SQUID-2023:4 Denial of Service in SSL Certificate validation
Description
Squid is a caching proxy for the Web. Due to an Improper Validation of Specified Index bug, Squid versions 3.3.0.1 through 5.9 and 6.0 prior to 6.4 compiled using --with-openssl are vulnerable to a Denial of Service attack against SSL Certificate validation. This problem allows a remote server to perform Denial of Service against Squid Proxy by initiating a TLS Handshake with a specially crafted SSL Certificate in a server certificate chain. This attack is limited to HTTPS and SSL-Bump. This bug is fixed in Squid version 6.4. In addition, patches addressing this problem for the stable releases can be found in Squid's patch archives. Those who use a prepackaged version of Squid should refer to the package vendor for availability information on updated packages.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- pkg:rpm/almalinux/libecap (no CPE), range: < 1.0.1-2.module_el8.6.0+2741+01592ae8
- pkg:rpm/almalinux/libecap-devel (no CPE), range: < 1.0.1-2.module_el8.6.0+2741+01592ae8
- pkg:rpm/almalinux/squid (no CPE), range: < 7:4.15-7.module_el8.9.0+3708+6acaac63.5
- pkg:rpm/opensuse/squid&distro=openSUSE%20Leap%2015.4 (no CPE), range: < 5.7-150400.3.12.1
- pkg:rpm/opensuse/squid&distro=openSUSE%20Leap%2015.5 (no CPE), range: < 5.7-150400.3.12.1
- pkg:rpm/opensuse/squid&distro=openSUSE%20Tumbleweed (no CPE), range: < 6.4-1.1
- pkg:rpm/suse/squid&distro=SUSE%20Enterprise%20Storage%207.1 (no CPE), range: < 4.17-150000.5.38.1
- pkg:rpm/suse/squid&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-LTSS (no CPE), range: < 4.17-150000.5.38.1
- pkg:rpm/suse/squid&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP2-LTSS (no CPE), range: < 4.17-150000.5.38.1
- pkg:rpm/suse/squid&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP3-ESPOS (no CPE), range: < 4.17-150000.5.38.1
- pkg:rpm/suse/squid&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP3-LTSS (no CPE), range: < 4.17-150000.5.38.1
- pkg:rpm/suse/squid&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Server%20Applications%2015%20SP4 (no CPE), range: < 5.7-150400.3.12.1
- pkg:rpm/suse/squid&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Server%20Applications%2015%20SP5 (no CPE), range: < 5.7-150400.3.12.1
- pkg:rpm/suse/squid&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5 (no CPE), range: < 4.17-4.30.1
- pkg:rpm/suse/squid&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-LTSS (no CPE), range: < 4.17-150000.5.38.1
- pkg:rpm/suse/squid&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP2-LTSS (no CPE), range: < 4.17-150000.5.38.1
- pkg:rpm/suse/squid&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP3-LTSS (no CPE), range: < 4.17-150000.5.38.1
- pkg:rpm/suse/squid&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5 (no CPE), range: < 4.17-4.30.1
- pkg:rpm/suse/squid&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP1 (no CPE), range: < 4.17-150000.5.38.1
- pkg:rpm/suse/squid&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP2 (no CPE), range: < 4.17-150000.5.38.1
- pkg:rpm/suse/squid&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP3 (no CPE), range: < 4.17-150000.5.38.1
- (no package coordinate), range: >= 3.3.0.1, < 6.4
Patches
Vulnerability mechanics
Root cause
"Improper validation of the Common Name (CN) in SSL certificates allows for a denial of service."
Attack vector
A remote server can initiate a TLS handshake with a specially crafted SSL certificate chain against a vulnerable Squid proxy. This attack is limited to HTTPS and SSL-Bump configurations. The crafted certificate causes an improper validation of the certificate's Common Name (CN), leading to a denial of service. [ref_id=1]
Affected code
The vulnerability resides in the `matchDomainName` function within the `src/anyp/Uri.cc` file. The patch specifically adds checks for an empty domain string (`dl == 0`) to prevent improper handling during certificate validation. [ref_id=1]
What the fix does
The patch modifies the `matchDomainName` function to correctly handle cases where the domain string is empty. Previously, an empty domain string could lead to incorrect comparisons and potential buffer under-reads when validating certificate Common Names. The fix ensures that such cases are handled properly, preventing the denial of service vulnerability. [ref_id=1]
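To make the shape of the fix concrete, here is an added illustration in C. It is this page's example code, not Squid's `matchDomainName` and not the linked patch: the function name `match_domain_name`, its signature, its strcmp-style return convention and the exact matching rules (case-insensitive suffix match, a leading `.` in the pattern accepting the bare domain and any subdomain) are this example's own assumptions. What it shares with the narrative above is the structure of the routine, a backwards walk over both strings driven by the pattern length, and the guard that rejects an empty pattern before that walk can index one byte before the start of the string.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/*
 * Illustrative domain-suffix matcher (this example's own code, not Squid's
 * matchDomainName). Compares host h against pattern d from the end, case-
 * insensitively. A pattern starting with '.' matches the bare domain and any
 * subdomain of it; any other pattern must equal the host exactly. Returns 0 on
 * match and 1 on mismatch, strcmp-style.
 */
int match_domain_name(const char *h, const char *d)
{
    size_t hl = strlen(h);
    size_t dl = strlen(d);

    /* Tolerate the absolute form "example.com." by ignoring the final dot. */
    if (hl > 0 && h[hl - 1] == '.')
        --hl;

    /*
     * Guard for an empty pattern, the class of check the fix described above
     * adds. Without it the backwards walk below would index d[dl - 1] with
     * dl == 0, i.e. read the byte before the start of the string. A name taken
     * from an untrusted certificate can be empty, so reject it here instead
     * of comparing.
     */
    if (dl == 0)
        return 1;

    /* ".example.com" should also accept the bare "example.com": drop the dot. */
    if (hl + 1 == dl && d[0] == '.') {
        ++d;
        --dl;
    }

    /* A host shorter than the pattern can never end with it. */
    if (hl < dl)
        return 1;

    /* Walk both strings backwards until the pattern is consumed. */
    while (dl > 0) {
        --dl;
        --hl;
        if (tolower((unsigned char)h[hl]) != tolower((unsigned char)d[dl]))
            return 1;
    }

    if (hl == 0)
        return 0;   /* identical, ignoring case */
    if (d[0] == '.')
        return 0;   /* host is a subdomain of the ".suffix" pattern */
    return 1;       /* host has extra leading characters but the pattern is not a ".suffix" */
}

int main(void)
{
    /* Constructed inputs; the empty pattern stands in for a degenerate
     * certificate name that must be rejected rather than compared. */
    struct { const char *host, *pattern; } cases[] = {
        { "www.example.com", ".example.com" },
        { "example.com",     ".example.com" },
        { "www.example.com", "example.com"  },
        { "EXAMPLE.COM",     "example.com"  },
        { "www.example.com", ""             },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; ++i)
        printf("%-16s vs %-13s -> %s\n", cases[i].host,
               cases[i].pattern[0] ? cases[i].pattern : "(empty)",
               match_domain_name(cases[i].host, cases[i].pattern) == 0 ? "match" : "no match");
    return 0;
}
```

The ordering matters: the empty-pattern check sits before any arithmetic on `dl` and before the dot-stripping step, so no code path ever computes `dl - 1` from zero. When auditing similar string-suffix routines, look for the same invariant, that every index derived from a length is checked against that length before use on data that came from a peer.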
Preconditions
- Squid must be compiled with OpenSSL support (`--with-openssl`, as stated in the description above).
- The Squid proxy must be configured to handle HTTPS or SSL-Bump traffic.
Generated on Jun 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- www.squid-cache.org/Versions/v5/SQUID-2023_4.patch (mitre, x_refsource_MISC)
- www.squid-cache.org/Versions/v6/SQUID-2023_4.patch (mitre, x_refsource_MISC)
- github.com/squid-cache/squid/commit/b70f864940225dfe69f9f653f948e787f99c3810 (mitre, x_refsource_MISC)
- github.com/squid-cache/squid/security/advisories/GHSA-73m6-jm96-c6r3 (mitre, x_refsource_CONFIRM)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/A5QASTMCUSUEW3UOMKHZJB3FTONWSRXS/ (mitre)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MEV66D3PAAY6K7TWDT3WZBLCPLASFJDC/ (mitre)
- security.netapp.com/advisory/ntap-20231208-0001/ (mitre)