More than 50% of the 90,310 hosts have been found exposing a Tinyproxy service on the internet that’s vulnerable to a critical unpatched security flaw in the HTTP/HTTPS proxy tool.
The issue, tracked as CVE-2023-49606, carries a CVSS score of 9.8 out of a maximum of 10, per Cisco Talos, which described it as a use-after-free bug impacting versions 1.10.0 and 1.11.1, which is the latest version.
“A specially crafted HTTP header can trigger reuse of previously freed memory, which leads to memory corruption and could lead to remote code execution,” Talos said in an advisory last week. “An attacker needs to make an unauthenticated HTTP request to trigger this vulnerability.”
In other words, an unauthenticated threat actor could send a specially crafted HTTP Connection header to trigger memory corruption that can result in remote code execution.
According to data shared by attack surface management company Censys, of the 90,310 hosts exposing a Tinyproxy service to the public internet as of May 3, 2024, 52,000 (~57%) of them are running a vulnerable version of Tinyproxy.
A majority of the publicly-accessible hosts are located in the U.S. (32,846), South Korea (18,358), China (7,808), France (5,208), and Germany (3,680).
Talos, which reported the issue to December 22, 2023, has also released a proof-of-concept (PoC) for the flaw, describing how the issue with parsing HTTP Connection connections could be weaponized to trigger a crash and, in some cases, code execution.
The maintainers of Tinyproxy, in a set of commits made over the weekend, called out Talos for sending the report to a likely “outdated email address,” adding they were made aware by a Debian Tinyproxy package maintainer on May 5, 2024.
“No GitHub issue was filed, and nobody mentioned a vulnerability on the mentioned IRC chat,” rofl0r said in a commit. “If the issue had been reported on Github or IRC, the bug would have been fixed within a day.”
Users are advised to update to the latest version as and when they become available. It’s also recommended that the Tinyproxy service is not exposed to the public internet.