CVE-2016-4554

squid: Header Smuggling issue in HTTP Request processing

Severity Score

8.6

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

mime_header.cc in Squid before 3.5.18 allows remote attackers to bypass intended same-origin restrictions and possibly conduct cache-poisoning attacks via a crafted HTTP Host header, aka a "header smuggling" issue.

mime_header.cc en Squid en versiones anteriores a 3.5.18 permite a atacantes remotos eludir restricciones destinadas al mismo origen y posiblemente llevar a cabo ataques de envenenamiento de caché a través de una cabecera HTTP Host manipulada, también conocido como un problema "contrabando de peticiones".

An input validation flaw was found in Squid's mime_get_header_field() function, which is used to search for headers within HTTP requests. An attacker could send an HTTP request from the client side with specially crafted header Host header that bypasses same-origin security protections, causing Squid operating as interception or reverse-proxy to contact the wrong origin server. It could also be used for cache poisoning for client not following RFC 7230.

Squid is a high-performance proxy caching server for web clients, supporting FTP, Gopher, and HTTP data objects. Security Fix: A buffer overflow flaw was found in the way the Squid cachemgr.cgi utility processed remotely relayed Squid input. When the CGI interface utility is used, a remote attacker could possibly use this flaw to execute arbitrary code. Buffer overflow and input validation flaws were found in the way Squid processed ESI responses. If Squid was used as a reverse proxy, or for TLS/HTTPS interception, a remote attacker able to control ESI components on an HTTP server could use these flaws to crash Squid, disclose parts of the stack memory, or possibly execute arbitrary code as the user running Squid.

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

None

Integrity

High

Availability

None

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

None

Integrity

Partial

Availability

None

Attack Vector

Network

Attack Complexity

High

Authentication

None

Confidentiality

None

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2016-05-06 CVE Reserved
2016-05-10 CVE Published
2024-08-06 CVE Updated
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-20: Improper Input Validation
CWE-345: Insufficient Verification of Data Authenticity

CAPEC

References (19)

URL	Tag	Source
http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html	Third Party Advisory
http://www.securitytracker.com/id/1035769	Third Party Advisory

URL	Date	SRC

URL	Date	SRC
http://www.squid-cache.org/Versions/v3/3.1/changesets/SQUID-2016_8.patch	2019-12-27
http://www.squid-cache.org/Versions/v3/3.2/changesets/SQUID-2016_8.patch	2019-12-27
http://www.squid-cache.org/Versions/v3/3.3/changesets/SQUID-2016_8.patch	2019-12-27
http://www.squid-cache.org/Versions/v3/3.4/changesets/SQUID-2016_8.patch	2019-12-27
http://www.squid-cache.org/Versions/v3/3.5/changesets/SQUID-2016_8.patch	2019-12-27

URL	Date	SRC
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00010.html	2019-12-27
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00040.html	2019-12-27
http://lists.opensuse.org/opensuse-updates/2016-08/msg00069.html	2019-12-27
http://www.debian.org/security/2016/dsa-3625	2019-12-27
http://www.squid-cache.org/Advisories/SQUID-2016_8.txt	2019-12-27
http://www.ubuntu.com/usn/USN-2995-1	2019-12-27
https://access.redhat.com/errata/RHSA-2016:1138	2019-12-27
https://access.redhat.com/errata/RHSA-2016:1139	2019-12-27
https://access.redhat.com/errata/RHSA-2016:1140	2019-12-27
https://security.gentoo.org/glsa/201607-01	2019-12-27
https://access.redhat.com/security/cve/CVE-2016-4554	2016-05-31
https://bugzilla.redhat.com/show_bug.cgi?id=1334241	2016-05-31

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Oracle Search vendor "Oracle"		Linux Search vendor "Oracle" for product "Linux"				6 Search vendor "Oracle" for product "Linux" and version "6"		-		Affected
Oracle Search vendor "Oracle"		Linux Search vendor "Oracle" for product "Linux"				7 Search vendor "Oracle" for product "Linux" and version "7"		-		Affected
Squid-cache Search vendor "Squid-cache"		Squid Search vendor "Squid-cache" for product "Squid"				<= 3.5.17 Search vendor "Squid-cache" for product "Squid" and version " <= 3.5.17"		-		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				12.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "12.04"		lts		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				14.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "14.04"		lts		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				15.10 Search vendor "Canonical" for product "Ubuntu Linux" and version "15.10"		-		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				16.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "16.04"		lts		Affected