Analysis Summary

It has been discovered that over half of the 90,310 hosts are using a Tinyproxy service that is online and susceptible to a serious security vulnerability in the HTTP/HTTPS proxy utility that is not yet patched.

The security flaw, identified as CVE-2023-49606, has a CVSS score of 9.8 out of 10, according to Cisco Talos. The company stated that the vulnerability affects versions 1.10.0 and 1.11.1, which is the most recent version. Memory corruption and remote code execution can result from the reuse of previously released memory, which can be caused by a specially constructed HTTP header. This vulnerability must be activated by an attacker using an unauthenticated HTTP request.

In other words, memory corruption that might lead to remote code execution could be caused by an unauthenticated threat actor sending a specially constructed HTTP Connection header. 52,000 (or roughly 57%) of the 90,310 hosts that were exposing a Tinyproxy service to the public internet as of May 3, 2024, were running a vulnerable version of Tinyproxy. Most of the hosts that are available to the public are in the United States (32,846), South Korea (18,358), China (7,808), France (5,208), and Germany (3,680).

The proof-of-concept (PoC) for the vulnerability, which illustrates how the problem with processing HTTP Connection connections may be weaponized to cause a crash and, in some situations, code execution, was also made public by Talos. In a series of revisions over the weekend, the Tinyproxy package maintainers criticized Talos for sending the report to what they believed to be an out-of-date email address. They also noted that they were informed of this on May 5, 2024, by a Debian Tinyproxy package maintainer.

According to the developer, no GitHub issue was reported and no one brought up a vulnerability in the IRC chat, further claiming that the bug would have been resolved in a day if it had been posted on GitHub or IRC. It is recommended that users update to the most recent version as soon as it is made available. Additionally, it is advised that the Tinyproxy service be kept off of the public internet.

Impact

• Code Execution
• Unauthorized Access

Indicators of Compromise

CVE

• CVE-2023-49606

Affected Vendors

Remediation

• Refer to the Tinyproxy GitHub Page for patch, upgrade, or suggested workaround information.
• Implement multi-factor authentication to add an extra layer of security to login processes.
• Regularly monitor network activity for any unusual behavior, as this may indicate that a cyberattack is underway.
• Organizations need to stay vigilant and follow best practices for cybersecurity to protect their systems and data from potential threats. This includes regularly updating software and implementing strong access controls and monitoring tools.
• Develop a comprehensive incident response plan to respond effectively in case of a security breach or data leakage.
• Maintain regular backups of critical data and systems to ensure data recovery in case of a security incident.
• Adhere to security best practices, including the principle of least privilege, and ensure that users and applications have only the necessary permissions.
• Establish a robust patch management process to ensure that security patches are evaluated, tested, and applied promptly.
• Conduct security audits and assessments to evaluate the overall security posture of your systems and networks.
• Implement network segmentation to contain and isolate potential threats to limit their impact on critical systems.