CVE-2020-24606
First published: Mon Aug 24 2020(Updated: )
Squid before 4.13 and 5.x before 5.0.4 allows a trusted peer to perform Denial of Service by consuming all available CPU cycles during handling of a crafted Cache Digest response message. This only occurs when cache_peer is used with the cache digests feature. The problem exists because peerDigestHandleReply() livelocking in peer_digest.cc mishandles EOF.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/squid | <=4.6-1<=4.12-1<=4.6-1+deb10u3 | 4.13-1 4.6-1+deb10u4 |
| Squid-Cache Squid | >=3.0<4.13 | |
| Squid-Cache Squid | >=5.0.1<5.0.4 | |
| Canonical Ubuntu Linux | =16.04 | |
| Canonical Ubuntu Linux | =18.04 | |
| Canonical Ubuntu Linux | =20.04 | |
| Debian Debian Linux | =9.0 | |
| Debian Debian Linux | =10.0 | |
| Fedoraproject Fedora | =31 | |
| Fedoraproject Fedora | =32 | |
| Fedoraproject Fedora | =33 | |
| openSUSE Leap | =15.1 | |
| openSUSE Leap | =15.2 | |
| IBM Security Guardium | <=10.5 | |
| IBM Security Guardium | <=10.6 | |
| IBM Security Guardium | <=11.0 | |
| IBM Security Guardium | <=11.1 | |
| IBM Security Guardium | <=11.2 | |
| IBM Security Guardium | <=11.3 | |
| ubuntu/squid | <4.10-1ubuntu1.2 | 4.10-1ubuntu1.2 |
| ubuntu/squid | <4.13-1ubuntu1 | 4.13-1ubuntu1 |
| ubuntu/squid | <4.13-1ubuntu1 | 4.13-1ubuntu1 |
| ubuntu/squid3 | <3.5.27-1ubuntu1.9 | 3.5.27-1ubuntu1.9 |
| ubuntu/squid3 | <3.5.12-1ubuntu7.15 | 3.5.12-1ubuntu7.15 |
| debian/squid | 4.6-1+deb10u7 4.6-1+deb10u10 4.13-10+deb11u2 4.13-10+deb11u3 5.7-2 5.7-2+deb12u1 6.6-1 6.9-1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/squid-cache/squid/security/advisories/GHSA-vvj7-xjgq-g2jg
- http://www.squid-cache.org/Versions/v4/changesets/SQUID-2020_9.patch
- https://security-tracker.debian.org/tracker/CVE-2020-15811
- https://security-tracker.debian.org/tracker/CVE-2020-15810
- https://security-tracker.debian.org/tracker/CVE-2020-24606
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=968933
- http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00012.html
- http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00017.html
- https://lists.debian.org/debian-lts-announce/2020/10/msg00005.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BE6FKUN7IGTIR2MEEMWYDT7N5EJJLZI2/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BMTFLVB7GLRF2CKGFPZ4G4R5DIIPHWI3/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HJJDI7JQFGQLVNCKMVY64LAFMKERAOK7/
- https://security.netapp.com/advisory/ntap-20210219-0007/
- https://security.netapp.com/advisory/ntap-20210226-0006/
- https://security.netapp.com/advisory/ntap-20210226-0007/
- https://usn.ubuntu.com/4477-1/
- https://usn.ubuntu.com/4551-1/
- https://www.debian.org/security/2020/dsa-4751
- https://launchpad.net/bugs/cve/CVE-2020-24606
- https://exchange.xforce.ibmcloud.com/vulnerabilities/187152
- https://www.ibm.com/support/pages/node/6455281 (Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BE6FKUN7IGTIR2MEEMWYDT7N5EJJLZI2/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BMTFLVB7GLRF2CKGFPZ4G4R5DIIPHWI3/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HJJDI7JQFGQLVNCKMVY64LAFMKERAOK7/
- https://ubuntu.com/security/notices/USN-4477-1
- https://ubuntu.com/security/notices/USN-4551-1
- https://www.cve.org/CVERecord?id=CVE-2020-24606
- https://nvd.nist.gov/vuln/detail/CVE-2020-24606
- https://ubuntu.com/security/CVE-2020-24606
Frequently Asked Questions
What is CVE-2020-24606?
CVE-2020-24606 is a vulnerability in Squid, a cache proxy server, that allows a trusted peer to perform a Denial of Service attack by consuming all available CPU cycles.
Which versions of Squid are affected by CVE-2020-24606?
Squid versions before 4.13 and 5.x before 5.0.4 are affected by CVE-2020-24606.
How severe is CVE-2020-24606?
CVE-2020-24606 has a severity rating of 8.6 (high).
What is the recommended fix for CVE-2020-24606?
To fix CVE-2020-24606, it is recommended to update Squid to version 4.13 or 5.0.4 or later.
Where can I find more information about CVE-2020-24606?
More information about CVE-2020-24606 can be found on the official Squid website and the OpenSUSE security announcements.
- collector/debian-bugs
- alias/CVE-2020-24606
- collector/nvd-index
- agent/type
- agent/last-modified-date
- agent/first-publish-date
- collector/launchpad-cve
- source/Launchpad
- collector/ibm-support
- agent/software-canonical-lookup-request
- agent/author
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup
- agent/remedy
- agent/weakness
- agent/severity
- agent/references
- agent/tags
- agent/event
- agent/description
- collector/security-tracker-debian
- source/Debian
- agent/softwarecombine
- collector/usn-cve
- source/Ubuntu
- package-manager/debian
- vendor/squid-cache
- canonical/squid-cache squid
- version/squid-cache squid/3.0
- version/squid-cache squid/5.0.1
- vendor/canonical
- canonical/canonical ubuntu linux
- version/canonical ubuntu linux/16.04
- version/canonical ubuntu linux/18.04
- version/canonical ubuntu linux/20.04
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/9.0
- version/debian debian linux/10.0
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/31
- version/fedoraproject fedora/32
- version/fedoraproject fedora/33
- vendor/opensuse
- canonical/opensuse leap
- version/opensuse leap/15.1
- version/opensuse leap/15.2
- vendor/ibm
- canonical/ibm security guardium
- version/ibm security guardium/10.5
- version/ibm security guardium/10.6
- version/ibm security guardium/11.0
- version/ibm security guardium/11.1
- version/ibm security guardium/11.2
- version/ibm security guardium/11.3
- package-manager/ubuntu