
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2023-46724 affects Squid, a caching proxy for the Web. It is present in Squid versions 3.3.0.1 through 5.9 and 6.0 prior to 6.4 when the build was configured with --with-openssl; builds without OpenSSL support are not affected. The issue was disclosed in November 2023 and is an Improper Validation of Specified Index bug in Squid's SSL certificate validation code (Vendor Advisory).
The vulnerability received a CVSS v3.1 base score of 8.6 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H: reachable over the network, no privileges or user interaction required, no confidentiality or integrity impact, and a high availability impact whose scope extends beyond the vulnerable component because an outage of the proxy affects every client behind it. Only installations compiled with SSL support via the --with-openssl configure option are exposed (Vendor Advisory).
When exploited, the bug lets a remote server perform a Denial of Service (DoS) attack against the Squid proxy. The attack is limited to HTTPS and SSL-Bump operations: when Squid bumps a client's TLS connection it performs its own TLS handshake with the origin server and validates that server's certificate chain, and a server that presents a specially crafted certificate in its chain triggers the fault. Because the impact is against the proxy itself rather than a single session, one malicious server can deny service to all of the proxy's users, and in a forward-proxy deployment any client able to make the proxy bump a connection to a server under the attacker's control can set this off. A proxy that only tunnels CONNECT requests without bumping never validates the origin server's certificate, so this code path is not reachable (Vendor Advisory).
There are two mitigation options: 1) disable SSL-Bump by removing every ssl-bump option from the http_port and https_port lines and every ssl_bump directive from squid.conf, then reload Squid; or 2) rebuild Squid using --without-openssl, since builds that do not use OpenSSL are not affected. The vulnerability is fixed in Squid version 6.4, and patches for the stable releases are available in the Squid patch archives (Vendor Advisory).
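The following script is an added example, not code from the Squid project or the vendor advisory. It audits a host for the two conditions this CVE needs (an affected Squid version built --with-openssl, and SSL-Bump still enabled in squid.conf) and shows a vulnerable config fragment beside the same fragment with the first workaround applied. The `squid -v` output and both config fragments are constructed samples; the version parsing assumes the "Squid Cache: Version X.Y" first line that `squid -v` prints.

```shell
#!/bin/sh
# Added example, not part of Squid or the advisory: check the preconditions
# for CVE-2023-46724 on a host. All sample inputs below are constructed.

# Extract the version number from the first line of `squid -v` output.
squid_version_from_v() {
    printf '%s\n' "$1" | sed -n 's/^Squid Cache: Version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# True (exit 0) when the configure options recorded by `squid -v`
# include --with-openssl. GnuTLS or no-TLS builds fail this check.
squid_built_with_openssl() {
    printf '%s\n' "$1" | grep -q -- '--with-openssl'
}

# True when major.minor falls in the advisory's affected ranges:
# 3.3.0.1 through 5.9, or 6.0 up to but not including 6.4.
squid_version_affected() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    case "$major" in
        3)   [ "$minor" -ge 3 ] ;;
        4|5) return 0 ;;
        6)   [ "$minor" -lt 4 ] ;;
        *)   return 1 ;;
    esac
}

# True when squid.conf (comments stripped) still enables SSL-Bump, either via
# an ssl-bump option on an http_port/https_port line or via an ssl_bump
# directive. Both must be gone for the advisory's first workaround to apply.
squid_sslbump_enabled() {
    sed 's/#.*//' "$1" | grep -Eq \
        '^[[:space:]]*(https?_port[[:space:]].*[[:space:]]ssl-bump([[:space:]]|$)|ssl_bump[[:space:]])'
}

# Overall verdict: exit 0 = exposed, 1 = not exposed.
# $1 = `squid -v` output, $2 = path to squid.conf
squid_cve_2023_46724_exposed() {
    v=$(squid_version_from_v "$1")
    [ -n "$v" ] && squid_version_affected "$v" \
        && squid_built_with_openssl "$1" && squid_sslbump_enabled "$2"
}

# Constructed `squid -v` output for a vulnerable build.
SAMPLE_SQUID_V="Squid Cache: Version 5.9
Service Name: squid
configure options:  '--prefix=/usr' '--with-openssl' '--enable-ssl-crtd'"

# Constructed squid.conf fragment with SSL-Bump enabled (the weak setting).
VULN_CONF="http_port 3128 ssl-bump cert=/etc/squid/bump.pem generate-host-certificates=on
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all"

# The same fragment with the workaround applied: ssl-bump dropped from
# http_port and every ssl_bump directive commented out.
SAFE_CONF="http_port 3128
acl step1 at_step SslBump1
# ssl_bump peek step1
# ssl_bump bump all"

# Stand-alone demo: write each sample config to a temp file and report.
demo_one() {
    tmp=$(mktemp)
    printf '%s\n' "$2" > "$tmp"
    if squid_cve_2023_46724_exposed "$SAMPLE_SQUID_V" "$tmp"; then
        echo "$1: exposed (affected version, --with-openssl, SSL-Bump on)"
    else
        echo "$1: not exposed"
    fi
    rm -f "$tmp"
}
demo_one "ssl-bump config" "$VULN_CONF"
demo_one "hardened config" "$SAFE_CONF"
```

On a real host, feed it `squid -v` output and the live config, e.g. `squid_cve_2023_46724_exposed "$(squid -v)" /etc/squid/squid.conf`. The check is deliberately conservative on the version test (it only looks at major.minor), so a distribution package that backported the fix under an affected version number will still be reported as exposed; confirm against the vendor's changelog in that case.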
Source: This report was generated using AI