CVE-2021-28116 Overview
CVE-2021-28116 is an out-of-bounds read vulnerability affecting Squid proxy server through version 4.14 and 5.x through 5.0.5. In certain configurations, the vulnerability exists within the WCCP (Web Cache Communication Protocol) implementation, allowing attackers to disclose sensitive information from memory. This vulnerability can be leveraged as part of an attack chain to achieve remote code execution running as the nobody user.
Critical Impact
This out-of-bounds read vulnerability can expose sensitive memory contents and potentially be chained with other vulnerabilities to achieve remote code execution on affected Squid proxy servers.
Affected Products
- Squid-cache Squid versions through 4.14
- Squid-cache Squid versions 5.x through 5.0.5
- Fedora 33 and 34 (bundled Squid packages)
- Debian Linux 10.0 and 11.0 (bundled Squid packages)
Discovery Timeline
- 2021-03-09 - CVE-2021-28116 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-28116
Vulnerability Analysis
This vulnerability is classified as CWE-125 (Out-of-Bounds Read), occurring within Squid's WCCP protocol data handling code. The WCCP protocol is used for transparent redirection of traffic to web caches, and the vulnerable code path improperly validates bounds when processing WCCP protocol messages.
When Squid receives specially crafted WCCP protocol data, the parser fails to properly validate the length of input data before reading from memory buffers. This allows an attacker to trigger a read operation beyond the allocated buffer boundaries, potentially exposing sensitive information stored in adjacent memory regions.
The information disclosure itself may seem limited in isolation, but the Zero Day Initiative Advisory notes this vulnerability can be chained with other techniques to escalate to remote code execution. The attack executes in the context of the nobody user, which is the typical unprivileged account under which Squid runs.
Root Cause
The root cause of this vulnerability lies in insufficient bounds checking within the WCCP protocol message parser. When processing incoming WCCP data packets, the code reads data based on length fields within the protocol message without properly validating that these lengths fall within the actual allocated buffer size. This classic out-of-bounds read pattern allows memory disclosure when an attacker supplies malformed WCCP messages with manipulated length values.
Attack Vector
The attack is network-based and can be executed remotely without authentication. An attacker must be able to send WCCP protocol traffic to the vulnerable Squid server, which typically listens on UDP port 2048 for WCCP messages. The attack requires that WCCP functionality be enabled in the Squid configuration.
The attacker crafts malicious WCCP protocol packets with length fields designed to cause the parser to read beyond buffer boundaries. The disclosed memory contents are then returned to the attacker, potentially revealing sensitive information such as memory addresses, configuration data, or session information that could facilitate further exploitation.
For detailed technical analysis of the vulnerability mechanism, refer to the GitHub Security Advisory.
Detection Methods for CVE-2021-28116
Indicators of Compromise
- Unusual WCCP traffic patterns on UDP port 2048, particularly malformed or unusually sized packets
- Squid process crashes or unexpected memory access errors in logs
- Anomalous network connections to the Squid server from unexpected sources attempting WCCP communication
- Memory disclosure artifacts in network traffic responses from the Squid server
Detection Strategies
- Monitor WCCP protocol traffic (UDP port 2048) for malformed packets with abnormal length fields
- Implement network intrusion detection rules to identify potential WCCP exploitation attempts
- Review Squid access and cache logs for unusual error patterns or crashes
- Deploy endpoint detection to monitor for unexpected memory access patterns in the Squid process
Monitoring Recommendations
- Enable verbose logging for WCCP protocol handling in Squid configurations
- Implement network-level monitoring for WCCP traffic anomalies
- Set up alerting for Squid service crashes or restarts that may indicate exploitation attempts
- Monitor for reconnaissance activity targeting WCCP-enabled services on your network
How to Mitigate CVE-2021-28116
Immediate Actions Required
- Upgrade Squid to a patched version (versions after 4.14 for the 4.x branch, or after 5.0.5 for the 5.x branch)
- If WCCP functionality is not required, disable it in the Squid configuration to eliminate the attack surface
- Implement network-level filtering to restrict WCCP traffic to trusted sources only
- Apply vendor-supplied patches from your Linux distribution (Fedora, Debian, Gentoo)
Patch Information
Security patches are available from the Squid project and various Linux distributions. Consult the Squid Cache Version Information page for the latest patched versions. Distribution-specific fixes are available through:
Workarounds
- Disable WCCP entirely if not required by removing or commenting out wccp_router and wccp2_router directives
- Restrict WCCP traffic using firewall rules to only allow connections from trusted router IP addresses
- Deploy network segmentation to isolate Squid servers and limit exposure to untrusted WCCP traffic
- Consider deploying a Web Application Firewall (WAF) or IDS with rules to detect WCCP exploitation attempts
# Configuration example - Disable WCCP in squid.conf
# Comment out or remove any wccp_router directives:
# wccp_router 192.168.1.1
# wccp2_router 192.168.1.1
# If WCCP must be used, restrict to specific trusted routers only:
# wccp_router 10.0.0.1
# acl wccp_allowed src 10.0.0.1
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
