CVE-2023-46728: 
Squid vulnerability analysis and mitigation

CVE-2023-46728 affects Squid, a high-performance proxy caching server for web clients. Due to a NULL pointer dereference bug, Squid versions prior to 6.0.1 are vulnerable to a Denial of Service attack against Squid's Gopher gateway. The vulnerability was discovered in September 2023, with the gopher protocol being always available and enabled in affected versions (GitHub Advisory).

The vulnerability stems from a NULL pointer dereference in the gopher protocol code. It has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating that it can be exploited remotely with low attack complexity and requires no privileges or user interaction (NVD).

Successful exploitation of this vulnerability can lead to a Denial of Service (DoS) condition. The vulnerability is particularly concerning as responses triggering this bug can be received from any gopher server, even those without malicious intent (GitHub Advisory).

The primary mitigation is to upgrade to Squid version 6.0.1 or later, where gopher support has been completely removed. For users unable to upgrade, a workaround is available by rejecting all gopher URL requests using the configuration: 'acl gopher proto gopher' followed by 'httpaccess deny gopher'. This configuration must be placed above any lines starting with 'httpaccess allow' (GitHub Advisory).

The vulnerability has prompted various organizations to take action. Red Hat and Fedora have released security updates to address this vulnerability along with other security issues. NetApp has also issued an advisory for their products that incorporate Squid (Red Hat Advisory, NetApp Advisory).