
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2021-28116 affects Squid versions through 4.14 and 5.x through 5.0.5. The vulnerability is an information disclosure issue caused by an out-of-bounds read in WCCP (Web Cache Communication Protocol) protocol data. The vulnerability was discovered by Lyu working with Trend Micro Zero Day Initiative and was fixed by Amos Jeffries of Treehouse Networks Ltd (ZDI Advisory, GitHub Advisory).
The vulnerability stems from improper validation of user-supplied data in the WCCP protocol handling, which can result in a read past the end of an allocated buffer. The issue has been assigned a CVSS v3.1 base score of 5.3 (MEDIUM) by NVD with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, while MITRE assigned a score of 3.7 (LOW) with vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N (NVD).
The vulnerability allows a WCCPv2 sender to corrupt Squid's list of known WCCP routers and potentially divert client traffic to attacker-controlled routers. This can lead to information disclosure and could be leveraged as part of a chain for remote code execution as the 'nobody' user. The attack is limited to Squid proxy installations with WCCPv2 enabled and requires the ability to spoof IP addresses of trusted routers configured in squid.conf (GitHub Advisory).
Several mitigation options are available:
1) Use private IP addresses for control communications with routers.
2) Restrict UDP traffic on port 2048 and the other WCCP control message ports at the firewall.
3) Implement BCP 38 anti-spoofing protection, including for LAN traffic.
4) Build Squid with --disable-wccpv2.
5) Remove all wccp2_* directives from squid.conf.
The vulnerability is fixed in Squid versions 4.17 and 5.2 (GitHub Advisory).
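The check a defender would run against mitigation 5 and the fixed-version statement above, as an added example that is not part of the advisory or of the Squid project: it lists active wccp2_* directives in a squid.conf, compares a Squid version string against the fixed versions the advisory names (4.17 and 5.2), and reports whether the host still needs attention. The sample squid.conf fragment, the function names and the use of mktemp are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the advisory): audit a squid.conf for WCCPv2 directives
# and decide whether the running Squid version already contains the fix
# (fixed in 4.17 and 5.2 per the advisory).

# Constructed sample squid.conf fragment, written to a temp file so the
# example runs offline. A commented-out directive is deliberately included
# to show that it is not counted as active.
SAMPLE_CONF="$(mktemp)"
cat > "$SAMPLE_CONF" <<'EOF'
http_port 3128
# WCCPv2 control channel to the upstream router
wccp2_router 10.0.0.1
wccp2_forwarding_method gre
wccp2_return_method gre
wccp2_service standard 0
# wccp2_service dynamic 80
EOF

# Print the active (uncommented) wccp2_* directives in the given config file.
list_wccp2_directives() {
    grep -E '^[[:space:]]*wccp2_' "$1" | sed 's/^[[:space:]]*//'
}

# Exit 0 if at least one wccp2_* directive is active, 1 otherwise.
wccp2_enabled() {
    list_wccp2_directives "$1" | grep -q .
}

# Exit 0 if the Squid version string (e.g. "4.14", "5.0.5", "5.2") is at or
# above a fixed release: 4.17+ on the 4.x branch, 5.2+ on the 5.x branch,
# or any later major version.
version_fixed() {
    major=$(printf '%s\n' "$1" | cut -d. -f1)
    minor=$(printf '%s\n' "$1" | cut -s -d. -f2)
    minor=${minor:-0}
    case "$major" in
        4) [ "$minor" -ge 17 ] ;;
        5) [ "$minor" -ge 2 ] ;;
        *) [ "$major" -gt 5 ] ;;
    esac
}

# Combine both checks. Exit 0 when no action is needed, 1 when WCCPv2 is
# configured on a version that does not contain the fix.
wccp_exposure() {
    conf="$1"
    ver="$2"
    if ! wccp2_enabled "$conf"; then
        echo "ok: no active wccp2_* directives in $conf"
        return 0
    fi
    if version_fixed "$ver"; then
        echo "ok: WCCPv2 configured but Squid $ver contains the fix"
        return 0
    fi
    echo "exposed: Squid $ver with WCCPv2 enabled; active directives:"
    list_wccp2_directives "$conf" | sed 's/^/  /'
    return 1
}

# Demonstration run against the constructed config and an affected version.
# On a real host, pass the live squid.conf and the output of `squid -v`.
wccp_exposure "$SAMPLE_CONF" "5.0.5" || true
```

The firewall restriction on UDP port 2048 (mitigation 2) is a network control and is not covered by this config audit; the script only tells you whether the directives and the version leave the WCCPv2 code path reachable.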
Source: This report was generated using AI