{"id":162866,"date":"2024-05-08T09:19:52","date_gmt":"2024-05-08T09:19:52","guid":{"rendered":"https:\/\/securityaffairs.com\/?p=162866"},"modified":"2024-05-08T09:39:37","modified_gmt":"2024-05-08T09:39:37","slug":"tinyproxy-rce","status":"publish","type":"post","link":"https:\/\/securityaffairs.com\/162866\/hacking\/tinyproxy-rce.html","title":{"rendered":"Most Tinyproxy Instances are potentially vulnerable to flaw CVE-2023-49606"},"content":{"rendered":"

A critical remote code execution vulnerability in the Tinyproxy service potentially impacts 50,000 internet-exposed hosts.

Researchers from Cisco Talos reported a use-after-free vulnerability in the HTTP Connection header parsing of Tinyproxy 1.11.1 and Tinyproxy 1.10.0. The issue is tracked as CVE-2023-49606 and received a CVSS score of 9.8. Exploitation of the issue can potentially lead to remote code execution.

“A specially crafted HTTP header can trigger reuse of previously freed memory, which leads to memory corruption and could lead to remote code execution. An attacker needs to make an unauthenticated HTTP request to trigger this vulnerability,” reads the advisory.

Tinyproxy is an open-source HTTP proxy daemon designed for simplicity and efficiency.

Over 90,000 hosts expose a Tinyproxy service on the internet, and a large share of them are potentially affected by the vulnerability. Talos researchers published proof-of-concept exploit code for this vulnerability.

“As of May 3, 2024, Censys observed over 90,000 hosts exposing a Tinyproxy service, ~57% of which are potentially vulnerable to this exploit,” reads the report.

Most of the exposed hosts are in the United States, followed by South Korea and China.

Country         Host Count   Percentage
United States   32846        36.37%
South Korea     18358        20.33%
China           7808         8.65%
France          5208         5.77%
Germany         3680         4.07%

The project's maintainers temporarily addressed the issue with the release of version 1.11.1; the Tinyproxy 1.11.2 release will definitively fix it.