Squid is a popular caching proxy for web applications that supports multiple protocols, including HTTP, HTTPS, and FTP. However, a recently disclosed vulnerability, CVE-2023-46728, shows that Squid's Gopher gateway is susceptible to a Denial of Service (DoS) attack caused by a NULL pointer dereference bug. The Gopher protocol, a text-based protocol designed for easy retrieval of documents and information over the internet, is enabled by default in Squid versions prior to 6..1. Alarmingly, responses that trigger this bug can be received from any Gopher server, regardless of whether or not it has malicious intent.

This article provides a brief overview of the vulnerability, along with code snippets, links to the original references, and recommendations for mitigation.

Exploit details

To understand the vulnerability better, let's look at the NULL pointer dereference bug through a snippet of the affected code:

void
gopherStateFree(GopherStateData * gopherState, int theFwdState)
{
    // gopherState is dereferenced here before any check that it is non-NULL
    if (gopherState->entry) {
        if (!EBIT_TEST(gopherState->entry->flags, ENTRY_FWD_HDR_WAIT) && theFwdState == -1) {
            debugs(10, DBG_IMPORTANT, "gopherStateFree: FWD==NULL,entry still active...\n");
        }
        storeUnlockObject(gopherState->entry);   // release the StoreEntry reference
    }
    cbdataFree(gopherState);   // free the state object itself
}

In this code, gopherStateFree() dereferences gopherState (when it reads gopherState->entry) and then frees it, without first checking whether gopherState is NULL. When it is NULL, the result is a NULL pointer dereference that crashes the process, which an attacker can use to take the service down.

As a result, an attacker who can trigger this code path can launch a DoS attack against the Squid Gopher gateway and crash the server.

Original references

- Squid CVE-2023-46728 Advisory
- Mitre CVE-2023-46728 Record
- National Vulnerability Database (NVD) CVE-2023-46728 Detail

Mitigation

To address this vulnerability, Squid removed Gopher support in Squid version 6..1. Users are therefore strongly advised to upgrade to that version or later.

For those unable to upgrade, it is recommended to reject all Gopher URL requests to mitigate the risk of exploitation. This can be done with the following lines in the Squid configuration file (squid.conf). Because Squid evaluates http_access rules in order and stops at the first match, the deny line must be placed before any http_access allow rule that would otherwise match the request:

acl gopher_proto proto gopher
http_access deny gopher_proto
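An added example (not part of the original article or of Squid itself) that audits a squid.conf text for this mitigation: it finds ACLs of type proto that cover gopher and checks that an unconditional http_access deny on one of them appears before the first http_access allow. The two sample configurations are constructed for the example.

```python
# Constructed sample: the deny rule placed before any allow, so it always fires.
SAMPLE_GOOD = """
acl localnet src 10.0.0.0/8
acl gopher_proto proto gopher
http_access deny gopher_proto
http_access allow localnet
http_access deny all
"""

# Constructed sample: the deny rule appended after an allow. Squid stops at the
# first matching rule, so Gopher requests from localnet are still allowed.
SAMPLE_BAD = """
acl localnet src 10.0.0.0/8
acl gopher_proto proto gopher
http_access allow localnet
http_access deny gopher_proto
http_access deny all
"""


def _tokens(line: str) -> list:
    """Split a squid.conf line into tokens, dropping trailing '#' comments."""
    return line.split("#", 1)[0].split()


def gopher_acl_names(conf: str) -> set:
    """Return the names of 'proto' ACLs whose value list includes gopher."""
    names = set()
    for line in conf.splitlines():
        parts = _tokens(line)
        if len(parts) >= 4 and parts[0] == "acl" and parts[2] == "proto":
            if any(v.lower() == "gopher" for v in parts[3:]):
                names.add(parts[1])
    return names


def gopher_denied_before_allow(conf: str) -> bool:
    """True if an unconditional deny on a gopher ACL precedes every http_access allow."""
    acls = gopher_acl_names(conf)
    for line in conf.splitlines():
        parts = _tokens(line)
        if len(parts) < 3 or parts[0] != "http_access":
            continue
        action, terms = parts[1], parts[2:]
        # Only a deny whose sole term is a gopher ACL (no '!' negation, no extra
        # conditions) rejects every Gopher request.
        if action == "deny" and len(terms) == 1 and terms[0] in acls:
            return True
        if action == "allow":
            return False   # an allow was reached first; the deny cannot protect
    return False
```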

Conclusion

The discovery of the CVE-2023-46728 vulnerability in Squid's Gopher gateway highlights the importance of continuously updating and securing applications, especially those supporting multiple protocols. Take immediate steps to upgrade to Squid 6..1 or implement the recommended mitigation measures to protect your proxy server from potential Denial of Service attacks.

Timeline

Published on: 11/06/2023 18:15:08 UTC
Last modified on: 12/29/2023 03:15:10 UTC