CVE-2020-8517: 
Squid vulnerability analysis and mitigation

An issue was discovered in Squid before version 4.10 (CVE-2020-8517). Due to incorrect input validation, the NTLM authentication credentials parser in ext_lm_group_acl may write to memory outside the credentials buffer. The vulnerability was discovered and reported on February 2, 2020, affecting multiple versions including Squid 2.x through 2.7.STABLE9, Squid 3.x through 3.5.28, and Squid 4.x through 4.9 (Squid Advisory).

The vulnerability stems from incorrect buffer management in the ext_lm_group_acl component when processing NTLM Authentication credentials. The issue occurs specifically in the NTLM authentication credentials parser, which can write to memory outside the designated credentials buffer. This vulnerability has been assigned a CVSS v3.1 score of 7.5 (HIGH) with the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NetApp Advisory).

On systems with memory access protections, this vulnerability can result in the helper process being terminated unexpectedly, which leads to the Squid process also terminating. This causes a denial of service condition affecting all clients using the proxy (Squid Advisory).

There are two possible workarounds: either remove 'auth_param NTLM ...' configuration settings from squid.conf, or use ext_lm_group_acl binary built from Squid-4.10 or later versions. The vulnerability has been fixed in Squid version 4.10. Users are advised to upgrade to this version or apply appropriate patches for their specific version (Squid Advisory).