Critical Tinyproxy Flaw Opens Over 50,000 Hosts to Remote Code Execution

Over 52,000 out of 90,310 hosts with Tinyproxy services are vulnerable to a severe security flaw CVE-2023-49606, which exposes them to potential remote code execution. This vulnerability, with a CVSS score of 9.8 out of 10, affects Tinyproxy versions 1.10.0 and 1.11.1. The vulnerability arises from a use-after-free bug triggered by a specially crafted HTTP Connection header. This header manipulation can lead to memory corruption, potentially exploited by an unauthenticated attacker.

Cisco Talos, which identified the flaw, released an advisory describing the issue's technical details, including how an attacker could exploit it with an unauthenticated HTTP request. Talos also provided a proof-of-concept demonstrating how the flaw could be weaponized to trigger a crash or execute malicious code.

Security Officer Comments:
Data from attack surface management company Censys reveals that approximately 57% of the exposed Tinyproxy hosts are running vulnerable versions. These hosts are distributed across various countries, with significant numbers in the United States, South Korea, China, France, and Germany.

Despite the severity of the flaw, communication challenges delayed its resolution. Talos reported the issue in December 2023, but the Tinyproxy maintainers were only informed about it in May 2024 due to communication issues, including an outdated email address. The maintainers mentioned that if the issue had been reported through GitHub or IRC channels, they would have addressed it promptly.

Suggested Corrections:
To mitigate the risk, users are strongly advised to update Tinyproxy to the latest patched version and ensure that the service is not exposed to the public internet, reducing the potential attack surface.