Dozens of Squid Proxy Vulnerabilities Remain Unpatched 2 Years After Disclosure

October 13, 2023 at 06:18AM

Dozens of vulnerabilities in the Squid caching and forwarding web proxy, discovered in 2021 by researcher Joshua Rogers, remain unpatched. Only a few flaws have been addressed, while 35 vulnerabilities still exist. The Squid Team lacks resources to address the issues, and the researcher suggests reassessing the use of Squid in system environments that may be affected. There are over 2.5 million Squid instances exposed on the internet.

Meeting Takeaways:
– Several vulnerabilities affecting the Squid caching and forwarding web proxy remain unpatched, despite being disclosed to developers two years ago.
– Squid is widely used in various applications, including firewall devices, web proxy installations, and content delivery architectures.
– Researcher Joshua Rogers discovered 55 vulnerabilities in Squid through various methods, with only a few being assigned CVE identifiers and 35 remaining unpatched.
– These vulnerabilities can result in crashes and also allow for arbitrary code execution.
– The Squid Team has been helpful during the reporting process but lacks the resources to fix all the issues promptly.
– There are over 2.5 million exposed Squid instances on the internet.
– Users of Squid are advised to reassess whether it is the right solution for their system if it is prone to these vulnerabilities.
– SecurityWeek has reached out to Squid developers for comment, and updates may follow.
