
Critical Bug Exposes Over 50,000 Tinyproxy Servers to Denial of Service and Remote Code Execution


Tinyproxy, an open source HTTP proxy commonly deployed in small networks, has been found vulnerable to denial of service (DoS) and potentially remote code execution (RCE) through a flaw that a single crafted HTTP request can trigger. The flaw, tracked as CVE-2023-49606, affects Tinyproxy versions 1.11.1 and 1.10.0 and carries a critical CVSS score of 9.8 out of 10.

According to an advisory from internet-scanning firm Censys, the bug is a use-after-free: a specially crafted HTTP Connection header is enough to trigger memory corruption and crash the proxy, and a more involved attack on the same flaw could lead to RCE. Tinyproxy is a lightweight HTTP/HTTPS proxy for Unix-like systems, used by small businesses, public Wi-Fi providers and home users, and by enterprises for testing and development.

Although it targets small networks, a compromised proxy sits in the path of every client behind it, so the consequences range from service disruption to exposure of proxied traffic. No in-the-wild exploitation has been reported so far, but Censys found over 90,000 hosts exposing a Tinyproxy service on the internet as of May 3, more than 57% of them running a potentially vulnerable version.

The largest concentration of exposed servers was in AMAZON-02, an Amazon Web Services network, which the report reads as a sign that many of these instances are run by individual users. Cisco Talos published a proof-of-concept on May 1 showing how a simple HTTP request triggers the flaw. The Tinyproxy maintainer disputed some details of the report, calling them “useless”, and released an update intended to fix the vulnerability.

The flaw sits in the code that removes specific headers from incoming requests, code that had not been updated since 2002. It can be used for DoS and, depending on the memory allocator in use on the server, could potentially be turned into RCE. Mitigation consists of applying the update from the Tinyproxy project and making sure the service is not reachable from the public internet, particularly for development or testing deployments.
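The header-removal step described above is easy to get wrong: the proxy looks up the Connection header, splits its value into header names, and removes each named header from its header table. If the request names the Connection header itself (for example `Connection: Connection`), the removal frees the very buffer the loop is still walking. The following C program, added here as an illustration and not Tinyproxy's own code, reconstructs that pattern on a toy header map (the `header_map` type, `map_*` helpers and request headers are assumptions made for the example) and places the hardened form beside it.

```c
/* Added example, not Tinyproxy's code: a toy header map plus a vulnerable and
 * a hardened version of "remove the headers named in the Connection header". */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

#define MAX_HEADERS 16

struct header { char *name; char *value; };
struct header_map { struct header h[MAX_HEADERS]; int n; };

static void map_add(struct header_map *m, const char *name, const char *value)
{
    if (m->n >= MAX_HEADERS) return;
    m->h[m->n].name = strdup(name);
    m->h[m->n].value = strdup(value);
    m->n++;
}

/* Returns the stored value buffer itself, not a copy (as a hash map would). */
static char *map_find(struct header_map *m, const char *name)
{
    for (int i = 0; i < m->n; i++)
        if (strcasecmp(m->h[i].name, name) == 0)
            return m->h[i].value;
    return NULL;
}

/* Frees name and value; any pointer from map_find for that header dangles. */
static int map_remove(struct header_map *m, const char *name)
{
    for (int i = 0; i < m->n; i++) {
        if (strcasecmp(m->h[i].name, name) == 0) {
            free(m->h[i].name);
            free(m->h[i].value);
            m->h[i] = m->h[--m->n];
            return 1;
        }
    }
    return 0;
}

static void map_free(struct header_map *m)
{
    while (m->n > 0) map_remove(m, m->h[0].name);
}

/* Vulnerable pattern: tokenize the Connection value in place and keep walking
 * it while removing headers. With "Connection: Connection" the first
 * map_remove frees `data`, and the following strlen(ptr) reads freed memory
 * (AddressSanitizer reports heap-use-after-free). Not exercised by the test. */
static void remove_connection_headers_vuln(struct header_map *m)
{
    char *data = map_find(m, "Connection");
    if (!data) return;
    size_t len = strlen(data);
    char *ptr = data;
    while ((ptr = strpbrk(ptr, ",; \t")))
        *ptr++ = '\0';
    ptr = data;
    while (ptr < data + len) {
        map_remove(m, ptr);          /* may free `data` itself */
        ptr += strlen(ptr) + 1;      /* use-after-free when it did */
        while (ptr < data + len && *ptr == '\0') ptr++;
    }
}

/* Hardened pattern: iterate over a private copy, so removing the Connection
 * header cannot free the buffer being walked. Returns the removal count. */
static int remove_connection_headers_safe(struct header_map *m)
{
    char *found = map_find(m, "Connection");
    if (!found) return 0;
    char *copy = strdup(found);
    int removed = 0;
    for (char *tok = strtok(copy, ",; \t"); tok; tok = strtok(NULL, ",; \t"))
        removed += map_remove(m, tok);
    free(copy);
    return removed;
}

/* Constructed request headers in the trigger shape; returns 1 when the
 * hardened version removes both named headers and leaves the rest intact. */
static int demo_self_referencing_connection(void)
{
    struct header_map m = {{{0}}, 0};
    map_add(&m, "Host", "proxy.example.invalid");
    map_add(&m, "Keep-Alive", "timeout=5");
    map_add(&m, "Connection", "Connection, Keep-Alive");
    int removed = remove_connection_headers_safe(&m);
    int ok = removed == 2 && m.n == 1 && map_find(&m, "Host") != NULL
             && map_find(&m, "Connection") == NULL;
    map_free(&m);
    return ok;
}

int main(void)
{
    struct header_map benign = {{{0}}, 0};
    map_add(&benign, "Connection", "Keep-Alive");   /* no self-reference: safe */
    remove_connection_headers_vuln(&benign);
    map_free(&benign);
    printf("hardened handling ok: %d\n", demo_self_referencing_connection());
    return 0;
}
```

Compiling with `-fsanitize=address` and changing the value in `main` to `"Connection"` makes the vulnerable walk fault on the freed buffer; the hardened version is unaffected because it never dereferences the map's own storage after calling `map_remove`.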

The Tinyproxy bug is a reminder that even small, long-stable components need prompt patching once a flaw is public. Administrators running Tinyproxy should update to the fixed release and keep the proxy off the public internet to reduce the risk of being targeted.
