CVE-2020-11945 Overview
An integer overflow vulnerability was discovered in Squid proxy cache before version 5.0.2 affecting the Digest Authentication nonce reference counter. This critical flaw allows remote attackers to replay sniffed Digest Authentication nonces to gain unauthorized access to protected resources. The vulnerability stems from the use of a short integer for the nonce reference counter, which can overflow when manipulated by an attacker. In severe cases where pooled token credentials are freed rather than replayed as valid credentials, this vulnerability can lead to remote code execution.
Critical Impact
Remote attackers can bypass Digest Authentication to access forbidden resources, with potential for remote code execution through memory corruption when credential tokens are improperly freed.
Affected Products
- Squid-cache Squid (versions before 5.0.2)
- Debian Debian Linux (9.0, 10.0)
- openSUSE Leap (15.1)
- Fedora (30, 31, 32)
- Canonical Ubuntu Linux (16.04 LTS, 18.04 LTS, 19.10, 20.04 LTS)
Discovery Timeline
- 2020-04-23 - CVE-2020-11945 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2020-11945
Vulnerability Analysis
This vulnerability stems from a weakness in Squid's handling of Digest Authentication nonces. The nonce reference counter is a short integer, whose limited range can be exhausted by repeated authentication attempts that reuse the same nonce. When the counter wraps around, the authentication state becomes corrupted and unauthorized access becomes possible.
The attack is particularly dangerous because it operates at the network level, requiring no prior authentication or user interaction. An attacker who can sniff network traffic containing valid Digest Authentication exchanges can capture nonces and replay them with crafted requests designed to trigger the integer overflow. This allows bypassing authentication controls that would normally protect sensitive resources.
The potential for remote code execution elevates this from an authentication bypass to a memory corruption vulnerability. When the nonce reference counter overflows and the associated pooled token credentials are freed prematurely, subsequent access to these freed memory regions can lead to use-after-free conditions. An attacker who can control the timing and content of memory operations may leverage this to achieve arbitrary code execution within the Squid process context.
Root Cause
The root cause is CWE-190 (Integer Overflow or Wraparound) in the nonce reference counter implementation. The counter was implemented using a short integer type, which provides insufficient range to handle high-volume or maliciously crafted authentication requests. When the counter exceeds its maximum value, it wraps around to a negative value or zero, causing the authentication state machine to behave unexpectedly and potentially freeing memory that is still in use.
Attack Vector
The attack is conducted over the network without requiring any privileges or user interaction. An attacker positions themselves to capture network traffic between clients and the vulnerable Squid proxy server. By collecting valid Digest Authentication nonces from this traffic, the attacker can craft replay requests that systematically increment the nonce reference counter. Once the counter overflows, the attacker gains access to resources that should require valid authentication.
The exploitation flow involves sniffing Digest Authentication exchanges, replaying captured nonces with modified requests, triggering the integer overflow in the reference counter, and then accessing protected resources or potentially executing arbitrary code if the memory corruption conditions are met.
Detection Methods for CVE-2020-11945
Indicators of Compromise
- Unusual volume of Digest Authentication attempts from single source IPs
- Authentication log entries showing nonce reuse or replay patterns
- Squid proxy crashes or unexpected restarts indicating potential memory corruption
- Access log entries showing unauthorized access to protected resources
Detection Strategies
- Monitor Squid access logs for repeated authentication attempts using identical or sequential nonce values
- Implement network traffic analysis to detect Digest Authentication replay attempts
- Deploy intrusion detection rules to identify abnormal patterns in HTTP authentication headers
- Review Squid error logs for memory-related errors or segmentation faults
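The log review described above, as an added detection example that is not part of the original advisory or of Squid itself. It assumes a custom Squid logformat that appends the request's Authorization header after the user field (Squid does not log that header by default), and the log lines and client addresses are constructed; it flags a nonce counter (nc) that fails to increase, a nonce reused from a different client address, and a single nonce driven to the upper bound of a signed short.

```python
import re
from collections import defaultdict

# Largest signed 16-bit short value, the type the advisory attributes to the counter.
SHORT_MAX = 0x7FFF

# Assumed line layout (custom logformat, not Squid's default):
# <ts> <client-ip> <result> <method> <url> <user> Digest <params>
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<ip>\S+)(?:\s+\S+){3}\s+(?P<user>\S+)\s+(?P<auth>Digest\s.*)$")
PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')

# Constructed sample: two legitimate requests, then the same nonce and nc
# replayed from a different client address.
SAMPLE_LOG = """\
1587600000.101 10.0.0.5 TCP_MISS/200 GET http://intranet/ alice Digest username="alice", realm="Squid", nonce="abc123", uri="/", nc=00000001, cnonce="x1", response="00"
1587600001.202 10.0.0.5 TCP_MISS/200 GET http://intranet/ alice Digest username="alice", realm="Squid", nonce="abc123", uri="/", nc=00000002, cnonce="x2", response="00"
1587600002.303 203.0.113.9 TCP_MISS/200 GET http://intranet/ alice Digest username="alice", realm="Squid", nonce="abc123", uri="/", nc=00000001, cnonce="x1", response="00"
"""

def parse_line(line):
    """Return (client_ip, nonce, nc) or None if the line carries no Digest header."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    params = {k: q or u for k, q, u in PARAM_RE.findall(m.group("auth"))}
    if "nonce" not in params or "nc" not in params:
        return None
    try:
        return m.group("ip"), params["nonce"], int(params["nc"], 16)  # nc is hex
    except ValueError:
        return None

def analyze(lines, counter_limit=SHORT_MAX):
    """Flag nc replay, cross-client nonce reuse, and a nonce used counter_limit times."""
    findings, highest_nc, owner, uses = [], {}, {}, defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, nonce, nc = rec
        uses[nonce] += 1
        if nc <= highest_nc.get(nonce, 0):       # nc must increase per nonce
            findings.append(("nc_replay", ip, nonce, nc))
        highest_nc[nonce] = max(nc, highest_nc.get(nonce, 0))
        if owner.setdefault(nonce, ip) != ip:    # nonce first seen from another client
            findings.append(("nonce_cross_ip", ip, nonce, nc))
        if uses[nonce] == counter_limit:         # one nonce driven to the short's range
            findings.append(("counter_exhaustion", ip, nonce, uses[nonce]))
    return findings
```

Run `analyze(SAMPLE_LOG.splitlines())` to see the replay flagged twice (stale nc and a second client address); tune `counter_limit` lower to alert well before the counter's range is reached.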
Monitoring Recommendations
- Configure alerting on Squid process crashes or abnormal terminations
- Establish baseline metrics for authentication failure rates and alert on deviations
- Monitor for unusual network traffic patterns targeting Squid proxy ports
- Implement log aggregation to correlate authentication events across multiple proxy instances
How to Mitigate CVE-2020-11945
Immediate Actions Required
- Upgrade Squid to version 5.0.2 or later immediately
- Apply the vendor-provided patch squid-4-eeebf0f37a72a2de08348e85ae34b02c34e9a811.patch for Squid 4.x installations
- Consider temporarily disabling Digest Authentication if patching cannot be performed immediately
- Review access logs for signs of exploitation prior to patching
Patch Information
The Squid development team has released patches addressing this vulnerability. The fix is available as a commit in the Squid GitHub repository and the corresponding GitHub Pull Request #585. For Squid 4.x installations, apply the vendor's Squid 4 patch.
Distribution-specific security updates are available through:
- Ubuntu Security Notice USN-4356-1
- Debian Security Advisory DSA-4682
- Gentoo GLSA 202005-05
- Fedora Package Announcements
Workarounds
- Disable Digest Authentication and switch to alternative authentication methods such as Basic Authentication over HTTPS or NTLM
- Implement network segmentation to limit exposure of Squid proxy servers to trusted networks only
- Deploy a web application firewall (WAF) or reverse proxy in front of Squid to filter malicious authentication attempts
- Enable TLS encryption for all proxy communications to prevent nonce sniffing attacks
# Configuration example - Disable Digest Authentication in squid.conf
# Comment out or remove digest authentication configuration
# auth_param digest program /usr/lib/squid/digest_file_auth /etc/squid/passwd
# auth_param digest children 5
# auth_param digest realm Squid proxy-caching web server
# auth_param digest nonce_garbage_interval 5 minutes
# auth_param digest nonce_max_duration 30 minutes
# Use Basic Authentication over HTTPS instead
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.