Security flaw in popular proxy service leaves 50,000 hosts vulnerable

Flaw in Tinyproxy service could allow for remote code execution

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

More than half of Tinyproxy service hosts are running a flawed version which hackers could use in remote code execution attacks, a new report from researchers from Cisco Talos has claimed.

Tinyproxy is a lightweight HTTP/HTTPSproxy servercommonly used to improve internet access speed by caching frequently accessed web pages, filtering out unwanted content, and providing anonymity.

The tool is often used in home networks, small businesses, or on personal servers.

Thousands of vulnerable endpoints

In its findings, Cisco Talos said Tinyproxy version 1.10.0 and 1.11.1 were vulnerable to CVE-2023-49606, a use-after-free bug with a severity score of 9.8.

“A specially crafted HTTP header can trigger reuse of previously freed memory, which leads to memory corruption and could lead to remote code execution,” the researchers explained in theirreport. “An attacker needs to make an unauthenticated HTTP request to trigger this vulnerability.”

Citing data from attack surface management expert Censys,TheHackerNewsreported that of the 90,310 hosts exposing a Tinyproxy service to the public internet, 57% - 52,000 - were running a vulnerable version of the tool. Most are located in the U.S. (32,846), followed by South Korea (18,358), China (7,808), France (5,208), and Germany (3,608).

In the days immediately following Talos’ report, Tinyproxy maintainers made a few commits, criticizing the researchers from trying to reach out via an “outdated email address”. They added that a Debian Tinyproxy package maintainer tipped them off on Sunday.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

“No GitHub issue was filed, and nobody mentioned a vulnerability on the mentioned IRC chat,” rofl0r said in a commit. “If the issue had been reported on Github or IRC, the bug would have been fixed within a day.”

Users are advised to apply the patch, as soon as it becomes available.

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

This new phishing strategy utilizes GitHub comments to distribute malware

Should your VPN always be on?

Anker Nebula Mars 3 review: A powerful and truly portable projector