Critical Tinyproxy Flaw Opens Over 50,000 Hosts to Remote Code Execution

Critical Tinyproxy Flaw Opens Over 50,000 Hosts to Remote Code Execution

More than 50% of the 90,310 hosts have been found exposing a Tinyproxy service on the internet that’s vulnerable to a critical unpatched security flaw in the HTTP/HTTPS proxy tool.

The issue, tracked as CVE-2023-49606, carries a CVSS score of 9.8 out of a maximum of 10, per Cisco Talos, which described it as a use-after-free bug impacting versions 1.10.0 and 1.11.1, the latter of which is the latest version.

“A specially crafted HTTP header can trigger reuse of previously freed memory, which leads to memory corruption and could lead to remote code execution,” Talos said in an advisory last week. “An attacker needs to make an unauthenticated HTTP request to trigger this vulnerability.”

In other words, an unauthenticated threat actor could send a specially crafted HTTP Connection header to trigger memory corruption that can result in remote code execution.

According to data shared by attack surface management company Censys, of the 90,310 hosts exposing a Tinyproxy service to the public internet as of May 3, 2024, 52,000 (~57%) of them are running a vulnerable version of Tinyproxy.

A majority of the publicly-accessible hosts are located in the U.S. (32,846), South Korea (18,358), China (7,808), France (5,208), and Germany (3,680).

Users are advised to pull the latest master branch from git or manually apply the aforementioned commit as a patch on version 1.11.1 until Tinyproxy 1.11.2 is made available. It’s also recommended that the Tinyproxy service is not exposed to the public internet.