Over 50,000 Tinyproxy servers vulnerable to critical RCE flaw

Nearly 52,000 internet-exposed Tinyproxy instances are vulnerable to CVE-2023-49606, a recently disclosed critical remote code execution (RCE) flaw.

Tinyproxy is an open-source HTTP and HTTPS proxy server designed to be fast, small, and lightweight. It is tailored for UNIX-like operating systems and is commonly used by small businesses, public WiFi providers, and home users.

Earlier this month, Cisco Talos disclosed CVE-2023-49606, a critical (CVSS v3: 9.8) use-after-free flaw the researchers discovered in December 2023, affecting versions 1.11.1 (the latest release) and 1.10.0, after claiming to have received no response from the developers.

Cisco's report shared detailed information about the vulnerability, including proof-of-concept exploits that crash the server and could potentially lead to remote code execution.

Talos researchers explained in the report that the flaw occurs in the 'remove_connection_headers()' function, where specific HTTP headers (Connection and Proxy-Connection) are not handled correctly, leading to memory being freed and then incorrectly accessed again.

According to Talos, this could be easily exploited with a simple malformed HTTP request (e.g., Connection: Connection) without requiring authentication.
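To make the bug class concrete, the following is an added C example written for this page; it is not Tinyproxy's code and not the project's patch. It models a small header table whose `table_get()` hands out a pointer into the table (the assumption that makes an in-place walk dangerous), a vulnerable removal routine that tokenizes the live Connection value while deleting the entries it names, and a hardened variant that tokenizes a private copy instead. All type, function and header names other than Connection and Proxy-Connection are constructed for the example, and the hardened form is one safe approach, not a claim about what commit 12a8484 does.

```c
/* Added example modelling the CVE-2023-49606 bug class. Constructed for this
 * page: not Tinyproxy's code and not its patch. Build: cc -fsanitize=address */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

struct header { char *name; char *value; };
struct header_table { struct header h[16]; int count; };   /* 16: fixed toy capacity */
static const char *const hop_headers[] = { "Connection", "Proxy-Connection" };

static void table_add(struct header_table *t, const char *name, const char *value)
{
    if (t->count >= 16) return;
    t->h[t->count].name = strdup(name);
    t->h[t->count++].value = strdup(value);
}

/* Hands out the stored buffer itself, as a hashmap "get" would. */
static char *table_get(struct header_table *t, const char *name)
{
    for (int i = 0; i < t->count; i++)
        if (strcasecmp(t->h[i].name, name) == 0) return t->h[i].value;
    return NULL;
}

/* Frees the matching entry's name and value. Returns 1 if an entry was removed. */
static int table_remove(struct header_table *t, const char *name)
{
    for (int i = 0; i < t->count; i++) {
        if (strcasecmp(t->h[i].name, name) != 0) continue;
        free(t->h[i].name);
        free(t->h[i].value);
        t->h[i] = t->h[--t->count];   /* order does not matter; swap in the last entry */
        return 1;
    }
    return 0;
}

static void table_free(struct header_table *t)
{
    for (int i = 0; i < t->count; i++) { free(t->h[i].name); free(t->h[i].value); }
    t->count = 0;
}

/* VULNERABLE pattern: walks the table-owned value while deleting the entries it
 * names. With "Connection: Connection" the token names the header being walked,
 * so table_remove() frees `data` mid-walk and the next strtok_r() reads freed memory. */
static void remove_connection_headers_vulnerable(struct header_table *t)
{
    for (size_t i = 0; i < 2; i++) {
        char *data = table_get(t, hop_headers[i]), *save, *tok;
        if (!data) continue;
        for (tok = strtok_r(data, ", \t", &save); tok; tok = strtok_r(NULL, ", \t", &save))
            table_remove(t, tok);              /* may free `data` itself */
        table_remove(t, hop_headers[i]);
    }
}

/* Hardened form (one safe approach, assumed here rather than taken from the project's
 * fix): tokenize a private copy. Returns entries removed, or -1 if strdup() fails. */
static int remove_connection_headers_hardened(struct header_table *t)
{
    int removed = 0;
    for (size_t i = 0; i < 2; i++) {
        char *data = table_get(t, hop_headers[i]), *copy, *save, *tok;
        if (!data) continue;
        if (!(copy = strdup(data))) return -1;
        for (tok = strtok_r(copy, ", \t", &save); tok; tok = strtok_r(NULL, ", \t", &save))
            removed += table_remove(t, tok);   /* may free the table's buffer, never ours */
        free(copy);
        removed += table_remove(t, hop_headers[i]);
    }
    return removed;
}

/* Constructed request (Host, Connection, X-Debug): run the chosen routine and return how
 * many headers remain. hardened=0 with a value naming "Connection" is the UAF. */
static int headers_left_after_removal(const char *connection_value, int hardened)
{
    struct header_table t = { .count = 0 };
    table_add(&t, "Host", "example.com");
    table_add(&t, "Connection", connection_value);
    table_add(&t, "X-Debug", "1");
    if (hardened) remove_connection_headers_hardened(&t);
    else remove_connection_headers_vulnerable(&t);
    int left = t.count;
    table_free(&t);
    return left;
}

int main(void)
{
    printf("hardened: %d header(s) left after 'Connection: Connection'\n",
           headers_left_after_removal("Connection", 1));
    return 0;
}
```

Calling the vulnerable variant with a value that names its own header, for example `headers_left_after_removal("Connection", 0)`, may appear to work without a sanitizer because the freed bytes are often still intact; built with `-fsanitize=address` it reports a heap-use-after-free on the `strtok_r()` call that follows the removal. That is the same detection the maintainers describe below for musl 1.2+ and ASan builds, where the bug shows up as a crash. The hardened variant removes the self-named header and finishes the walk on its own copy, so the same input just leaves Host and X-Debug behind.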

Cisco warned at the time that despite its efforts to alert Tinyproxy's developers to the critical flaw, it received no response, and no patch was available for users to download.

On Saturday, Censys reported seeing 90,000 internet-exposed Tinyproxy services online, of which about 57% were vulnerable to CVE-2023-49606.

Specifically, Censys found 18,372 instances running the vulnerable version 1.11.1 and another 1,390 running 1.10.0.

Most of these instances are located in the United States (11,946), followed by South Korea (3,732), China (675), France (300), and Germany (150).

Location of vulnerable hosts
Source: Censys

Flaw fixed

On Sunday, five days after Cisco disclosed the bug, the maintainers of Tinyproxy released a fix for CVE-2023-49606, which adjusts memory management as needed to prevent exploitation.

However, the Tinyproxy maintainer disputed that Cisco properly disclosed the bug, stating they never received the report through the project's requested disclosure channels.

"A security researcher from TALOS intelligence found a use-after-free vulnerability in tinyproxy in December 2023, claiming to have contacted upstream and waited 6 months for publication," noted the developers on GitHub.

"Whatever he did to contact upstream, it wasn't effective and not what was described on either the tinyproxy homepage or in README.md."

"He certainly didn't try hard to find a responsive contact, and probably pulled a random email address out of git log and sent a mail there. The vulnerability was made public on May 01 2024, and it took a full 5 days until I was notified on IRC by a distro package maintainer."

The commit (12a8484) containing the security fix is in the upcoming version 1.11.2, but those in urgent need can pull the change from the master branch or manually apply the highlighted fix.

"This is a quite nasty bug, and could potentially lead to RCE – though I haven't seen a working exploit yet," continued the Tinyproxy maintainers.

“What it certainly allows is a DOS attack on the server if tinyproxy is either using musl libc 1.2+ – whose hardened memory allocator automatically detects UAF, or built with an address sanitizer.”

The developers also noted that the affected code only triggers after passing authentication and access list checks, meaning the vulnerability may not affect all setups, particularly those inside controlled environments like corporate networks or those using basic authentication with secure passwords.
