A security flaw in the popular proxy service leaves 50,000 hosts vulnerable
More than half of Tinyproxy service hosts are running a flawed version that hackers can use in remote code execution attacks, a new report from researchers at Cisco Talos claims.
Tinyproxy is a lightweight HTTP/HTTPS proxy daemon commonly deployed to relay outbound web traffic for hosts without direct Internet access, to filter out unwanted content and to hide the client's address from the sites it visits.
The tool is often used in home networks, small businesses or on personal servers.
Thousands of vulnerable endpoints
In its findings, Cisco Talos said Tinyproxy versions 1.10.0 and 1.11.1 are vulnerable to CVE-2023-49606, a use-after-free bug rated 9.8 (critical) on the CVSS scale.
“A specially crafted HTTP header can trigger reuse of previously freed memory, leading to memory corruption and potentially leading to remote code execution,” the researchers explain in their report. “An attacker must make an unauthenticated HTTP request to trigger this vulnerability.”
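The report describes only the bug class (a header that causes memory to be reused after it has been freed), not the code path. The following C program is an added, constructed illustration of that class and is not Tinyproxy's code: it assumes, for the sake of the example, a proxy that strips the hop-by-hop headers named in a request's `Connection:` value while walking that value in place, so that a crafted `Connection: Connection, Keep-Alive` frees the buffer the loop is still reading. The header table, the `toy_free` quarantine (which poisons a block instead of returning it to the allocator so the stale read is observable deterministically) and the sample request are all invented here. Replacing `toy_free` with `free()` and building with `-fsanitize=address` turns the same bug into a reported heap-use-after-free.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_HEADERS 16
#define MAX_TOKENS  8
#define TOK_LEN     32

struct header  { char *name; char *value; };
struct headers { struct header h[MAX_HEADERS]; int n; };

/* Toy quarantine standing in for free(): poison the block with 'X' and keep it
 * alive, so a later read through a dangling pointer is visible and repeatable
 * instead of undefined behaviour. (Assumed test scaffolding, not a real allocator.) */
static char *quarantine[2 * MAX_HEADERS];
static int   nquarantine;

static void toy_free(char *p)
{
    if (nquarantine < (int)(sizeof quarantine / sizeof *quarantine)) {
        memset(p, 'X', strlen(p));
        quarantine[nquarantine++] = p;
    } else {
        free(p);
    }
}

static void quarantine_flush(void)
{
    while (nquarantine > 0) free(quarantine[--nquarantine]);
}

static char *xstrdup(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p) memcpy(p, s, n);
    return p;
}

/* Case-insensitive equality, as HTTP header names are case-insensitive. */
static int ieq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

static int headers_add(struct headers *hs, const char *name, const char *value)
{
    if (hs->n >= MAX_HEADERS) return -1;
    hs->h[hs->n].name  = xstrdup(name);
    hs->h[hs->n].value = xstrdup(value);
    hs->n++;
    return 0;
}

static int header_find(const struct headers *hs, const char *name)
{
    for (int i = 0; i < hs->n; i++)
        if (ieq(hs->h[i].name, name)) return i;
    return -1;
}

/* Remove a header by name, releasing both of its strings. Returns 1 if removed. */
static int header_remove(struct headers *hs, const char *name)
{
    int i = header_find(hs, name);
    if (i < 0) return 0;
    toy_free(hs->h[i].name);
    toy_free(hs->h[i].value);
    memmove(&hs->h[i], &hs->h[i + 1], (size_t)(hs->n - i - 1) * sizeof hs->h[0]);
    hs->n--;
    return 1;
}

/* Copy the next comma/space separated token out of *pp; returns 0 at end of list. */
static int next_token(const char **pp, char *tok, size_t cap)
{
    const char *p = *pp;
    size_t i = 0;
    while (*p == ',' || *p == ' ') p++;
    if (*p == '\0') { *pp = p; return 0; }
    while (*p && *p != ',' && *p != ' ') { if (i + 1 < cap) tok[i++] = *p; p++; }
    tok[i] = '\0';
    *pp = p;
    return 1;
}

/* VULNERABLE pattern: iterate the Connection value in place while removing the
 * headers it names. Naming "Connection" itself frees the buffer being walked,
 * so every token after it is read from freed memory. Tokens seen are recorded. */
static int strip_hop_by_hop_vuln(struct headers *hs, char seen[][TOK_LEN], int *nseen)
{
    int idx = header_find(hs, "Connection"), removed = 0;
    char tok[TOK_LEN];
    *nseen = 0;
    if (idx < 0) return 0;
    const char *p = hs->h[idx].value;              /* dangles after first removal */
    while (next_token(&p, tok, sizeof tok)) {
        if (*nseen < MAX_TOKENS) strcpy(seen[(*nseen)++], tok);
        removed += header_remove(hs, tok);
    }
    return removed;
}

/* HARDENED: walk a private copy of the list, so mutating the table cannot
 * free the memory the loop is reading. */
static int strip_hop_by_hop_safe(struct headers *hs, char seen[][TOK_LEN], int *nseen)
{
    int idx = header_find(hs, "Connection"), removed = 0;
    char tok[TOK_LEN];
    *nseen = 0;
    if (idx < 0) return 0;
    char *list = xstrdup(hs->h[idx].value);
    if (!list) return -1;
    const char *p = list;
    while (next_token(&p, tok, sizeof tok)) {
        if (*nseen < MAX_TOKENS) strcpy(seen[(*nseen)++], tok);
        removed += header_remove(hs, tok);
    }
    free(list);
    return removed;
}

/* Constructed sample request: one ordinary header plus the crafted list. */
static void build_crafted_request(struct headers *hs)
{
    hs->n = 0;
    headers_add(hs, "Host", "example.internal");
    headers_add(hs, "Connection", "Connection, Keep-Alive");
    headers_add(hs, "Keep-Alive", "timeout=5");
}

static void headers_free(struct headers *hs)
{
    for (int i = 0; i < hs->n; i++) { free(hs->h[i].name); free(hs->h[i].value); }
    hs->n = 0;
    quarantine_flush();
}

int main(void)
{
    struct headers hs;
    char seen[MAX_TOKENS][TOK_LEN];
    int nseen, r;

    build_crafted_request(&hs);
    r = strip_hop_by_hop_vuln(&hs, seen, &nseen);
    printf("vulnerable: removed=%d, second token read as \"%s\", Keep-Alive %s\n", r,
           nseen > 1 ? seen[1] : "(none)",
           header_find(&hs, "Keep-Alive") >= 0 ? "still present" : "gone");
    headers_free(&hs);

    build_crafted_request(&hs);
    r = strip_hop_by_hop_safe(&hs, seen, &nseen);
    printf("hardened:   removed=%d, Keep-Alive %s\n", r,
           header_find(&hs, "Keep-Alive") >= 0 ? "still present" : "gone");
    headers_free(&hs);
    return 0;
}
```

In the vulnerable path the second token is read out of the poisoned buffer as a run of `X` characters, so `Keep-Alive` is never stripped and the proxy has acted on freed memory; the hardened path removes both headers. The same discipline (never free anything you are still iterating, or iterate a copy) is the general fix for this class regardless of what the real Tinyproxy patch looks like.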
Citing data from attack surface management firm Censys, The Hacker News reported that of the 90,310 hosts exposing a Tinyproxy service on the public Internet, 57% (roughly 52,000) were running a vulnerable version of the tool. Most are in the US (32,846), followed by South Korea (18,358), China (7,808), France (5,208) and Germany (3,608).
In the days immediately following Talos’ report, Tinyproxy’s maintainers pushed back publicly, criticizing the researchers for having tried to contact them through an “outdated email address.” They added that a maintainer of the Debian Tinyproxy package had tipped them off on Sunday.
“No GitHub issue was submitted and no one mentioned a vulnerability in the mentioned IRC chat,” rofl0r said in a commit. “If the issue had been reported on Github or IRC, the bug would have been resolved within a day.”
Users are advised to apply the patch as soon as it becomes available.