Hacker Uncovers Critical Bug in Tinyproxy Putting 50,000 Systems at Risk

More than 52,000 Internet-exposed Tinyproxy hosts are vulnerable to CVE-2023-49606, a critical remote code execution (RCE) vulnerability recently discovered in the open source proxy server.

Tinyproxy is an open source HTTP and HTTPS proxy server built to be fast and lightweight. It targets UNIX-like systems and is widely used by small businesses, public Wi-Fi providers, and home users.


Cisco Talos researchers warn about the critical issue CVE-2023-49606 (CVSS score 9.8). This use-after-free vulnerability was discovered by the researchers back in December 2023 and affects Tinyproxy versions 1.11.1 (the latest) and 1.10.0.

The Cisco report contains detailed information about the vulnerability, including examples of exploits that crash the server and could potentially lead to remote code execution.

The researchers write that the problem lies in the remove_connection_headers() function, where certain HTTP headers (Connection and Proxy-Connection) are not handled correctly. As a result, the vulnerability can be triggered with a simple HTTP request that requires no authentication (for example, one carrying the header Connection: Connection).
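A defender-side check for the header pattern described above, added here as an example (it is not code from the article, from Cisco Talos or from the Tinyproxy project): it parses a raw HTTP/1.x request and reports any Connection or Proxy-Connection token that names one of those two headers itself, which is the shape of the `Connection: Connection` trigger the text mentions. The sample requests are constructed, and the function is meant for log or capture review, not for the proxy's own request path.

```python
import re
from typing import Dict, List

# Constructed sample requests (not taken from the article or the Cisco report):
# one with the self-referential Connection header the text describes, one benign.
SAMPLE_REQUESTS = {
    "self_referential": (
        "GET http://example.test/ HTTP/1.1\r\n"
        "Host: example.test\r\n"
        "Connection: Connection\r\n"
        "\r\n"
    ),
    "benign": (
        "GET http://example.test/ HTTP/1.1\r\n"
        "Host: example.test\r\n"
        "Connection: keep-alive\r\n"
        "Proxy-Connection: keep-alive\r\n"
        "\r\n"
    ),
}

# The two list-valued hop-by-hop headers named in the article. HTTP header
# names are case-insensitive, so everything is compared lower-cased.
CONNECTION_HEADERS = ("connection", "proxy-connection")


def parse_headers(raw_request: str) -> Dict[str, List[str]]:
    """Split a raw HTTP/1.x request into {lower-cased name: [values...]}."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    headers: Dict[str, List[str]] = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        if ":" not in line:
            continue  # malformed or folded line; ignored for this check
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def self_referential_connection_tokens(raw_request: str) -> List[str]:
    """Return "header: token" entries whose Connection/Proxy-Connection
    token names one of those two headers itself (empty list = no hit).

    The article gives "Connection: Connection" as an example trigger for
    CVE-2023-49606; this flags that pattern, including comma-separated
    lists and the Proxy-Connection variant, for alerting or log review.
    """
    hits: List[str] = []
    for name in CONNECTION_HEADERS:
        for value in parse_headers(raw_request).get(name, []):
            for token in re.split(r"\s*,\s*", value):
                if token.lower() in CONNECTION_HEADERS:
                    hits.append(f"{name}: {token}")
    return hits
```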

According to Censys, there are about 90,000 Tinyproxy hosts on the Internet, of which about 57% are vulnerable to CVE-2023-49606. Of these, 18,372 instances are running the vulnerable version 1.11.1, and another 1,390 instances are running version 1.10.0.


Most of them are located in the USA (11,946), South Korea (3,732), China (675), France (300) and Germany (150).

The Tinyproxy maintainers released a patch for CVE-2023-49606 only five days after Cisco publicly disclosed the bug. The fix corrects the memory management, preventing exploitation of the bug.

At the same time, the Tinyproxy maintainer asserts that he did not receive any information from Cisco prior to the public disclosure of the vulnerability. The maintainer speculates that the researchers simply “pulled a random email address from the git log and sent the email there.”

“This is a pretty nasty bug that could potentially lead to RCE, although I haven't seen a working exploit yet,” writes the Tinyproxy maintainer. “What the vulnerability does allow is to launch a DoS attack on the server if Tinyproxy either uses musl libc 1.2+ (whose enhanced memory allocator automatically detects UAF) or is built with an address sanitizer.”

The commit containing the fix (12a8484) is slated for the upcoming version 1.11.2. Those who urgently need a patch can therefore pull the changes from the master branch or apply the fix manually until Tinyproxy 1.11.2 is available to everyone.
