Tsinghua University postgraduate student Jianjun Chen has reported a critical cache poisoning vulnerability in the Squid proxy server, a transparent cache widely deployed by internet service providers.
The vulnerability allows attackers to compromise connections using a maliciously-crafted packet. A patch has been produced for daily versions but not yet distributed for regular builds, according to researchers.
Chen says the attack can be executed against versions 3.5.12 and below using malicious Flash advertisements.
"The attack enables cache poisoning of ANY unencrypted HTTP website," Chen says.
"The scenario requires an attacker who can send HTTP requests that pass through a shared transparent cache controlled by the attacker" before hitting a victim site. It's not hard to stage the attack as "... attackers can readily obtain the necessary vantage point using techniques such as web ads."
Researchers at Positive Security say the attack is severe adding that many internet providers use Squid as a transparent proxy. Here's their worries, writ large:
"For successful exploitation, an attacker must be able to send requests to some website (like attack.com) through the proxy server. Under this scenario, the attacker first establishes a TCP connection with the attack.com web server. As far as Squid works in transparent proxy mode, these requests are intercepted and transmitted further. At the next stage, the attacker initiates the following HTTP request:
GET http://victim.com/ HTTP/1.1 Host: attack.com
The cache module uses the host address from the request string (victim.com) to create the key; however, the verification module uses the Host header (attack.com) to check the communication between the host and the IP address. This is what makes the attack possible.