
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2024-25617 (SQUID-2024:2) affects Squid, an open source caching proxy for the Web supporting HTTP, HTTPS, and FTP. The vulnerability was discovered by Joshua Rogers of Opera Software and was disclosed on February 14, 2024. This vulnerability affects Squid versions prior to 6.5 and is related to a Collapse of Data into Unsafe Value bug in HTTP header parsing (GitHub Advisory).
The vulnerability stems from improper handling of HTTP header parsing when dealing with oversized headers in HTTP messages. The issue occurs when the request_header_max_size or reply_header_max_size settings are left at their default values (64 KB) in versions prior to 6.5. The vulnerability has received a CVSS v3.1 base score of 7.5 HIGH with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H according to NVD assessment (NVD).
When successfully exploited, this vulnerability can lead to a Denial of Service (DoS) condition. The attack can be initiated by either a remote client or a remote server sending oversized headers in HTTP messages, potentially affecting the availability of the Squid proxy service (GitHub Advisory).
For Squid versions older than 6.5, administrators can mitigate the vulnerability by adding the following configuration to squid.conf: request_header_max_size 21 KB and reply_header_max_size 21 KB. For Squid 6.5 and later, the default settings are safe, but administrators should remove any custom request_header_max_size and reply_header_max_size configurations from squid.conf. The vulnerability is fully patched in Squid version 6.5 (GitHub Advisory).
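The mitigation guidance above can be turned into a configuration check. The Python below is an added example, not part of this database entry or of the Squid project; it assumes the Squid version string and the text of squid.conf are available to it, and the size units other than "KB" are an assumption, since the advisory only shows "21 KB".

```python
import re
from typing import Dict, List, Optional, Tuple

# Directives named in the SQUID-2024:2 advisory and the ceiling it recommends for pre-6.5 builds.
HEADER_DIRECTIVES = ("request_header_max_size", "reply_header_max_size")
SAFE_LIMIT_BYTES = 21 * 1024   # "21 KB" in the advisory
FIXED_VERSION = (6, 5)         # first release whose defaults are safe
# Assumed unit multipliers; the advisory itself only shows "KB".
_UNITS = {"bytes": 1, "kb": 1024, "mb": 1024 * 1024}

def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '6.4' or '5.9.1' into a comparable tuple of ints."""
    return tuple(int(p) for p in re.findall(r"\d+", version)[:3])

def parse_size(value: str) -> Optional[int]:
    """Convert '21 KB', '21KB' or '65536 bytes' to bytes; None if unrecognised."""
    m = re.fullmatch(r"\s*(\d+)\s*([A-Za-z]+)?\s*", value)
    if not m:
        return None
    unit = (m.group(2) or "bytes").lower()
    return int(m.group(1)) * _UNITS[unit] if unit in _UNITS else None

def header_limits(conf_text: str) -> Dict[str, Optional[int]]:
    """Last effective value (bytes) of each header-size directive; '#' comments are ignored."""
    found: Dict[str, Optional[int]] = {}
    for raw in conf_text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if parts and parts[0] in HEADER_DIRECTIVES:
            found[parts[0]] = parse_size(parts[1]) if len(parts) == 2 else None
    return found

def assess(version: str, conf_text: str) -> Tuple[str, str]:
    """Classify a (version, squid.conf) pair as patched, mitigated or vulnerable, with the reason."""
    limits = header_limits(conf_text)
    if parse_version(version) >= FIXED_VERSION:
        note = "; remove the custom header-size directives" if limits else ""
        return "patched", "defaults are safe" + note
    problems: List[str] = []
    for d in HEADER_DIRECTIVES:
        if d not in limits:
            problems.append(f"{d} not set (64 KB default applies)")
        elif limits[d] is None:
            problems.append(f"{d} has an unrecognised value")
        elif limits[d] > SAFE_LIMIT_BYTES:
            problems.append(f"{d} is {limits[d]} bytes, above 21 KB")
    if problems:
        return "vulnerable", "; ".join(problems)
    return "mitigated", "both header-size directives are capped at 21 KB"
```

Running assess("6.4", open("/etc/squid/squid.conf").read()) on a constructed config that lowers only request_header_max_size reports "vulnerable" and names the directive still at its 64 KB default.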
Various vendors have responded to this vulnerability by releasing security advisories and patches. Red Hat has classified this as an Important security issue and released updates for affected versions (Red Hat Advisory). NetApp has also acknowledged the vulnerability in their BlueXP product and released fixes in version 3.9.39 (NetApp Advisory).
Source: This report was generated using AI