Quick Takeaways
- An attacker already authorized on a shared proxy can exploit the Squidbleed bug (CVE-2026-47729) to leak sensitive cleartext HTTP requests, including credentials and session tokens, by abusing a null-terminated string parsing flaw in the FTP directory-listing code.
- The exploit requires the attacker to control an FTP server that the proxy reaches on port 21, sending specially crafted directory listings that cause memory over-reads, potentially exposing victim data from the proxy’s memory buffers.
- The primary impact is a confidentiality breach, with no known attacks affecting integrity or availability; remediation is to install a patched build, which adds a null-terminator check before the vulnerable code, or to disable FTP support altogether and remove the attack surface.
Threat, Attack Techniques, and Targets
The vulnerability, named Squidbleed, affects the Squid web proxy. It results from a bug in how Squid parses FTP directory listings. Attackers who already have access to a shared proxy can exploit this flaw. They can leak other users’ cleartext HTTP requests, including credentials and session tokens. This happens because the bug allows memory over-read, exposing sensitive data.
The attack requires the attacker to control an FTP server. Both FTP and port 21 are enabled by default on most setups. The attacker’s FTP server must send specially crafted directory listings that end right after the timestamp with no filename. This causes Squid to read beyond the intended buffer and leak data from memory. The attack only impacts traffic that Squid can read, which excludes HTTPS traffic.
This threat mostly targets environments like schools, offices, and public Wi-Fi networks. In such environments, multiple users share the same proxy, enabling trusted users to exploit the vulnerability against each other.
Impact, Security Implications, and Remediation Guidance
The main impact is the potential leak of cleartext HTTP requests, which may contain sensitive information such as credentials and session tokens. The vulnerability affects only certain configurations, so the overall risk is moderate. Because the flaw can only be exploited by users already trusted to use the proxy, it is not directly exploitable by external attackers.
To fix this issue, organizations should verify that their Squid version includes the proper patch. The fix involves adding a null-terminator check before the vulnerable code. The patch has been integrated into recent Squid versions, specifically in 7.6 and 7.7. It is recommended to confirm the patched version or check the specific build from your distribution.
The safest measure, according to researchers, is to disable FTP support entirely. Since most networks do not rely heavily on FTP, disabling it can eliminate this attack surface. For further guidance, users should consult their vendor or the official Squid documentation for instructions on applying the fix or disabling FTP.
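As an added illustration of the failure mode described above (a listing line that ends right after the timestamp, with no filename) and of the null-terminator check the patch adds, the following is a simplified C model written for this summary. It is not Squid's code: the listing format, the field count, the parser structure and the adjacent cleartext request placed in the buffer are all constructed assumptions used to show the bug class and its fix.

```c
#include <stddef.h>
#include <string.h>

#define FIELDS_BEFORE_NAME 8   /* perms links owner group size month day time */

/* Constructed stand-in for proxy memory (not real Squid data): a listing line
 * that ends right after the timestamp with no filename, its terminator, and
 * an unrelated cleartext request that happens to sit right behind it. */
static const char PROXY_MEMORY[] =
    "-rw-r--r-- 1 ftp ftp 42 Jan 01 12:00" "\0"
    "GET /login?session=SECRET123 HTTP/1.1";

/* Step over the fixed fields that precede the filename. Returns a pointer to
 * the separator after the timestamp, or to the '\0' if the line ended there. */
static const char *skip_fields(const char *p) {
    for (int i = 0; i < FIELDS_BEFORE_NAME; i++) {
        while (*p == ' ') p++;
        while (*p && *p != ' ') p++;
    }
    return p;
}

/* Copy the remainder of a line (filenames may contain spaces) into out. */
static void copy_rest(const char *p, char *out, size_t out_len) {
    size_t i = 0;
    while (*p == ' ') p++;
    while (*p && *p != '\n' && i + 1 < out_len) out[i++] = *p++;
    out[i] = '\0';
}

/* Vulnerable model: steps over the separator unconditionally. On a line
 * with no filename, p already points at '\0', so p + 1 is past the end of
 * the string and the "filename" is read out of neighbouring memory. */
int parse_name_vulnerable(const char *line, char *out, size_t out_len) {
    const char *p = skip_fields(line);
    copy_rest(p + 1, out, out_len);   /* BUG: no check that *p != '\0' */
    return 0;
}

/* Hardened model: the null-terminator check rejects a line that ends
 * before the filename field instead of reading past it. */
int parse_name_fixed(const char *line, char *out, size_t out_len) {
    const char *p = skip_fields(line);
    if (*p == '\0') { out[0] = '\0'; return -1; }
    copy_rest(p + 1, out, out_len);
    return 0;
}
```

Running the vulnerable parser over the constructed buffer returns the neighbouring request text as the "filename"; the fixed parser returns an error and an empty name, while still parsing a well-formed line with a filename normally.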
