CVE-2023-49606: Critical Tinyproxy Flaw Affects Over 50K Servers
Over 50% of the 90,310 servers utilizing the Tinyproxy proxy tool are vulnerable due to a critical flaw, designated CVE-2023-49606, which has been rated 9.8 out of a possible 10 on the CVSS scale. This error is classified as a “Use-After-Free” vulnerability in versions 1.10.0 and 1.11.1 of Tinyproxy.
According to a report by Cisco Talos, sending a specially crafted HTTP header can lead to the reuse of already freed memory, causing it to be corrupted, which in turn could lead to the execution of remote code.
Data from the company Censys shows that about 57% or 52,000 of the 90,310 servers with open access to Tinyproxy as of May 3, 2024, were running on a vulnerable version of the tool. The majority of these servers are located in the USA (32,846), South Korea (18,358), China (7,808), France (5,208), and Germany (3,680).
Cisco Talos informed the Tinyproxy developers about the vulnerability on December 22, 2023, and provided a PoC exploit demonstrating how this issue could be exploited to cause crashes and, in some cases, execute arbitrary code.
Nevertheless, one of the lead Tinyproxy developers, known as “rofl0r,” stated that Talos had sent the problem report to an outdated email address. As a result, the development team only became aware of the issue yesterday, May 5th, after it was reported by a developer maintaining the Tinyproxy package version for Debian.
In other words, the problem remained unresolved, and servers were vulnerable to attacks for nearly half a year. Moreover, rofl0r claimed that if the issue had been registered through GitHub or IRC, it could have been resolved within a day.
This situation has created an unusual precedent, which may cause Talos specialists to reconsider some inefficiencies in their chosen methods of communicating with software developers.
In the meantime, Tinyproxy developers advise users to update the tool version as soon as possible and recommend not leaving the service open to public internet access.
Proper, complete, and timely vulnerability disclosure is of utmost importance for ensuring cybersecurity and protecting users from potential threats.
The Tinyproxy vulnerability incident underscores the need for improved processes for information exchange between cybersecurity researchers and software developers to prevent similar situations in the future.