More than half of Tinyproxy service hosts are running a flawed version which hackers could use in remote code execution attacks, a new report from researchers from Cisco Talos has claimed.
Tinyproxy is a lightweight HTTP/HTTPS proxy server commonly used to improve internet access speed by caching frequently accessed web pages, filtering out unwanted content, and providing anonymity.
The tool is often used in home networks, small businesses, or on personal servers.
Thousands of vulnerable endpoints
In its findings, Cisco Talos said Tinyproxy version 1.10.0 and 1.11.1 were vulnerable to CVE-2023-49606, a use-after-free bug with a severity score of 9.8.
“A specially crafted HTTP header can trigger reuse of previously freed memory, which leads to memory corruption and could lead to remote code execution,” the researchers explained in their report. “An attacker needs to make an unauthenticated HTTP request to trigger this vulnerability.”
Citing data from attack surface management expert Censys, TheHackerNews reported that of the 90,310 hosts exposing a Tinyproxy service to the public internet, 57% – 52,000 – were running a vulnerable version of the tool. Most are located in the U.S. (32,846), followed by South Korea (18,358), China (7,808), France (5,208), and Germany (3,608).
In the days immediately following Talos’ report, Tinyproxy maintainers made a few commits, criticizing the researchers from trying to reach out via an “outdated email address”. They added that a Debian Tinyproxy package maintainer tipped them off on Sunday.
“No GitHub issue was filed, and nobody mentioned a vulnerability on the mentioned IRC chat,” rofl0r said in a commit. “If the issue had been reported on Github or IRC, the bug would have been fixed within a day.”
Users are advised to apply the patch, as soon as it becomes available.