
Critical bug may expose over 50,000 Tinyproxy servers to denial of service attacks and remote code execution


An open-source proxy server, Tinyproxy, which is predominantly used in small networks, has been found to have a critical flaw that could potentially lead to denial-of-service (DoS) attacks and remote code execution (RCE). The flaw, known as CVE-2023-49606, affects Tinyproxy versions 1.11.1 and 1.10.0, allowing attackers to exploit a use-after-free vulnerability by sending a specially crafted HTTP Connection header. This flaw has been rated 9.8 out of 10 on the CVSS vulnerability-severity scale.

Despite being designed for small networks, Tinyproxy is used by a wide range of users including small businesses, public Wi-Fi providers, home users, and even enterprises for testing and development purposes. The potential consequences of compromising a proxy server are severe, ranging from data breaches to service disruptions.

While there haven’t been any reported instances of active exploitation of the flaw yet, a significant number of Tinyproxy instances, estimated at over 90,000 hosts, are currently exposed to the vulnerability. The largest concentration of these vulnerable servers is found in AMAZON-02 (Amazon Web Services), indicating that individual users are at a higher risk.

In response to the flaw, Cisco Talos published a proof-of-concept exploit on May 1, showcasing how a simple HTTP request could trigger CVE-2023-49606. However, the maintainer of Tinyproxy, known as “rofl0r,” criticized Talos’ description of the flaw, calling it “useless details.” Instead, rofl0r provided an update to fix the vulnerability and highlighted the severity of the flaw.

The flaw in Tinyproxy stems from outdated code written in 2002, which fails to properly handle the removal of certain headers in HTTP requests, leading to memory corruption. This flaw could enable DoS attacks and potentially allow for RCE, posing a significant threat to vulnerable servers.

To mitigate the risk posed by CVE-2023-49606, administrators are advised to update Tinyproxy with the fix provided by the maintainer. Additionally, implementing basic authentication with secure passwords and restricting access to the proxy server within trusted networks can enhance security and prevent exploitation by external attackers.
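As an added example (not from the article or the Tinyproxy project), the POSIX shell audit below checks a tinyproxy.conf for the hardening points just listed: a Listen address, an Allow list that actually restricts clients, and BasicAuth. It runs against two constructed sample configurations; the directive names are Tinyproxy's own, while the address range and credentials are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the article or the Tinyproxy project: audit a
# tinyproxy.conf for the hardening the article recommends. Port, Listen,
# Allow and BasicAuth are real Tinyproxy directives; the sample configs are
# constructed, and 192.168.0.0/16 is an assumed trusted range.

# Deliberately weak configuration: all interfaces, any client, no auth.
weak_conf_text() {
    cat <<'EOF'
Port 8888
Timeout 600
# No Allow line: Tinyproxy accepts every client when no Allow/Deny rules exist.
EOF
}

# Hardened configuration: one address, trusted range only, authenticated.
hardened_conf_text() {
    cat <<'EOF'
Port 8888
Listen 192.168.1.10
Allow 192.168.0.0/16
BasicAuth proxyuser CHANGE-THIS-PASSWORD
EOF
}

# audit_tinyproxy_conf FILE: print one finding per line; exit 0 only if none.
audit_tinyproxy_conf() {
    body=$(sed -e 's/#.*$//' "$1")          # drop comments before matching
    findings=0
    conf_has() { printf '%s\n' "$body" | grep -Eq "$1"; }
    if ! conf_has '^[[:space:]]*Listen[[:space:]]'; then
        echo "no Listen: proxy binds every interface"; findings=$((findings + 1))
    fi
    if ! conf_has '^[[:space:]]*Allow[[:space:]]'; then
        echo "no Allow: proxy accepts clients from any address"; findings=$((findings + 1))
    elif conf_has '^[[:space:]]*Allow[[:space:]]+0\.0\.0\.0/0'; then
        echo "Allow 0.0.0.0/0: allow-list restricts nothing"; findings=$((findings + 1))
    fi
    if ! conf_has '^[[:space:]]*BasicAuth[[:space:]]'; then
        echo "no BasicAuth: proxy is unauthenticated"; findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Demo: audit both sample configurations.
for gen in weak_conf_text hardened_conf_text; do
    f=$(mktemp); "$gen" > "$f"
    echo "== $gen"
    audit_tinyproxy_conf "$f" && echo "no findings"
    rm -f "$f"
done
```

The audit only covers the three settings the article names; it does not replace applying the maintainer's fix, which is the actual remediation for CVE-2023-49606.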

In conclusion, the discovery of this critical flaw in Tinyproxy underscores the importance of timely updates and robust security measures to protect against potential cyber threats. By addressing vulnerabilities promptly and following best practices for server security, users can safeguard their networks and prevent unauthorized access to sensitive data.
