SERVER-WEBAPP Squid authentication headers handling denial of service attempt

This alert is triggered when an adversary attempts to exploit CVE-2005-2917, a denial of service vulnerability in the Squid proxy server, specifically related to how it handles authentication headers. Squid is a widely used proxy server that helps organizations improve web performance by caching web content and also provides filtering capabilities. The vulnerability is linked to how Squid handles "Proxy-Authorization" headers with "NTLM" authentication.

ID Number

17370

Signature

alert tcp $EXTERNAL_NET any -> $HOME_NET 3128 (msg:"SERVER-WEBAPP Squid authentication headers handling denial of service attempt"; flow:to_server,established; content:"Proxy-Authorization: NTLM"; fast_pattern:only; flowbits:set,ntlm_authentication; flowbits:noalert; metadata:policy max-detect-ips alert, service http; reference:bugtraq,14977; reference:cve,2005-2917; classtype:protocol-command-decode; sid:17370; rev:12;)
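The following is an added example, not part of the original rule page or the Snort project: a small Python emulation of what SID 17370 evaluates on each client-to-server payload, so that the effect of flowbits:set together with flowbits:noalert (state is recorded for other rules, no event is raised on its own) is visible. The sample requests, addresses and the NTLM token placeholder are constructed here.

```python
"""Added example (not the original page's or Snort's code): emulate the
conditions of SID 17370 per TCP flow to show the flowbits:set / noalert logic.
All sample traffic below is constructed; no real capture is involved."""
from dataclasses import dataclass, field

RULE_PORT = 3128                               # $HOME_NET 3128 in the rule
RULE_CONTENT = b"Proxy-Authorization: NTLM"    # content match from the rule
FLOWBIT = "ntlm_authentication"                # flowbits:set,ntlm_authentication


@dataclass
class Flow:
    """Per-connection state, mirroring how Snort keeps flowbits per flow."""
    src: str
    dst: str
    dport: int
    bits: set = field(default_factory=set)


def sid_17370(flow: Flow, payload: bytes, to_server: bool = True) -> dict:
    """Evaluate the rule on one payload and record the outcome.

    Returns whether the content matched, which flowbit was set, and whether
    an alert would fire (never: the rule carries flowbits:noalert)."""
    result = {"matched": False, "flowbit_set": None, "alert": False}
    if not to_server or flow.dport != RULE_PORT:  # flow:to_server + port check
        return result
    if RULE_CONTENT in payload:                   # content:"Proxy-Authorization: NTLM"
        result["matched"] = True
        flow.bits.add(FLOWBIT)                    # state consumed by follow-up rules
        result["flowbit_set"] = FLOWBIT
        result["alert"] = False                   # flowbits:noalert: no event by itself
    return result


# Constructed sample requests (placeholder credentials, not real tokens).
NTLM_REQUEST = (b"GET http://example.invalid/ HTTP/1.1\r\n"
                b"Host: example.invalid\r\n"
                b"Proxy-Authorization: NTLM <constructed-token>\r\n\r\n")
BASIC_REQUEST = (b"GET http://example.invalid/ HTTP/1.1\r\n"
                 b"Proxy-Authorization: Basic <constructed-token>\r\n\r\n")


def demo() -> dict:
    """Run both requests on fresh flows; return (rule result, flowbits) per case."""
    results = {}
    for name, payload in (("ntlm", NTLM_REQUEST), ("basic", BASIC_REQUEST)):
        flow = Flow("198.51.100.10", "10.0.0.5", RULE_PORT)  # constructed addresses
        results[name] = (sid_17370(flow, payload), sorted(flow.bits))
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, outcome)
```

Because the rule only sets state, a sensor that logs it directly will show nothing; the "ntlm_authentication" flowbit is what a companion rule checks before alerting.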

MITRE ATT&CK Technique

-

Severity

High

Recommendations/Investigative actions

It is recommended to immediately identify the Squid proxy server receiving this traffic and verify whether it is running a vulnerable version. If it is vulnerable, update or patch Squid to mitigate this vulnerability. Also consider blocking the source IP.