Researchers have identified a critical vulnerability in Squid Proxy, known as Squidbleed, which has existed since 1997. The flaw, discovered with the help of Anthropic’s Claude Mythos Preview AI, poses a significant security risk: when exploited, it can leak other users’ HTTP request headers, which may contain credentials such as passwords and API keys.
Discovery of the Squidbleed Vulnerability
The Squidbleed vulnerability affects all default-configured versions of Squid Proxy and remained undetected for nearly 30 years. It originates from a flaw in Squid’s FTP directory listing parser that leads to a heap buffer overread, allowing the proxy to inadvertently include another user’s HTTP request data in an FTP directory listing response.
The vulnerability traces back to a code commit from January 1997 intended to accommodate NetWare FTP servers. The issue is a while loop that does not check for the string’s null terminator, so it keeps reading memory beyond the end of the allocated buffer.
Technical Details and Exploitation
The Squidbleed vulnerability results in a confirmed heap overread of up to 4,065 bytes. The leaked data comes from a 4KB buffer that, once freed, may be reused without being zeroed, so it still holds a previous user’s data when the parser reads past the end of the current string. An attacker could trigger the overread by controlling an FTP server and crafting a directory listing that the proxy then parses.
For the attack to succeed, FTP support must be active, and the attacker’s server must be accessible via TCP port 21 through the proxy. Additionally, the victim’s traffic must be cleartext HTTP for the data to be exposed.
Mitigation and AI’s Role in Discovery
To mitigate the risk, a one-line patch has been introduced that checks for the null terminator before continuing to process the string. Administrators are advised to disable FTP support unless absolutely necessary, given its reduced relevance in modern web traffic.
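To make the bug class concrete, the following is an added, constructed C illustration (not Squid’s actual parser code) of a listing-token scanner that stops only at whitespace and therefore keeps reading past the null terminator, beside the hardened form with the terminator check; the overread_bytes helper models the recycled, un-zeroed heap buffer described above, with the stale bytes and the listing line both constructed here.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Constructed illustration of the bug class only; this is not Squid's parser. */

/* Vulnerable scanner: the loop stops only at whitespace, so a token that ends
 * at the NUL terminator is never detected and scanning runs into the bytes
 * that follow the string inside the heap block. */
size_t token_len_unsafe(const char *p)
{
    size_t n = 0;
    while (!isspace((unsigned char)p[n]))
        n++;
    return n;
}

/* Hardened scanner: the one-line style of fix, checking the terminator first. */
size_t token_len_safe(const char *p)
{
    size_t n = 0;
    while (p[n] != '\0' && !isspace((unsigned char)p[n]))
        n++;
    return n;
}

/* Model of a recycled, un-zeroed buffer: stale bytes from an earlier request
 * sit right after the current listing line. Returns how many bytes past the
 * line's own length the given scanner reads (0 means no overread). */
size_t overread_bytes(size_t (*scan)(const char *))
{
    enum { BUF = 64 };
    char *buf = malloc(BUF);
    if (!buf) return 0;
    memset(buf, 'A', BUF);      /* stale data left behind (constructed) */
    buf[40] = ' ';              /* first whitespace in the stale region */
    buf[BUF - 1] = '\0';        /* keeps the demo inside the allocation */
    memcpy(buf, "file.txt", 9); /* current line: 8 chars plus its NUL */
    size_t n = scan(buf) - strlen(buf);
    free(buf);
    return n;
}
```

With the constructed buffer the unsafe scanner reports a 40-byte token for an 8-character line, i.e. 32 bytes of stale data, while the hardened scanner stops at the terminator.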
This discovery highlights the potential of AI in security audits, as the AI model identified the subtle issue quickly. It follows a trend of AI-assisted identification of vulnerabilities, as seen with a previous HTTP/2 flaw discovered using similar methods.
As AI continues to play a pivotal role in cybersecurity, researchers and administrators are encouraged to adopt these technologies to enhance security measures and promptly address vulnerabilities.
