TLDR:
- Over 50,000 hosts are vulnerable to remote code execution due to a critical flaw in Tinyproxy.
- The flaw, tracked as CVE-2023-49606, affects versions 1.10.0 and 1.11.1.
In a recent advisory, Cisco Talos warned that more than half of the 90,310 hosts exposing a Tinyproxy service on the internet are susceptible to a critical unpatched security flaw. The vulnerability, tracked as CVE-2023-49606, carries a CVSS score of 9.8 and affects Tinyproxy versions 1.10.0 and 1.11.1. It is a use-after-free bug that can be triggered by a specially crafted HTTP header and could lead to remote code execution. As of May 3, 2024, data from Censys shows that 57% of these exposed hosts are running a vulnerable version of Tinyproxy.
The flaw lies in the parsing of HTTP Connection headers and could allow an unauthenticated attacker to crash the service or execute malicious code. Although Talos reported the flaw in December 2023, the Tinyproxy maintainers were only made aware of it in May 2024. They have since released updates, and users are advised to install them promptly. Additionally, it is recommended that the Tinyproxy service not be exposed to the public internet, to minimize the risk of exploitation.
Overall, this critical Tinyproxy flaw highlights the importance of prompt vulnerability disclosure and patching to mitigate the risk of remote code execution on vulnerable hosts.