
Squid vulnerability allows remote attackers to launch DoS attacks

February 18, 2016

Squid, a Unix-based caching proxy, has patched a flaw in its handling of server errors. The vulnerability (CVE-2016-2390) allowed remote attackers to launch a denial-of-service (DoS) attack when the proxy connected to TLS or SSL servers. The flaw affects Linux and UNIX systems running Squid versions 3.5.13, 4.0.4, or 4.0.5.

“This problem allows any trusted client to perform a denial of service attack on the Squid service regardless of whether TLS or SSL is configured for use in the proxy,” according to a security advisory released by the company. “However, the bug is exploitable only if Squid is built using the --with-openssl option.”

Several workarounds are available. Users who deny service for https:// URLs entirely, at the top of the squid.conf http_access rules, are not affected by the vulnerability. Users can also avoid the issue by relaying outgoing HTTPS traffic through a non-vulnerable proxy, unless the SSL-bump splice feature is in use. Simpler attacks can be blocked by refusing service on irregular HTTPS ports.
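The three workarounds above, as a squid.conf fragment constructed for this article (it is not the text of the Squid advisory); the `https_urls` ACL name and the `upstream-proxy.example.internal:3128` parent are assumed placeholders, and the `SSL_ports` lines mirror what the default squid.conf already ships:

```conf
# Constructed squid.conf fragment (added example, not from the Squid advisory).
# http_access rules are evaluated top to bottom, so place these before the
# existing allow rules.

# Workaround 1: refuse service for https:// URLs entirely.
acl https_urls proto HTTPS
http_access deny https_urls

# Workaround 2: refuse CONNECT tunnels to any port other than the standard
# HTTPS port, which blocks the simpler attacks via irregular HTTPS ports.
acl SSL_ports port 443
http_access deny CONNECT !SSL_ports

# Workaround 3: relay outgoing HTTPS through a non-vulnerable parent proxy
# instead of letting this Squid open the TLS connection itself.
# Hostname and port are placeholders; not applicable with ssl_bump splice.
cache_peer upstream-proxy.example.internal parent 3128 0 no-query default
never_direct allow https_urls
```

Workarounds 1 and 3 are mutually exclusive in practice: a deployment either refuses https:// URLs or forwards them to the parent, so keep only the one that fits the site.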
