
Most Tinyproxy Instances are potentially vulnerable to flaw CVE-2023-49606

A critical Remote Code Execution vulnerability in the Tinyproxy service potentially impacted 50,000 Internet-Exposing hosts.

Researchers from Cisco Talos reported a use-after-free vulnerability in the HTTP Connection header parsing of Tinyproxy 1.11.1 and Tinyproxy 1.10.0. The issue is tracked as CVE-2023-49606 and received a CVSS score of 9.8. The exploitation of the issue can potentially lead to remote code execution.

“A specially crafted HTTP header can trigger reuse of previously freed memory, which leads to memory corruption and could lead to remote code execution. An attacker needs to make an unauthenticated HTTP request to trigger this vulnerability.” reads the advisory.

Tinyproxy is an open-source HTTP proxy daemon designed for simplicity and efficiency.

The vulnerability impacts over 90,000 hosts that expose a Tinyproxy service on the internet. Talos researchers published a proof-of-concept exploit code for this vulnerability.

“As of May 3, 2024, Censys observed over 90,000 hosts exposing a Tinyproxy service, ~57% of which are potentially vulnerable to this exploit.” reads the report.

Most of the exposed hosts are in the United States, followed by South Korea and China.

Country       | Host count | Percentage
United States | 32846      | 36.37%
South Korea   | 18358      | 20.33%
China         | 7808       | 8.65%
France        | 5208       | 5.77%
Germany       | 3680       | 4.07%

Maintainers of the project temporarily addressed the issue with the release of version 1.11.1. The Tinyproxy 1.11.2 release will definitively fix the issue.

  • “the issue is fixed in master with commit 12a8484

the code may appear naive, but it allows to circumvent the allocation of more memory which could fail again. the straight-forward fix would be to strdup the value retrieved from the key/value store, and then work on that and free it later.

  • the code is only triggered after access list checks and authentication have succeeded.
    so if you use basic auth with a reasonably secure password or allow only specific trusted hosts you won’t have to worry. same if your proxy is only available on a trusted private network, like inside a corporate environment (you gotta trust your employees anyway).

so it seems most tinyproxy users won’t have to worry – because who runs an entirely open proxy on the open internet these days?”
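The maintainer's point above is that the vulnerable header parsing runs only after the access list and authentication checks pass, so an open, unauthenticated proxy is the exposed case. The following added example (not from the article or the Tinyproxy project) audits a tinyproxy.conf for exactly those gates; it assumes the stock directive names Listen, Allow, Deny and BasicAuth, that a config with no Allow/Deny lines admits every client, and that a missing Listen line binds to all interfaces. Both sample configs are constructed for the demonstration.

```python
import ipaddress

# Constructed sample configs (not from the page): an open proxy and a hardened one.
OPEN_CONF = """\
Port 8888
Listen 0.0.0.0
Timeout 600
"""

HARDENED_CONF = """\
Port 8888
Listen 10.0.5.1
Allow 10.0.5.0/24
Allow 127.0.0.1
BasicAuth proxyuser CHANGE_ME_placeholder   # placeholder credential, not a real one
"""


def parse_conf(text):
    """Return {directive: [values]} for the non-comment lines of a tinyproxy.conf."""
    directives = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        key, _, value = line.partition(" ")
        directives.setdefault(key, []).append(value.strip())
    return directives


def audit(text):
    """List the missing pre-parse gates (ACL, auth, private bind) that keep
    unauthenticated clients away from the header parser."""
    conf = parse_conf(text)
    findings = []
    if "Allow" not in conf and "Deny" not in conf:
        findings.append("no Allow/Deny rules: every client passes the access list")
    if "BasicAuth" not in conf:
        findings.append("no BasicAuth: unauthenticated requests reach the header parser")
    # Assumption: no Listen line means Tinyproxy binds every interface.
    for addr in conf.get("Listen", ["0.0.0.0"]):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue  # hostnames are not resolved here
        if ip.is_unspecified or ip.is_global:
            findings.append(f"Listen {addr}: bound to a public or wildcard address")
    return findings
```

A config that returns an empty list still needs the patched release; the audit only tells you whether the exposed-to-anyone path the maintainer describes is open.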
