More than half of Tinyproxy service hosts run a faulty version that hackers could use in remote code execution attacks, a new report from Cisco Talos researchers claims.
Tinyproxy is a lightweight HTTP/HTTPS proxy server that is commonly used to improve Internet access speed by caching frequently accessed web pages, filtering unwanted content, and providing anonymity.
The tool is often used in home networks, small businesses, or personal servers.
Thousands of vulnerable endpoints
In its findings, Cisco Talos said that Tinyproxy versions 1.10.0 and 1.11.1 were vulnerable to CVE-2023-49606, a use-after-free bug with a severity score of 9.8.
“A specially crafted HTTP header can trigger the reuse of previously freed memory, leading to memory corruption and could lead to remote code execution,” the researchers explained in their report. “An attacker needs to make an unauthenticated HTTP request to trigger this vulnerability.”
Citing data from attack surface management expert Censys, TheHackerNews reported that of the 90,310 hosts exposing a Tinyproxy service to the public Internet, 57% (52,000) were running a vulnerable version of the tool. The majority are in the US (32,846), followed by South Korea (18,358), China (7,808), France (5,208) and Germany (3,608).
In the days immediately following the Talos report, Tinyproxy maintainers made some commits, criticizing the researchers for attempting to communicate via an “outdated email address.” They added that a maintainer of the Debian Tinyproxy package notified them on Sunday.
“No GitHub issue was raised and no one mentioned a vulnerability in the mentioned IRC chat,” rofl0r said in a commit. “If the issue had been reported on Github or IRC, the bug would have been fixed within a day.”
Users are recommended to apply the patch as soon as it is available.
