CVE-2022-41318 Overview
A buffer over-read vulnerability was discovered in libntlmauth within Squid proxy cache versions 2.5 through 5.6. Due to incorrect integer-overflow protection, the SSPI and SMB authentication helpers are vulnerable to reading unintended memory locations. This Out-of-Bounds Read vulnerability can result in cleartext credentials being sent to clients in certain configurations, posing a significant risk of sensitive information disclosure.
Critical Impact
Attackers can exploit this integer overflow flaw to trigger a buffer over-read condition, potentially leaking cleartext credentials and sensitive memory contents to unauthorized clients over the network.
Affected Products
- Squid-cache Squid versions 2.5 through 5.6
- Squid configurations using SSPI authentication helpers
- Squid configurations using SMB authentication helpers
Discovery Timeline
- 2022-12-25 - CVE-2022-41318 published to NVD
- 2025-04-14 - Last updated in NVD database
Technical Details for CVE-2022-41318
Vulnerability Analysis
This vulnerability exists in the libntlmauth library component of Squid proxy cache. The core issue stems from improper integer-overflow protection when handling NTLM authentication requests. When processing authentication data, the affected code fails to validate integer boundaries correctly (CWE-190: Integer Overflow or Wraparound), which leads to a buffer over-read condition.
When exploited, the vulnerability allows an attacker to cause the SSPI and SMB authentication helpers to read memory beyond the intended buffer boundaries. In specific configurations, this memory may contain cleartext credentials or other sensitive data, which can then be inadvertently transmitted to a malicious client. The network-accessible nature of Squid proxy servers and the lack of authentication required to trigger this flaw increase the exposure risk significantly.
Root Cause
The root cause is an integer overflow vulnerability (CWE-190) in the NTLM authentication handling code within libntlmauth. The flawed integer-overflow protection mechanism fails to properly validate size calculations, allowing arithmetic overflow conditions that result in undersized buffer allocations or incorrect boundary checks. This creates a scenario where memory reads can extend beyond legitimate buffer boundaries.
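The following is an added, generic illustration of the CWE-190 pattern described in the Vulnerability Analysis and Root Cause sections above. It is example code written for this page, not Squid's libntlmauth source; the struct layout, function names and values are hypothetical. It shows a length check that accepts an out-of-range field because the offset-plus-length sum wraps around in 32-bit arithmetic, alongside the overflow-safe form of the same check and a reader that refuses to copy the field unless the safe check passes.

```c
/*
 * Generic CWE-190 illustration (added example, not Squid code).
 * An NTLM-style message carries fields described by a "security buffer":
 * a length and an offset into the enclosing message.  A parser must verify
 * that offset + len lies inside the message before reading the field.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

struct sec_buf {      /* hypothetical field descriptor */
    uint16_t len;
    uint16_t maxlen;
    uint32_t offset;
};

/* Weak check: offset + len is formed in 32 bits and can wrap, so a huge
 * offset with a small len produces a tiny sum that passes the comparison
 * even though the field lies far outside msg.  Returns 1 when accepted. */
int field_in_bounds_weak(const struct sec_buf *b, uint32_t msg_len)
{
    return (uint32_t)(b->offset + b->len) <= msg_len;   /* sum may wrap */
}

/* Hardened check: never form a sum that can overflow; compare each part
 * against what remains of the message instead. */
int field_in_bounds_safe(const struct sec_buf *b, uint32_t msg_len)
{
    if (b->len > msg_len)
        return 0;
    return b->offset <= msg_len - b->len;
}

/* Copy the described field into out using the hardened check.
 * Returns the number of bytes copied, or -1 if the field is rejected. */
int extract_field(const uint8_t *msg, uint32_t msg_len, const struct sec_buf *b,
                  uint8_t *out, size_t out_len)
{
    if (!field_in_bounds_safe(b, msg_len) || b->len > out_len)
        return -1;
    memcpy(out, msg + b->offset, b->len);
    return b->len;
}

/* Constructed demo: a 64-byte message with "ABCD" at offset 8, one valid
 * descriptor and one whose offset+len wraps.  Returns 1 if the weak check
 * wrongly accepts the wrapped descriptor while the safe reader rejects it
 * and still extracts the valid field correctly. */
int run_demo(void)
{
    uint8_t msg[64] = {0};
    uint8_t out[16];
    struct sec_buf ok  = { .len = 4,    .maxlen = 4,    .offset = 8 };
    struct sec_buf bad = { .len = 0x20, .maxlen = 0x20, .offset = 0xFFFFFFF0u };

    memcpy(msg + 8, "ABCD", 4);
    if (!field_in_bounds_weak(&bad, sizeof msg))                 /* 0xFFFFFFF0 + 0x20 wraps to 0x10 */
        return 0;
    if (extract_field(msg, sizeof msg, &bad, out, sizeof out) != -1)
        return 0;
    if (extract_field(msg, sizeof msg, &ok, out, sizeof out) != 4)
        return 0;
    return memcmp(out, "ABCD", 4) == 0;
}

int main(void)
{
    printf("weak check fooled, safe check holds: %s\n", run_demo() ? "yes" : "no");
    return 0;
}
```

The weak form is the shape of check that a review for this bug class should look for: any `offset + len <= total` comparison in parsing code is suspect unless the operands are already bounded, because the sum can silently wrap and let a later `memcpy` or string read run past the message.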
Attack Vector
The attack is network-based and can be executed remotely without requiring authentication or user interaction. An attacker can craft malicious NTLM authentication requests that trigger the integer overflow condition. When the vulnerable code processes these requests, it reads beyond the allocated buffer, potentially capturing credentials or sensitive data stored in adjacent memory regions. The attacker receives this data as part of the authentication response, enabling credential theft or information disclosure.
The vulnerability is particularly dangerous in environments where:
- Squid is configured with SSPI authentication on Windows systems
- SMB authentication helpers are enabled
- The proxy handles authentication for multiple users
- Cleartext credentials may be present in memory
Detection Methods for CVE-2022-41318
Indicators of Compromise
- Unusual NTLM authentication traffic patterns with malformed or oversized requests
- Authentication errors or unexpected responses from SSPI/SMB helpers in Squid logs
- Memory access violations or crashes in the libntlmauth library
- Unexpected credential exposure reports from users authenticating through Squid
Detection Strategies
- Monitor Squid access and cache logs for anomalous NTLM authentication request patterns
- Implement network intrusion detection rules to identify malformed NTLM authentication packets
- Deploy endpoint detection to monitor for unusual memory access patterns in Squid processes
- Review authentication helper subprocess behavior for unexpected memory operations
Monitoring Recommendations
- Enable verbose logging for NTLM authentication events in Squid configuration
- Set up alerting for authentication helper crashes or restarts
- Monitor network traffic for unusual authentication response sizes
- Implement memory integrity monitoring on systems running vulnerable Squid versions
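As an added example of the log-based detection and the response-size monitoring recommended above (example code written for this page, not part of Squid or any detection product), the scanner below reads Squid access.log lines in the default native format, keeps per-client statistics for 407 Proxy-Authentication-Required responses, and flags a client whose 407 count or largest 407 reply exceeds a threshold. The sample log lines and both thresholds are constructed and hypothetical; tune them against your own baseline, since a normal NTLM handshake legitimately produces two 407 responses per connection.

```c
/*
 * Added example: per-client scan of native-format Squid access.log lines for
 * anomalous 407 (proxy auth) traffic.  Not Squid code; sample lines and
 * thresholds are constructed for illustration.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_CLIENTS      32
#define COUNT_THRESHOLD  5        /* hypothetical: 407s per client per window */
#define BYTES_THRESHOLD  8192UL   /* hypothetical: largest plausible challenge reply */
#define ADDR_LEN         46

struct client_stat {
    char addr[ADDR_LEN];
    unsigned n407;             /* number of 407 responses seen */
    unsigned long max407;      /* largest 407 reply body in bytes */
};

/* Native format: time elapsed client code/status bytes method url user hier type */
static int parse_line(const char *line, char *addr, size_t addr_sz,
                      int *status, unsigned long *bytes)
{
    double ts; int elapsed; char cl[ADDR_LEN]; char code[64];
    if (sscanf(line, "%lf %d %45s %63s %lu", &ts, &elapsed, cl, code, bytes) != 5)
        return 0;
    const char *slash = strchr(code, '/');       /* "TCP_DENIED/407" */
    if (!slash)
        return 0;
    *status = atoi(slash + 1);
    snprintf(addr, addr_sz, "%s", cl);
    return 1;
}

static struct client_stat *lookup(struct client_stat *tab, int *n, const char *addr)
{
    for (int i = 0; i < *n; i++)
        if (strcmp(tab[i].addr, addr) == 0)
            return &tab[i];
    if (*n >= MAX_CLIENTS)
        return NULL;
    struct client_stat *c = &tab[(*n)++];
    snprintf(c->addr, sizeof c->addr, "%s", addr);
    c->n407 = 0;
    c->max407 = 0;
    return c;
}

/* Scan lines; copy flagged client addresses into flagged[] and return how many. */
int scan_auth_log(const char *const *lines, int nlines, char flagged[][ADDR_LEN], int max_flagged)
{
    struct client_stat tab[MAX_CLIENTS];
    int n = 0, nf = 0;
    for (int i = 0; i < nlines; i++) {
        char addr[ADDR_LEN]; int status; unsigned long bytes;
        if (!parse_line(lines[i], addr, sizeof addr, &status, &bytes) || status != 407)
            continue;
        struct client_stat *c = lookup(tab, &n, addr);
        if (!c)
            continue;
        c->n407++;
        if (bytes > c->max407)
            c->max407 = bytes;
    }
    for (int i = 0; i < n && nf < max_flagged; i++)
        if (tab[i].n407 > COUNT_THRESHOLD || tab[i].max407 > BYTES_THRESHOLD)
            snprintf(flagged[nf++], ADDR_LEN, "%s", tab[i].addr);
    return nf;
}

/* Constructed sample: 10.0.0.5 completes a normal two-step handshake (two small
 * 407s, then a 200); 10.0.0.9 receives an oversized 407 reply. */
static const char *const SAMPLE_LOG[] = {
    "1664964000.101     3 10.0.0.5 TCP_DENIED/407 3250 GET http://intranet.example/ - HIER_NONE/- text/html",
    "1664964000.142     5 10.0.0.5 TCP_DENIED/407 3320 GET http://intranet.example/ - HIER_NONE/- text/html",
    "1664964000.190    40 10.0.0.5 TCP_MISS/200 18240 GET http://intranet.example/ alice HIER_DIRECT/10.1.1.1 text/html",
    "1664964001.003     4 10.0.0.9 TCP_DENIED/407 3260 GET http://intranet.example/ - HIER_NONE/- text/html",
    "1664964001.051     6 10.0.0.9 TCP_DENIED/407 65536 GET http://intranet.example/ - HIER_NONE/- text/html",
};

static char sample_flagged[MAX_CLIENTS][ADDR_LEN];

/* Run the scanner over the constructed sample; returns the flagged count. */
int sample_flagged_count(void)
{
    return scan_auth_log(SAMPLE_LOG, (int)(sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0]),
                         sample_flagged, MAX_CLIENTS);
}

/* Address of the i-th flagged client from the last sample run ("" if none). */
const char *sample_flagged_addr(int i)
{
    return (i >= 0 && i < MAX_CLIENTS && sample_flagged[i][0]) ? sample_flagged[i] : "";
}

int main(void)
{
    int n = sample_flagged_count();
    for (int i = 0; i < n; i++)
        printf("flagged client: %s\n", sample_flagged_addr(i));
    return 0;
}
```

The reply-size signal is the one most directly tied to this advisory's "unusual authentication response sizes" recommendation; the count signal catches a client that repeatedly restarts the handshake. Neither proves exploitation on its own, so treat a hit as a prompt to pull the helper's own logs and the affected connection rather than as a confirmed incident.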
How to Mitigate CVE-2022-41318
Immediate Actions Required
- Upgrade Squid to version 5.7 or later, which contains the official fix
- Apply the appropriate vendor-provided patch for your Squid version
- If upgrading is not immediately possible, consider disabling SSPI and SMB authentication helpers
- Review and audit systems for potential credential exposure if exploitation is suspected
Patch Information
Squid-cache has released patches to address this vulnerability. The fix is included in Squid version 5.7. For systems running older versions, apply the appropriate patch:
- Squid Version 4.x: Apply the Squid Patch for Version 4
- Squid Version 5.x: Apply the Squid Patch for Version 5
Additional details are available in the GitHub Security Advisory GHSA-394c-rr7q-6g78 and the Openwall OSS-Security Email Discussion.
Workarounds
- Disable NTLM authentication and use alternative authentication methods if feasible
- Restrict network access to Squid proxy to trusted clients only using firewall rules
- Implement network segmentation to limit exposure of the vulnerable service
- Monitor authentication traffic closely for signs of exploitation attempts
# Configuration example - Disable NTLM authentication helpers
# In squid.conf, comment out or remove NTLM auth helper configurations:
# auth_param ntlm program /usr/lib/squid/ntlm_smb_lm_auth
# auth_param ntlm children 5
# Alternatively, restrict access to trusted networks only:
acl trusted_networks src 10.0.0.0/8 192.168.0.0/16
http_access allow trusted_networks
http_access deny all
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


