

Several security vulnerabilities in the widely used Squid caching and forwarding web proxy have gone unpatched for two years, despite being responsibly disclosed to developers by researcher Joshua Rogers in 2021.


Squid is a popular open-source proxy, often embedded in home and office firewall devices, and used in large-scale web proxy installations to enhance internet access. It's also increasingly used in content delivery systems for streaming video and audio.

Rogers, who identified 55 vulnerabilities through fuzzing, manual code review, and static analysis, recently disclosed the technical details of his findings. While some flaws have been assigned CVE identifiers, 35 remain unpatched.

These vulnerabilities can potentially lead to system crashes and, in some cases, arbitrary code execution. Rogers noted that the Squid Team has been supportive but understaffed, making it challenging to address all the issues.

Notably, over 2.5 million Squid instances are exposed on the internet, emphasizing the need for regular assessments of the software's suitability for specific environments.

SecurityWeek has contacted Squid developers for comment and will provide updates if they respond.
