Squid httpMakeVaryMark Header Value Denial of Service
TSL ID: TSL20130308-03
CVE ID(s): Not available.
Severity: High
Description

A denial of service vulnerability exists in Squid proxy. The vulnerability is due to a miscalculation of memory size when handling HTTP header values. This causes an assertion to fail, and repeated failures can cause the service to terminate.

A remote attacker can exploit this vulnerability by sending a specially crafted HTTP request. Authentication may or may not be required depending on the server's configuration. Successful exploitation will cause the Squid service to terminate.

The vendor has not yet addressed this vulnerability.

Affected Products
  • Squid Project Squid 2.7.Stable9
  • Squid Project Squid prior to 3.2.9
  • Squid Project Squid prior to 3.3.3
CVSS Score Base 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C):
  • Access vector is NETWORK
  • Access complexity is LOW
  • Level of authentication required is NONE
  • Impact of this vulnerability on data confidentiality is NONE
  • Impact of this vulnerability on data integrity is NONE
  • Impact of this vulnerability on data availability is COMPLETE
Temporal 6.7 (E:POC/RL:U/RC:UR):
  • The exploitability level of this vulnerability is PROOF OF CONCEPT
  • The remediation level of this vulnerability is UNAVAILABLE
  • The report confidence level of this vulnerability is UNCORROBORATED
Identifiers
OSVDB
References http://seclists.org/fulldisclosure/2013/Mar/62