Upstream fix:

Comment 5 Mauro Matteo Cascella 2021-03-26 09:44:35 UTC

This flaw can be mitigated by setting the `uri_whitespace` directive in squid.conf to either: 

uri_whitespace deny
uri_whitespace encode

Comment 6 Mauro Matteo Cascella 2021-03-26 10:12:44 UTC
The 'uri_whitespace' directive is responsible for handling requests that have whitespace characters in the URI: http://www.squid-cache.org/Doc/config/uri_whitespace/. From the above advisory, the only options that are *not* vulnerable are 'deny' and 'encode'. Note that the default value (strip) is affected, and the absence of uri_whitespace is affected too.

Comment 7 Mauro Matteo Cascella 2021-03-30 08:51:10 UTC
Although not explicitly stated in the GitHub security advisory, squid v3.5 is not supported upstream [1] and hence not tested for this vulnerability. However, the same vulnerable code can be found in src/url.cc in the way the urlParse() method parses an HTTP request URL [2]. Note that Red Hat Enterprise Linux 7 is potentially affected by this flaw as it ships Squid version 3.5.20 with the same vulnerable pattern in src/url.cc.

[1] http://www.squid-cache.org/Versions
[2] https://github.com/squid-cache/squid/blob/v3.5/src/url.cc#L295

Comment 8 Mauro Matteo Cascella 2021-03-30 10:11:44 UTC
In an HTTP request smuggling attack a front-end proxy like Squid receives HTTP requests from one or more users and forwards them to a back-end server. For performance reasons, these requests are typically sent over the same network connection. The front-end and back-end systems need to agree about the boundaries between requests, to avoid possible misinterpretation that may lead, for example, part of one request to be interpreted by the back-end server as the start of the next request.

In this case specifically, an attacker may be able to break the synchronization by sending a specially crafted HTTP request containing whitespace characters in the request URI within the HTTP request line. This could interfere with the way the Squid proxy and the back-end application will process that request. Also note that this flaw does not appear to be tied to a specific proxy mode (forward vs reverse).

Comment 9 Mauro Matteo Cascella 2021-03-30 11:01:45 UTC

This flaw is not tied to a specific proxy type (e.g., forward or reverse) and has been rated as having a security impact of Important. This flaw affects the versions of Squid as shipped with Red Hat Enterprise Linux 7 and 8, and is not currently planned to be addressed in future updates of Red Hat Enterprise Linux 6. Red Hat Enterprise Linux 6 is now in Extended Life Phase of the support and maintenance life cycle. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.

Comment 10 Mauro Matteo Cascella 2021-03-30 13:41:47 UTC
Upstream advisory (comment 2) states that this issue allows a trusted client to perform an HTTP Request Smuggling attack. In Squid context, "trusted" refers to a client that can normally be expected to use the proxy, meaning that it adheres to the rules specified in the 'http_access' directive: http://www.squid-cache.org/Doc/config/http_access.

This definition does not necessarily imply that clients are to be considered trusted always and by default. From a security perspective, it really comes down to how those rules are set up in a context-specific way. Under some circumstances (e.g., Squid used as a reverse proxy) the proxy may be configured in such a way to accept requests from any clients, thus increasing the impact of this vulnerability.

Comment 12 errata-xmlrpc 2021-04-08 13:31:24 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2021:1135 https://access.redhat.com/errata/RHSA-2021:1135

Comment 13 Product Security DevOps Team 2021-04-08 17:35:14 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):


Comment 15 errata-xmlrpc 2021-05-18 18:51:59 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:1979 https://access.redhat.com/errata/RHSA-2021:1979

Comment 16 errata-xmlrpc 2021-05-19 10:01:52 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support
  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2021:2025 https://access.redhat.com/errata/RHSA-2021:2025

Note You need to log in before you can comment on or make changes to this bug.