May 06, 2024 - 2:00 p.m.

Critical Tinyproxy Flaw Opens Over 50,000 Hosts to Remote Code Execution

The Hacker News (thehackernews.com)
Tags: tinyproxy, remote code execution, critical vulnerability, cve-2023-49606, http/https, memory corruption, unauthenticated threat actor, censys, talos, proof-of-concept, vulnerable version, cybersecurity, fix available

CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score: 8.4 High (Confidence: Low)
EPSS: 0.001 Low (Percentile: 39.3%)

More than 50% of the 90,310 hosts found exposing a Tinyproxy service on the internet are running a version that’s vulnerable to a critical unpatched security flaw in the HTTP/HTTPS proxy tool.

The issue, tracked as CVE-2023-49606, carries a CVSS score of 9.8 out of a maximum of 10, per Cisco Talos, which described it as a use-after-free bug impacting versions 1.10.0 and 1.11.1, the latter of which is the latest version.

“A specially crafted HTTP header can trigger reuse of previously freed memory, which leads to memory corruption and could lead to remote code execution,” Talos said in an advisory last week. “An attacker needs to make an unauthenticated HTTP request to trigger this vulnerability.”

In other words, an unauthenticated threat actor could send a specially crafted HTTP Connection header to trigger memory corruption that can result in remote code execution.

According to data shared by attack surface management company Censys, of the 90,310 hosts exposing a Tinyproxy service to the public internet as of May 3, 2024, 52,000 (~57%) of them are running a vulnerable version of Tinyproxy.

A majority of the publicly accessible hosts are located in the U.S. (32,846), South Korea (18,358), China (7,808), France (5,208), and Germany (3,680).

Talos, which reported the issue on December 22, 2023, has also released a proof-of-concept (PoC) for the flaw, describing how the issue with parsing HTTP Connection headers could be weaponized to trigger a crash and, in some cases, code execution.

The maintainers of Tinyproxy, in a set of commits made over the weekend, called out Talos for sending the report to a likely “outdated email address,” adding they were made aware by a Debian Tinyproxy package maintainer on May 5, 2024.

“No GitHub issue was filed, and nobody mentioned a vulnerability on the mentioned IRC chat,” rofl0r said in a commit. “If the issue had been reported on Github or IRC, the bug would have been fixed within a day.”

Update: Fix Available

Users are advised to pull the latest master branch from git or manually apply the aforementioned commit as a patch on version 1.11.1 until Tinyproxy 1.11.2 is made available. It’s also recommended that the Tinyproxy service is not exposed to the public internet.

Tinyproxy version 1.11.2 now available

Tinyproxy maintainers have officially released version 1.11.2 to fix the critical use-after-free bug that could enable an unauthenticated attacker to achieve remote code execution.
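The article names the affected releases (1.10.0 and 1.11.1) and the fixed one (1.11.2), which is all an inventory check needs. The following is an added example, not code from The Hacker News, Censys or the Tinyproxy project: it pulls the advertised version out of a proxied HTTP response and classifies it against those versions. It assumes, as an assumption not stated in the article, that Tinyproxy inserts a `Via: 1.1 <host> (tinyproxy/<version>)` header into responses it relays; the sample response bytes are constructed for the example.

```python
"""Classify a Tinyproxy instance for CVE-2023-49606 from its advertised version.

Added example, not part of the article or the Tinyproxy project.
Assumption: Tinyproxy advertises itself in a "Via" response header of the
form "Via: 1.1 <host> (tinyproxy/<version>)". The sample response below is
constructed for this example.
"""
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, ...]

# Versions named in the article: 1.10.0 and 1.11.1 affected, 1.11.2 fixed.
KNOWN_AFFECTED = {(1, 10, 0), (1, 11, 1)}
FIXED_VERSION: Version = (1, 11, 2)

# Matches "tinyproxy/1.11.1" wherever it appears in the Via header value.
VIA_RE = re.compile(r"tinyproxy/(\d+)\.(\d+)\.(\d+)", re.IGNORECASE)

# Constructed sample: a response as a client behind the proxy would see it.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Via: 1.1 proxy.example.internal (tinyproxy/1.11.1)\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)


def extract_version(raw_response: bytes) -> Optional[Version]:
    """Return the tinyproxy version tuple from the Via header, or None if absent."""
    head, _, _ = raw_response.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"via":
            match = VIA_RE.search(value.decode("ascii", "replace"))
            if match:
                return tuple(int(g) for g in match.groups())
    return None


def classify(version: Optional[Version]) -> str:
    """Map a version to vulnerable / fixed / unverified / unknown."""
    if version is None:
        return "unknown"        # no Via header: cannot tell from traffic alone
    if version >= FIXED_VERSION:
        return "fixed"
    if version in KNOWN_AFFECTED:
        return "vulnerable"
    # Older releases are not named in the advisory; flag them for manual review
    # rather than silently treating them as safe.
    return "unverified"


ADVICE = {
    "vulnerable": "Upgrade to 1.11.2 (or apply the fix commit to 1.11.1) and "
                  "do not expose the service to the public internet.",
    "unverified": "Version not covered by the advisory; confirm with the "
                  "maintainers' release notes before assuming it is safe.",
    "unknown": "No Tinyproxy version advertised; check the host directly.",
    "fixed": "Running a fixed release; no action needed for this CVE.",
}


def assess(raw_response: bytes) -> Dict[str, object]:
    """Full assessment record for one captured response."""
    version = extract_version(raw_response)
    status = classify(version)
    return {"version": version, "status": status, "advice": ADVICE[status]}


if __name__ == "__main__":
    print(assess(SAMPLE_RESPONSE))
```

The `unverified` bucket is deliberate: the advisory only names 1.10.0 and 1.11.1, so an older release is reported for follow-up rather than being assumed safe, and a missing Via header is reported as `unknown` rather than as a pass.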
