Dozens of vulnerabilities affecting the Squid caching and forwarding web proxy remain unpatched two years after a researcher responsibly disclosed them to developers.
Squid is a widely used open source proxy. According to the official site, “Many of you are using Squid without even knowing it! Some companies have embedded Squid in their home or office firewall devices, others use Squid in large-scale web proxy installations to speed up broadband and dialup internet access. Squid is being increasingly used in content delivery architectures to deliver static and streaming video/audio to internet users worldwide.”
The Squid security holes were discovered in 2021 by researcher Joshua Rogers, who this week disclosed the technical details of his findings. Rogers identified 55 vulnerabilities by targeting various components with fuzzing, manual code review and static analysis.
According to the researcher, only a handful of flaws have been assigned CVE identifiers and 35 of them remain unpatched.
Many of the vulnerabilities can lead to a crash, but some can also be exploited for arbitrary code execution.
“The Squid Team have been helpful and supportive during the process of reporting these issues. However, they are effectively understaffed, and simply do not have the resources to fix the discovered issues. Hammering them with demands to fix the issues won’t get far,” Rogers said.
The researcher pointed out that there are more than 2.5 million Squid instances exposed on the internet.
“With any system or project, it is important to regularly review solutions used in your stack to determine whether they are still appropriate,” the researcher said. “If you are running Squid in an environment which may suffer from any of these issues, then it is up to you to reassess whether Squid is the right solution for your system.”
SecurityWeek has reached out to Squid developers for comment and will update this article if they respond.