A critical remote code execution vulnerability in the Tinyproxy service potentially impacts 50,000 Internet-exposed hosts.
Researchers from Cisco Talos reported a use-after-free vulnerability in the HTTP Connection header parsing of Tinyproxy 1.11.1 and Tinyproxy 1.10.0. The issue is tracked as CVE-2023-49606 and received a CVSS score of 9.8. Exploitation of the issue can potentially lead to remote code execution.
“A specially crafted HTTP header can trigger reuse of previously freed memory, which leads to memory corruption and could lead to remote code execution. An attacker needs to make an unauthenticated HTTP request to trigger this vulnerability,” reads the advisory.
Tinyproxy is an open-source HTTP proxy daemon designed for simplicity and efficiency.
The vulnerability potentially impacts over 90,000 hosts that expose a Tinyproxy service on the internet. Talos researchers published proof-of-concept exploit code for this vulnerability.
“As of May 3, 2024, Censys observed over 90,000 hosts exposing a Tinyproxy service, ~57% of which are potentially vulnerable to this exploit,” reads the report.
Most of the exposed hosts are in the United States, followed by South Korea and China.
| Country | Host Count | Percentage |
|---|---|---|
| United States | 32846 | 36.37% |
| South Korea | 18358 | 20.33% |
| China | 7808 | 8.65% |
| France | 5208 | 5.77% |
| Germany | 3680 | 4.07% |
Maintainers of the project temporarily addressed the issue with the release of version 1.11.1; the Tinyproxy 1.11.2 release will definitively fix the issue.
“- the issue is fixed in master with commit 12a8484. the code may appear naive, but it allows circumventing the allocation of more memory, which could fail again. the straight-forward fix would be to strdup the value retrieved from the key/value store, and then work on that and free it later.
- the code is only triggered after access list checks and authentication have succeeded. so if you use basic auth with a reasonably secure password or allow only specific trusted hosts you won’t have to worry. same if your proxy is only available on a trusted private network, like inside a corporate environment (you gotta trust your employees anyway).
so it seems most tinyproxy users won’t have to worry – because who runs an entirely open proxy on the open internet these days?”
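To illustrate the fix pattern the maintainer describes, here is an added example that is not Tinyproxy's code: a constructed minimal header store and a routine that removes the headers named in a request header's comma-separated value, working on a strdup'd copy so that removing entries can never free the buffer being parsed. The names store_add, store_get, store_remove, remove_listed_headers and demo_removed_count are assumptions made for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#define MAX_HEADERS 8   /* constructed minimal header store, a stand-in for a proxy's key/value store */
struct header { char *name; char *value; };
struct store { struct header h[MAX_HEADERS]; int n; };
static void store_add(struct store *s, const char *name, const char *value) {
    s->h[s->n].name = strdup(name); s->h[s->n].value = strdup(value); s->n++;
}
/* Returns a store-owned pointer: valid only until that entry is removed. */
static const char *store_get(const struct store *s, const char *name) {
    for (int i = 0; i < s->n; i++)
        if (strcasecmp(s->h[i].name, name) == 0) return s->h[i].value;
    return NULL;
}
static void store_remove(struct store *s, const char *name) {
    for (int i = 0; i < s->n; i++)
        if (strcasecmp(s->h[i].name, name) == 0) {
            free(s->h[i].name); free(s->h[i].value);
            s->h[i] = s->h[--s->n];   /* swap the last entry into the hole */
            return;
        }
}
/* Remove every header named in the comma-separated value of `list_header`.
 * Parsing the store-owned value in place would be unsafe: if the list names the
 * header it came from, store_remove() frees that buffer mid-parse. Working on a
 * strdup'd copy that is freed afterwards avoids the dangling pointer. */
int remove_listed_headers(struct store *s, const char *list_header) {
    const char *owned = store_get(s, list_header);
    if (!owned) return 0;
    char *copy = strdup(owned);        /* private copy outlives any removal below */
    if (!copy) return -1;
    int removed = 0;
    for (char *tok = strtok(copy, ", "); tok; tok = strtok(NULL, ", "))
        if (store_get(s, tok)) { store_remove(s, tok); removed++; }
    free(copy);
    return removed;
}
/* Constructed request: the list names one present header, one absent, and itself. */
int demo_removed_count(void) {
    struct store s = {0};
    store_add(&s, "Host", "example.test");
    store_add(&s, "Connection", "keep-alive, X-Hop, Connection");
    store_add(&s, "X-Hop", "1");
    int removed = remove_listed_headers(&s, "Connection");
    if (s.n != 1 || !store_get(&s, "Host")) removed = -1;   /* only Host should remain */
    for (int i = 0; i < s.n; i++) { free(s.h[i].name); free(s.h[i].value); }
    return removed;
}
```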