Critical Vulnerability Discovered in Tinyproxy Exposed by Over Half of Public Hosts
Recent reports have unveiled a significant security vulnerability within the Tinyproxy service, a widely utilized HTTP/HTTPS proxy tool, affecting over 50% of the 90,310 hosts identified as publicly exposing this service. This unpatched flaw, tracked as CVE-2023-49606, has garnered a critical CVSS score of 9.8 out of 10 according to Cisco Talos, indicating its severe implications. The vulnerability affects versions 1.10.0 and 1.11.1, the latter being the most recent release.
The vulnerability stems from a use-after-free error that can be triggered by specially crafted HTTP headers, potentially leading to memory corruption. This situation could allow unauthorized users to execute remote code following a specially structured HTTP request. Cisco Talos has emphasized that an attacker need only initiate an unauthenticated HTTP request to exploit this vulnerability effectively.
From data provided by Censys, it was noted that approximately 52,000 of the analyzed hosts—making up around 57%—were operating vulnerable versions of Tinyproxy as of May 3, 2024. The geographical distribution of these hosts indicates a majority located within the United States (32,846), followed by significant numbers in South Korea (18,358), China (7,808), France (5,208), and Germany (3,680).
In a disclosure surrounding this issue, Cisco Talos reported it as early as December 22, 2023. The organization has since released a proof-of-concept pertaining to the vulnerability, outlining how attackers might manipulate the flaw to induce crashes and in certain instances, execute code maliciously.
The Tinyproxy maintainers acknowledged the vulnerability in a series of recent commits, asserting that they were initially unaware of the situation until informed by a Debian package maintainer on May 5, 2024. They criticized Cisco Talos for allegedly forwarding the vulnerability report to an outdated email address, which delayed their awareness and subsequent patching efforts.
The advisory specifically indicates that an unauthenticated threat actor could initiate the attack by sending a malformed HTTP Connection header, resulting in memory corruption that could be weaponized for remote code execution. The absence of documentation or discussion regarding the vulnerability in community support channels such as GitHub and IRC has drawn additional scrutiny from Tinyproxy’s developers, suggesting that had these avenues been utilized for reporting, remedial measures could have been implemented swiftly.
As a resolution, users are urged to retrieve the latest version from the Tinyproxy GitHub repository or apply an immediate patch to version 1.11.1 until an official fix is released. It is also strongly advised that users configure their Tinyproxy service to avoid exposure to the public internet.
Fortunately, the maintainers have now officially rolled out Tinyproxy version 1.11.2, which addresses the critical use-after-free vulnerability, enabling affected organizations to bolster their defenses against potential exploitation.
As awareness of these kinds of vulnerabilities becomes increasingly crucial in the cybersecurity landscape, business owners should remain vigilant and proactive in applying updates and protecting their services. Utilizing frameworks such as the MITRE ATT&CK Matrix can provide valuable insights into the tactics and techniques used by adversaries, such as initial access and privilege escalation strategies that may be relevant to similar vulnerabilities.
