Nearly 52,000 instances of Tinyproxy, a popular open-source HTTP and HTTPS proxy server, are currently exposed to a severe security threat identified as CVE-2023-49606. This critical remote code execution (RCE) vulnerability affects primarily Tinyproxy services that are widely used by small businesses, public WiFi providers, and individual users who favor its efficiency and minimal resource usage on UNIX-like systems. As of May 2024, security analytics firm Censys has detected approximately 90,000 Tinyproxy instances actively running online. Alarmingly, about 57% of these instances, which translates to nearly 52,000 services, are vulnerable to this specific flaw.
The vulnerability stems from a critical use-after-free error discovered by Cisco Talos in December 2023, impacting the versions 1.11.1 (the latest) and 1.10.0 of Tinyproxy. The flaw was disclosed in May 2024 following what appears to have been inadequate communication between the researchers and the Tinyproxy developers. Talos’s findings revealed that the vulnerability occurs within the remove_connection_headers() function, where certain HTTP headers such as ‘Connection’ and ‘Proxy-Connection’ are not managed correctly. This mismanagement leads to scenarios where memory, once freed, is accessed again, thereby paving the way for potential exploitation. This vulnerability can be triggered by a simple malformed HTTP request without requiring any authentication, making it exceptionally dangerous as it could allow attackers to remotely execute code on the affected server.
Despite the severity of the flaw, there was a notable delay in communication and response. Cisco Talos attempted to alert the Tinyproxy developers about the vulnerability by sending details of their findings, including a proof of concept that demonstrated how the server could be crashed and potentially allow for remote code execution. However, the communication reportedly reached an outdated email address. The Tinyproxy maintainers later critiqued this approach, arguing that if the issue had been reported directly on GitHub or IRC, it would have been resolved within a day. They expressed frustration over the method of disclosure, suggesting that the channels used were not in accordance with those recommended on the Tinyproxy homepage or its README documentation.
Resolution came shortly after the vulnerability was made public, with the Tinyproxy maintainers releasing a security patch in the upcoming version 1.11.2. This patch adjusts how memory is managed to prevent exploitation. They advised users who needed an immediate fix to pull the latest master branch from Git or apply the patch manually to version 1.11.1. This proactive measure aims to shore up defenses, particularly in controlled environments such as corporate networks or setups that use basic authentication with secure passwords, where the vulnerability’s impact might be mitigated.
This incident highlights the critical need for effective communication channels between cybersecurity researchers and open-source software maintainers, as well as the importance of rapid response to security vulnerabilities in maintaining the integrity and security of internet-exposed services.