Fix Squid proxy vulnerabilities (CVE-2025-59362) on Ubuntu, Rocky, SUSE. Bash script + iptables workaround. Download free hardening checklist.
A short historical note: in April 2026, a series of Squid vulnerabilities (including CVE-2025-59362, CVE-2025-62168, and three new DoS flaws) was disclosed. If you still run Squid as a forward or reverse proxy, the fixes below remain the standard procedure for years to come.
1. How to check if you are vulnerable
Run these commands on your proxy server.
Ubuntu / Debian:
# Check Squid version
squid -v | grep "Version"

# Check for backported patch (Ubuntu USN-8157-1)
apt list --installed 2>/dev/null | grep squid

# Test for SNMP OID crash (CVE-2025-59362)
squid -k check && echo "Config OK" || echo "Config error - but does not prove patch presence"
Rocky Linux / AlmaLinux / RHEL:
# Check version and build
rpm -q squid

# See if patch is applied (look for CVE numbers in changelog)
rpm -q --changelog squid | grep -E "CVE-2025-59362|CVE-2025-62168"
SUSE Linux Enterprise / openSUSE:
# Check package version
zypper info squid

# Inspect patch status
zypper patches | grep squid
Manual check for the ICP crash (CVE-2026-33526):
Look in /var/log/squid/cache.log for repeated lines containing WARNING: ICP response with invalid length. If they are there, you are vulnerable.
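The manual log check above can be scripted so it runs from cron or a monitoring agent. The following is an added example (not part of the original post): it counts the ICP warning lines in a cache.log, lists the days on which they appeared, and returns a one-word verdict. The sample log embedded below is constructed for the demo (the timestamps and the kid1| prefix are made up to resemble Squid's cache.log layout); on a real proxy, call the functions on /var/log/squid/cache.log instead.

```shell
#!/bin/bash
# Added example: detect the ICP length warning described in the post.
# Not Squid's own tooling; the log lines below are constructed sample data.

ICP_WARNING='WARNING: ICP response with invalid length'

# Number of warning lines in the given log file (prints 0 when none).
count_icp_warnings() {
    grep -c "$ICP_WARNING" "$1" || true
}

# Distinct days (YYYY/MM/DD, the first field of a cache.log line) on which
# the warning appeared, one per line.
icp_warning_days() {
    grep "$ICP_WARNING" "$1" | awk '{print $1}' | sort -u
}

# Verdict: "patch-or-block" when the warning is present (update Squid or
# block UDP 3130 as described in section 3), "clean" otherwise.
icp_verdict() {
    if [ "$(count_icp_warnings "$1")" -gt 0 ]; then
        echo "patch-or-block"
    else
        echo "clean"
    fi
}

# Constructed sample log for the demo.
SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
2026/04/12 09:58:11 kid1| Squid Cache (Version 5.7): started
2026/04/12 10:00:01 kid1| WARNING: ICP response with invalid length
2026/04/12 10:00:02 kid1| WARNING: ICP response with invalid length
2026/04/12 10:15:40 kid1| storeDirWriteCleanLogs: Starting...
2026/04/13 03:21:09 kid1| WARNING: ICP response with invalid length
EOF

echo "ICP warnings: $(count_icp_warnings "$SAMPLE_LOG")"
echo "Days affected:"
icp_warning_days "$SAMPLE_LOG"
echo "Verdict: $(icp_verdict "$SAMPLE_LOG")"
```

Running it against the constructed log reports three warnings across two days and the verdict patch-or-block; an empty or clean log reports 0 and clean. Replace SAMPLE_LOG with the real cache.log path and alert on any verdict other than clean.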
2. Automation script to apply the fix (bash, works on major distros)
Save this as fix-squid.sh and run it as root.
#!/bin/bash
# Evergreen Squid Hardening Script - CVE-2025-59362, CVE-2025-62168, CVE-2026-33526/748/515
set -e

# Detect OS from os-release (ID is "sles" on SUSE Linux Enterprise)
if [ -f /etc/os-release ]; then
    . /etc/os-release
    OS="$ID"
    VER="$VERSION_ID"
fi
echo "==> Detected: $OS $VER"

case "$OS" in
    ubuntu|debian)
        apt update
        apt install --only-upgrade squid -y
        ;;
    rocky|almalinux|rhel)
        dnf update squid -y
        ;;
    sles|suse|opensuse-leap|opensuse-tumbleweed)
        zypper refresh
        zypper update -y squid
        ;;
    *)
        echo "Unsupported OS. Manually update squid from source or repo."
        exit 1
        ;;
esac

# Restart and verify
systemctl restart squid
systemctl status squid --no-pager
echo "==> Squid updated. Check version:"
squid -v | head -n1

# Optional: test config for common mistakes
squid -k parse
Make it executable and run:
chmod +x fix-squid.sh && sudo ./fix-squid.sh
3. Alternative mitigation if you can't update now (immediate protection)
If you cannot restart the proxy or upgrade today, use these live workarounds.
🔥 iptables: block malformed ICP traffic (UDP 3130)
# Block all ICP requests (prevents CVE-2026-33526 and CVE-2026-32748)
iptables -A INPUT -p udp --dport 3130 -j DROP
iptables -A OUTPUT -p udp --sport 3130 -j DROP

# Save rules so they survive a reboot
# Ubuntu: netfilter-persistent save
# Rocky:  iptables-save > /etc/sysconfig/iptables   (needs the iptables-services package)
🛡️ AppArmor / SELinux: restrict Squid's ability to leak credentials (mitigates CVE-2025-62168)

AppArmor (Ubuntu / Debian):

sudo aa-complain /etc/apparmor.d/usr.sbin.squid

Then enforce a custom profile that denies read access to /etc/shadow and /var/private/.
SELinux (Rocky Linux):

setsebool -P httpd_can_network_connect on

and set squid_credential_leak to off (a custom boolean; check whether it exists on your build with getsebool -a | grep squid).
Reverse proxy config change: disable SNMP if not needed
In squid.conf:
# Disable SNMP: port 0 means Squid does not listen for SNMP at all
snmp_port 0
# Remove any "acl ... snmp_community" lines
Then squid -k reconfigure.
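To confirm the change took effect in the file (and to catch a stray snmp_community ACL left behind on another proxy), here is an added example that is not part of the original post: a small bash audit that reads a squid.conf, reports the effective snmp_port (the last uncommented setting, or 0 when absent, which is Squid's default and disables SNMP) and counts the remaining active snmp_community ACLs. The two config fragments embedded below are constructed for the demo; on a real proxy point the functions at /etc/squid/squid.conf.

```shell
#!/bin/bash
# Added example: audit a squid.conf for the SNMP settings the post says to
# remove. Not Squid's own tooling; the config fragments below are constructed.

# Effective snmp_port: last uncommented "snmp_port N" line, or 0 when absent.
effective_snmp_port() {
    local port
    port="$(grep -E '^[[:space:]]*snmp_port[[:space:]]+[0-9]+' "$1" | tail -n1 | awk '{print $2}')"
    echo "${port:-0}"
}

# Number of active (uncommented) "acl <name> snmp_community ..." lines.
snmp_community_acls() {
    grep -cE '^[[:space:]]*acl[[:space:]]+[^[:space:]]+[[:space:]]+snmp_community' "$1" || true
}

# "exposed" if Squid would still listen for SNMP, "disabled" otherwise.
snmp_status() {
    if [ "$(effective_snmp_port "$1")" != "0" ]; then
        echo "exposed"
    else
        echo "disabled"
    fi
}

# Constructed config as it might look before the change.
BEFORE_CONF="$(mktemp)"
cat > "$BEFORE_CONF" <<'EOF'
http_port 3128
snmp_port 3401
acl snmppublic snmp_community public
snmp_access allow snmppublic localhost
snmp_access deny all
EOF

# Constructed config after applying the post's change.
AFTER_CONF="$(mktemp)"
cat > "$AFTER_CONF" <<'EOF'
http_port 3128
# snmp_port 3401
snmp_port 0
# acl snmppublic snmp_community public
EOF

for conf in "$BEFORE_CONF" "$AFTER_CONF"; do
    echo "$conf: snmp_port=$(effective_snmp_port "$conf")" \
         "snmp_community_acls=$(snmp_community_acls "$conf")" \
         "status=$(snmp_status "$conf")"
done
```

The "before" fragment reports port 3401, one ACL and status exposed; the "after" fragment reports port 0, no ACLs and status disabled. Commented-out lines are ignored, so a config that merely comments the old snmp_port line (without an explicit snmp_port 0) is also reported as disabled, matching Squid's default.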
Suggested reading
You can patch today, but understanding Squid's internal handling of malformed ASN.1 (CVE-2025-59362) requires deep C and network knowledge.
👉 Recommendation: "Squid: The Definitive Guide" by Duane Wessels (O'Reilly), available on Amazon
Why this read is important
The only book that explains how ICP, SNMP, and credential caching work under the hood. It will help you audit custom builds and avoid future zero-days. (As an Amazon Associate I earn from qualifying purchases.)