CVE-2023-46724
Summary
Squid versions 3.3.0.1 through 5.9 and 6.0 prior to 6.4, when compiled with `--with-openssl`, are vulnerable to a Denial of Service attack. A remote server can exploit this by sending a specially crafted SSL certificate during a TLS handshake to crash the Squid proxy. The vulnerability affects HTTPS and SSL-Bump configurations and is fixed in Squid version 6.4.
IFF Assessment
This vulnerability allows for a denial of service attack, directly impacting the availability of Squid proxy services.
Severity
Defender Context
This denial of service vulnerability in Squid proxies can disrupt critical network services that rely on Squid for caching and SSL/TLS inspection. Defenders should prioritize upgrading affected Squid instances to version 6.4 or later, or apply the vendor-provided patches, and monitor for unexpected Squid crashes or restarts and for unusual TLS handshakes from upstream servers. The issue highlights the importance of regularly updating and securing proxy infrastructure, especially instances that perform SSL-Bump.
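As an added example (not part of this advisory or of the Squid project), a small Python check that applies the affected-version ranges stated above to `squid -v` output, so a defender can triage an inventory of proxies. It assumes the `Squid Cache: Version` and `configure options:` line format of `squid -v`; the sample outputs below are constructed.

```python
import re
from typing import Optional, Tuple

# Ranges from the advisory, normalised to 4-part tuples:
# 3.3.0.1 .. 5.9 (inclusive) and 6.0 .. 6.4 (upper bound exclusive).
_INCLUSIVE_RANGE = ((3, 3, 0, 1), (5, 9, 0, 0))
_FIXED_BRANCH = ((6, 0, 0, 0), (6, 4, 0, 0))

def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn '5.9', '3.3.0.1' or '6.4-r1' into a zero-padded 4-tuple."""
    m = re.match(r"(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unrecognised Squid version: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple((parts + [0, 0, 0, 0])[:4])  # type: ignore[return-value]

def version_affected(version: str) -> bool:
    """True if the version falls inside the advisory's affected ranges."""
    v = parse_version(version)
    lo, hi = _INCLUSIVE_RANGE
    if lo <= v <= hi:
        return True
    lo, hi = _FIXED_BRANCH
    return lo <= v < hi

def parse_squid_v(output: str) -> Tuple[Optional[str], bool]:
    """Extract the version string and whether the build used --with-openssl."""
    version, with_openssl = None, False
    for line in output.splitlines():
        m = re.match(r"Squid Cache: Version\s+(\S+)", line)
        if m:
            version = m.group(1)
        if line.startswith("configure options:"):
            # The advisory scopes the bug to OpenSSL builds; GnuTLS-only builds are out of scope.
            with_openssl = "--with-openssl" in line
    return version, with_openssl

def is_vulnerable(squid_v_output: str) -> bool:
    """Combine both conditions: affected version AND compiled with OpenSSL."""
    version, with_openssl = parse_squid_v(squid_v_output)
    return version is not None and with_openssl and version_affected(version)

# Constructed sample outputs (hypothetical, not captured from real hosts).
SAMPLE_VULNERABLE = "Squid Cache: Version 5.7\nService Name: squid\nconfigure options:  '--prefix=/usr' '--with-openssl' '--enable-ssl-crtd'\n"
SAMPLE_FIXED = "Squid Cache: Version 6.4\nService Name: squid\nconfigure options:  '--prefix=/usr' '--with-openssl'\n"
SAMPLE_GNUTLS = "Squid Cache: Version 5.7\nService Name: squid\nconfigure options:  '--prefix=/usr' '--with-gnutls'\n"
```

Running `is_vulnerable()` over saved `squid -v` output from each proxy gives a quick first-pass list of hosts that still need the 6.4 upgrade.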