

Critical Flaw in Tinyproxy Exposes Over 50,000 Systems to Remote Code Execution

More than half of the 90,310 hosts found exposing a Tinyproxy service to the internet are running a version affected by a critical, still unpatched security vulnerability in the HTTP/HTTPS proxy tool.

The flaw, tracked as CVE-2023-49606, carries a CVSS score of 9.8 out of 10 according to Cisco Talos, which describes it as a use-after-free bug affecting versions 1.10.0 and 1.11.1, the latter being the most recent release.

“A specifically devised HTTP header can instigate the reuse of previously released memory, prompting memory distortion and potentially facilitating remote code execution,” Talos said in an advisory published last week.

In other words, an unauthenticated attacker could send a specially crafted HTTP Connection header to trigger memory corruption and, from there, remote code execution.

According to data from the attack surface management company Censys, of the 90,310 hosts exposing a Tinyproxy service to the public internet as of May 3, 2024, roughly 52,000 (about 57%) are running a vulnerable Tinyproxy version.

Most of the publicly accessible hosts are located in the United States (32,846), South Korea (18,358), China (7,808), France (5,208), and Germany (3,680).

Talos, which first reported the issue on December 22, 2023, has also released a proof-of-concept (PoC) for the vulnerability, showing how the problem with parsing HTTP Connection headers could be exploited to cause a crash and, in some cases, code execution.

The Tinyproxy maintainers, in a series of commits made over the weekend, have criticized Talos for sending the report to an apparently “antiquated email address,” noting that they were only informed by a Debian Tinyproxy package maintainer on May 5, 2024.

“Neither a GitHub issue was lodged nor did anyone mention a vulnerability in the referenced IRC chat,” rofl0r wrote in a commit. “Had the issue been reported on GitHub or IRC, the bug would have been rectified within a day.”

Users are strongly advised to update to the latest version as soon as it becomes available. It is also recommended not to expose the Tinyproxy service to the public internet.
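The two checks a defender would want from this article, version and exposure, as an added Python example that is not part of the article or the Tinyproxy project: it matches a Tinyproxy version string against the affected versions named above and audits a tinyproxy.conf for settings that leave the proxy internet-facing. The sample response and config are constructed, and the assumption that Tinyproxy reports its version in a `Server: tinyproxy/<version>` header on its own error responses is not from the article.

```python
import ipaddress
import re

# Versions the article lists as affected by CVE-2023-49606.
VULNERABLE_VERSIONS = {"1.10.0", "1.11.1"}

# Constructed sample inputs (not captured from a real host).
SAMPLE_RESPONSE = "HTTP/1.0 400 Bad Request\r\nServer: tinyproxy/1.11.1\r\n\r\n"
SAMPLE_CONF = """
Port 8888
Listen 0.0.0.0      # every interface, including the public one
Allow 0.0.0.0/0     # any client address
"""

def tinyproxy_version_from_response(raw):
    """Version from a 'Server: tinyproxy/<ver>' header, or None.
    Assumption (not from the article): Tinyproxy names its version this
    way on responses it generates itself, such as error pages."""
    m = re.search(r"^Server:\s*tinyproxy/(\d+\.\d+\.\d+)", raw, re.I | re.M)
    return m.group(1) if m else None

def is_vulnerable_version(version):
    return version in VULNERABLE_VERSIONS

def exposure_findings(conf_text):
    """Flag settings that leave Tinyproxy reachable from the internet.
    With no Allow directive Tinyproxy admits every client, and with no
    Listen directive it binds every interface, so both cases are flagged."""
    findings, allows, listens = [], [], set()
    for line in conf_text.splitlines():
        # Drop trailing comments, then split "Directive value".
        key, _, value = line.split("#", 1)[0].strip().partition(" ")
        if key.lower() == "allow":
            allows.append(value.strip())
        elif key.lower() == "listen":
            listens.add(value.strip())
    if not allows:
        findings.append("no Allow directive: every client address is permitted")
    for a in allows:
        try:
            net = ipaddress.ip_network(a, strict=False)
        except ValueError:
            continue                      # hostnames are not checked here
        if net.prefixlen == 0 or not net.is_private:
            findings.append(f"Allow {a} permits public clients")
    if not listens or listens & {"0.0.0.0", "::"}:
        findings.append("Listen missing or wildcard: binds every interface")
    return findings
```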
