Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2022-41318

CVE-2022-41318: Squid-cache Information Disclosure Flaw

CVE-2022-41318 is an information disclosure vulnerability in Squid-cache Squid caused by a buffer over-read in libntlmauth. This flaw may expose cleartext credentials to clients. Learn about affected versions and fixes.

Published:

CVE-2022-41318 Overview

A buffer over-read vulnerability was discovered in libntlmauth within Squid proxy cache versions 2.5 through 5.6. Due to incorrect integer-overflow protection, the SSPI and SMB authentication helpers are vulnerable to reading unintended memory locations. This Out-of-Bounds Read vulnerability can result in cleartext credentials being sent to clients in certain configurations, posing a significant risk of sensitive information disclosure.

Critical Impact

Attackers can exploit this integer overflow flaw to trigger a buffer over-read condition, potentially leaking cleartext credentials and sensitive memory contents to unauthorized clients over the network.

Affected Products

  • Squid-cache Squid versions 2.5 through 5.6
  • Squid configurations using SSPI authentication helpers
  • Squid configurations using SMB authentication helpers

Discovery Timeline

  • 2022-12-25 - CVE-2022-41318 published to NVD
  • 2025-04-14 - Last updated in NVD database

Technical Details for CVE-2022-41318

Vulnerability Analysis

This vulnerability exists in the libntlmauth library component of Squid proxy cache. The core issue stems from improper integer-overflow protection when handling NTLM authentication requests. When processing authentication data, the affected code fails to properly validate integer boundaries, leading to a buffer over-read condition (CWE-190: Integer Overflow or Wraparound).

When exploited, the vulnerability allows an attacker to cause the SSPI and SMB authentication helpers to read memory beyond the intended buffer boundaries. In specific configurations, this memory may contain cleartext credentials or other sensitive data, which can then be inadvertently transmitted to a malicious client. The network-accessible nature of Squid proxy servers and the lack of authentication required to trigger this flaw increases the exposure risk significantly.

Root Cause

The root cause is an integer overflow vulnerability (CWE-190) in the NTLM authentication handling code within libntlmauth. The flawed integer-overflow protection mechanism fails to properly validate size calculations, allowing arithmetic overflow conditions that result in undersized buffer allocations or incorrect boundary checks. This creates a scenario where memory reads can extend beyond legitimate buffer boundaries.

Attack Vector

The attack is network-based and can be executed remotely without requiring authentication or user interaction. An attacker can craft malicious NTLM authentication requests that trigger the integer overflow condition. When the vulnerable code processes these requests, it reads beyond the allocated buffer, potentially capturing credentials or sensitive data stored in adjacent memory regions. The attacker receives this data as part of the authentication response, enabling credential theft or information disclosure.

The vulnerability is particularly dangerous in environments where:

  • Squid is configured with SSPI authentication on Windows systems
  • SMB authentication helpers are enabled
  • The proxy handles authentication for multiple users
  • Cleartext credentials may be present in memory

Detection Methods for CVE-2022-41318

Indicators of Compromise

  • Unusual NTLM authentication traffic patterns with malformed or oversized requests
  • Authentication errors or unexpected responses from SSPI/SMB helpers in Squid logs
  • Memory access violations or crashes in the libntlmauth library
  • Unexpected credential exposure reports from users authenticating through Squid

Detection Strategies

  • Monitor Squid access and cache logs for anomalous NTLM authentication request patterns
  • Implement network intrusion detection rules to identify malformed NTLM authentication packets
  • Deploy endpoint detection to monitor for unusual memory access patterns in Squid processes
  • Review authentication helper subprocess behavior for unexpected memory operations

Monitoring Recommendations

  • Enable verbose logging for NTLM authentication events in Squid configuration
  • Set up alerting for authentication helper crashes or restarts
  • Monitor network traffic for unusual authentication response sizes
  • Implement memory integrity monitoring on systems running vulnerable Squid versions

How to Mitigate CVE-2022-41318

Immediate Actions Required

  • Upgrade Squid to version 5.7 or later, which contains the official fix
  • Apply the appropriate vendor-provided patch for your Squid version
  • If upgrading is not immediately possible, consider disabling SSPI and SMB authentication helpers
  • Review and audit systems for potential credential exposure if exploitation is suspected

Patch Information

Squid-cache has released patches to address this vulnerability. The fix is included in Squid version 5.7. For systems running older versions, apply the appropriate patch:

Additional details are available in the GitHub Security Advisory GHSA-394c-rr7q-6g78 and the Openwall OSS-Security Email Discussion.

Workarounds

  • Disable NTLM authentication and use alternative authentication methods if feasible
  • Restrict network access to Squid proxy to trusted clients only using firewall rules
  • Implement network segmentation to limit exposure of the vulnerable service
  • Monitor authentication traffic closely for signs of exploitation attempts
bash
# Configuration example - Disable NTLM authentication helpers
# In squid.conf, comment out or remove NTLM auth helper configurations:
# auth_param ntlm program /usr/lib/squid/ntlm_smb_lm_auth
# auth_param ntlm children 5

# Alternatively, restrict access to trusted networks only:
acl trusted_networks src 10.0.0.0/8 192.168.0.0/16
http_access allow trusted_networks
http_access deny all

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.