Tinyproxy critical vulnerability exposes over 50,000 servers to remote code execution
Take action: If you are using Tinyproxy, it may be wise to isolate it from internet access until patched. The critical flaw already has a PoC, so automatic attacks are coming very soon. And follow the Tinyproxy releases for a patch and update ASAP.
A critical vulnerability in Tinyproxy, a popular HTTP/HTTPS proxy tool, affects versions 1.10.0 and 1.11.1, the latest release. The flaw, tracked as CVE-2023-49606, carries a CVSS score of 9.8. Cisco Talos, which discovered it, found that it can be exploited by sending a specially crafted HTTP header, causing memory corruption and potentially leading to remote code execution.
An unauthenticated attacker can send a maliciously constructed HTTP Connection header to trigger the reuse of previously freed memory (a use-after-free), resulting in memory corruption and, ultimately, remote code execution. No authentication is required to reach the vulnerable code path.
Data from Censys, an attack surface management company, revealed that of the 90,310 hosts exposing Tinyproxy to the public internet as of May 3, 2024, around 52,000 (~57%) are running vulnerable versions. These hosts are predominantly located in:
- United States (32,846)
- South Korea (18,358)
- China (7,808)
- France (5,208)
- Germany (3,680)
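As an added example (not code from the article, Talos, Censys or the Tinyproxy project), here is a small Python inventory helper that classifies Tinyproxy instances by the version they advertise against the two versions the advisory names as affected. It assumes that Tinyproxy reports its version in the `Via` response header in the form `1.1 <proxy-name> (tinyproxy/<version>)`; the host names and header values in `SAMPLE_INVENTORY` are constructed placeholders. Because no patched release existed at the time of the article, versions newer than 1.11.1 are labelled separately rather than assumed safe.

```python
"""Inventory helper: classify Tinyproxy instances by advertised version
against the versions named in the CVE-2023-49606 advisory."""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Versions the advisory names as affected; 1.11.1 was the latest release
# at the time, so no patched version was available yet.
AFFECTED_VERSIONS = {(1, 10, 0), (1, 11, 1)}
LATEST_KNOWN_AFFECTED = (1, 11, 1)

# Assumption (not stated in the article): Tinyproxy advertises itself in
# the Via response header as "1.1 <proxy-name> (tinyproxy/<version>)".
VIA_VERSION = re.compile(r"\(tinyproxy/(\d+)\.(\d+)\.(\d+)\)", re.IGNORECASE)


def parse_tinyproxy_version(headers: Dict[str, str]) -> Optional[Version]:
    """Extract the Tinyproxy version from a response header map, or None."""
    # Header names are case-insensitive in HTTP, so normalise before lookup.
    via = next((v for k, v in headers.items() if k.lower() == "via"), None)
    if via is None:
        return None
    match = VIA_VERSION.search(via)
    if match is None:
        return None
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)


def classify(version: Optional[Version]) -> str:
    """Map a version to a triage label.

    'vulnerable' - explicitly named in the advisory
    'newer'      - newer than the latest affected release; confirm the fix
                   in the release notes before trusting it
    'not-listed' - older release not named in the advisory; review manually
    'unknown'    - no version could be read (Via header absent or disabled)
    """
    if version is None:
        return "unknown"
    if version in AFFECTED_VERSIONS:
        return "vulnerable"
    if version > LATEST_KNOWN_AFFECTED:
        return "newer"
    return "not-listed"


def triage(inventory: List[Tuple[str, Dict[str, str]]]) -> Dict[str, List[str]]:
    """Group hosts by triage label; input is a list of (host, response headers)."""
    groups: Dict[str, List[str]] = {}
    for host, headers in inventory:
        label = classify(parse_tinyproxy_version(headers))
        groups.setdefault(label, []).append(host)
    return groups


# Constructed sample responses (placeholder hosts, not real observations).
SAMPLE_INVENTORY = [
    ("proxy-a.internal", {"Via": "1.1 tinyproxy (tinyproxy/1.11.1)"}),
    ("proxy-b.internal", {"via": "1.1 edge01 (tinyproxy/1.10.0)"}),
    ("proxy-c.internal", {"Via": "1.1 edge02 (tinyproxy/1.8.4)"}),
    ("proxy-d.internal", {"Server": "nginx"}),
]

if __name__ == "__main__":
    for label, hosts in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{label:11s} {', '.join(hosts)}")
```

The header maps would normally come from your own asset inventory or a response captured from a proxy you administer; the helper deliberately only reads headers and sends nothing. Hosts in the `unknown` bucket (for example, deployments that disable the `Via` header) still need to be checked by another route, such as the package version on the host itself.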
Cisco Talos initially reported the flaw on December 22, 2023, but Tinyproxy's maintainers were not aware due to outdated contact information. They were informed on May 5, 2024, by a Debian Tinyproxy package maintainer. The maintainers noted that if the issue had been reported directly via GitHub or IRC, it would have been resolved quickly.
Users are strongly advised to update to the latest version once it becomes available. Additionally, it is recommended that Tinyproxy not be exposed to the public internet, to minimize risk. Talos also published a proof-of-concept (PoC) to demonstrate how the flaw can be used to crash the service or execute malicious code.