Critical Vulnerability in Tinyproxy Exposes Over 50,000 Hosts to Risk of Remote Code Execution
May 6, 2024
A severe unpatched security flaw, identified as CVE-2023-49606, in the HTTP/HTTPS proxy tool Tinyproxy has left more than half of roughly 90,310 hosts exposed to potential security breaches. This vulnerability, as described by Cisco Talos, is a use-after-free bug affecting versions 1.10.0 and 1.11.1 of Tinyproxy.
"A specially crafted HTTP header can trigger reuse of previously freed memory, which leads to memory corruption and could lead to remote code execution," stated the advisory from Talos. This means an unauthenticated attacker can exploit this vulnerability by sending a specially crafted HTTP Connection header, resulting in memory corruption and possible remote code execution.
As per data from attack surface management firm Censys, about 57% of the 90,310 hosts, or roughly 52,000, that are publicly exposing a Tinyproxy service are running a vulnerable version of the tool. The majority of these exposed hosts are situated in the U.S., South Korea, China, France, and Germany.
Cisco Talos, which reported the issue on December 22, 2023, also released a proof-of-concept (PoC) for the flaw. This PoC demonstrates how parsing issues with HTTP Connection headers could be exploited to trigger a system crash and, in some instances, execute code.
The Tinyproxy maintainers, in a series of commits over the recent weekend, criticized Talos for sending the report to a possibly "outdated email address." They were informed about the issue by a Debian Tinyproxy package maintainer on May 5, 2024. One of the maintainers expressed, "If the issue had been reported on GitHub or IRC, the bug would have been fixed within a day."
Users are urged to upgrade to the newest version of Tinyproxy once it becomes available and to avoid exposing the Tinyproxy service to the public internet.
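Until a fixed release is available, the practical defender task is to find which of your own proxies run one of the two versions the advisory names (1.10.0 and 1.11.1) and to confirm they are not reachable from the internet. The script below is an added example, not code from the article, from Cisco Talos, or from the Tinyproxy project: it triages a constructed asset inventory of hostnames and the Via header each proxy returned. It assumes the default Tinyproxy Via banner contains a token of the form tinyproxy/x.y.z (adjust the regular expression if your deployment sets a different ViaProxyName or strips the header).

```python
import re
from typing import Dict, List, Optional, Tuple

# Versions named as affected in the Talos advisory quoted above.
AFFECTED_VERSIONS = {"1.10.0", "1.11.1"}

# Constructed sample inventory (not real hosts): one record per line,
# "<hostname><TAB><Via header value as returned by the proxy>".
SAMPLE_INVENTORY = """\
proxy-a.example.test\tVia: 1.1 proxy-a (tinyproxy/1.11.1)
proxy-b.example.test\tVia: 1.1 proxy-b (tinyproxy/1.10.0)
proxy-c.example.test\tVia: 1.1 proxy-c (tinyproxy/1.8.4)
squid-d.example.test\tVia: 1.1 squid-d (squid/5.7)
"""

# Assumption: the banner carries "tinyproxy/<major>.<minor>.<patch>".
VERSION_RE = re.compile(r"tinyproxy/(\d+\.\d+\.\d+)", re.IGNORECASE)


def extract_version(via_header: str) -> Optional[str]:
    """Return the Tinyproxy version string found in a Via header, or None."""
    match = VERSION_RE.search(via_header)
    return match.group(1) if match else None


def is_affected(version: str) -> bool:
    """True only for the versions the advisory explicitly lists."""
    return version in AFFECTED_VERSIONS


def triage(inventory: str) -> Dict[str, List]:
    """Bucket each host by what its banner tells us.

    'unlisted_tinyproxy' holds Tinyproxy hosts whose version is not on the
    advisory's list; treat them as 'review', not 'safe', since the article
    only reports which versions Talos confirmed.
    """
    findings: Dict[str, List] = {
        "affected": [],            # (host, version) running 1.10.0 or 1.11.1
        "unlisted_tinyproxy": [],  # (host, version) Tinyproxy, other version
        "not_tinyproxy": [],       # host did not identify as Tinyproxy
    }
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, _, header = line.partition("\t")
        version = extract_version(header)
        if version is None:
            findings["not_tinyproxy"].append(host)
        elif is_affected(version):
            findings["affected"].append((host, version))
        else:
            findings["unlisted_tinyproxy"].append((host, version))
    return findings


if __name__ == "__main__":
    result = triage(SAMPLE_INVENTORY)
    for host, version in result["affected"]:
        print(f"PATCH/ISOLATE {host}: tinyproxy {version} is on the affected list")
    for host, version in result["unlisted_tinyproxy"]:
        print(f"REVIEW        {host}: tinyproxy {version} not named in advisory")
    for host in result["not_tinyproxy"]:
        print(f"SKIP          {host}: no tinyproxy banner")
```

Feed the script the Via headers your own scanner or CMDB already collected rather than probing hosts you do not own. For the second half of the advice in the article, keeping the service off the public internet, Tinyproxy's configuration file supports a Listen directive to bind the listener to an internal address and Allow directives to restrict client subnets; verifying those two settings on every host in the "affected" bucket is the immediate containment step while the fix is pending.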