Executive Summary:
On May 1, 2024, Cisco Talos published a Proof of Concept (PoC) for CVE-2023-49606, a use-after-free vulnerability in Tinyproxy versions 1.11.1 and 1.10.0, the former of which is the latest software release. A use-after-free vulnerability is a software bug that can be triggered if a chunk of memory is allocated, de-allocated, and subsequently referenced or used elsewhere.
Affected Products: Tinyproxy is an open-source HTTP/S proxy for UNIX-like operating systems. It’s lightweight and designed for use in small networks: think individual users and small businesses who want basic proxy functionality. However, enterprise organizations who use this in a testing or development capacity should ensure they’re not exposing the service to the public internet.
Impact: An unauthenticated threat actor can send a simple, specially crafted HTTP Connection header to trigger memory corruption that can cause a denial-of-service (DoS). Under the right circumstances, this could also potentially lead to remote code execution. Despite its design for smaller networks, compromising a proxy server can have serious consequences such as data breaches and service disruptions.
Patch Availability: Talos reports that the maintainers of Tinyproxy have not responded, so no patch is available.
Exploitation Status: Security researcher Dimitrios Tatsis from Cisco Talos identified this vulnerability. The PoC in the original vulnerability report demonstrates the simplicity of the exploit to potentially cause a DoS, although achieving RCE would be more challenging. No active exploitation is currently known.
Censys’s Perspective: As of May 3, 2024, Censys observed over 90,000 hosts exposing a Tinyproxy service, ~57% of which are potentially vulnerable to this exploit
Detection:
Censys Search query for exposed Tinyproxy: services.software: (vendor=”Tinyproxy Project” and product=”Tinyproxy”) and not labels=`tarpit`
Censys ASM customers can use the following risk to look for exposed vulnerable Tinyproxy instances in their network: risks.name=”Vulnerable Tinyproxy [CVE-2023-49606]”. Relevant devices will be associated with your organization’s ASM workspace within approximately 24 hours.
Background
On May 1, 2024, Cisco Talos published a vulnerability report about CVE-2023-49606, a use-after-free vulnerability that exists in Tinyproxy versions 1.11.1 and 1.10.0, the most recent releases, with a critical CVSS score of 9.8. The vulnerability is leveraged through the way HTTP Connection Headers are parsed.
Tinyproxy is an open-source HTTP/S proxy tailored for UNIX-like operating systems known for its lightweight design. It’s intended for use in small networks without the need or resources to implement a full-featured proxy server.
As stated in their documentation:
“If you are sharing an Internet connection with a small network, and you only want to allow HTTP requests to be allowed, then Tinyproxy is a great tool for the network administrator.”
It’s probably most commonly used by individual hobbyists and home users, small businesses, or public Wi-Fi providers who want basic proxy functionality.
The discovery of this vulnerability is credited to security researcher Dimitrios Tatsis of Cisco Talos. The PoC showcases how a trivial bug in the HTTP Connection Header handling can be exploited to cause a system crash and potentially a DoS, but achieving RCE beyond this would require very specific circumstances to be in place. There is no known active exploitation at this time.
Unfortunately the vulnerability remains unpatched. At the time of writing, the most recent commits to the tinyproxy GitHub project were 2 days ago and 6 months ago, respectively, indicating that it may not be very actively maintained.
Potential Consequences of Successful Exploitation: By sending one specially crafted HTTP header, a threat actor could trigger a crash due to memory corruption on the proxy server. Since Tinyproxy is primarily designed for use on smaller networks, the potential risks associated with this vulnerability are somewhat reduced compared to if it were a more full-featured proxy server. However, even within smaller networks, disrupting a proxy server could lead to data loss and other service disruptions. It’s also worth noting that smaller networks often have limited resources to implement more robust security measures.
Censys’s Perspective
As of Friday, May 3, 2024, Censys observed 90,310 hosts exposing a Tinyproxy service to the public internet. Of these, many are concentrated in the United States and South Korea.
Map of Censys-Visible Hosts Exposing Tinyproxy on the Public Internet as of May 3, 2024
| Country |
Host Count |
Percentage |
| United States |
32846 |
36.37% |
| South Korea |
18358 |
20.33% |
| China |
7808 |
8.65% |
| France |
5208 |
5.77% |
| Germany |
3680 |
4.07% |
Top 5 Countries with Hosts Exposing Tinyproxy
Of these, nearly 52,000, or approximately 57%, of all exposed hosts appear to be potentially vulnerable to these bugs, running versions 1.11.1 or 1.10.0.
| Version |
Host Count |
Percentage |
| 1.11.1 |
40746 |
45.09% |
| 1.8.4 |
11645 |
12.89% |
| 1.10.0 |
11207 |
12.40% |
| 1.8.3 |
11036 |
12.21% |
| 1.8.2 |
7753 |
8.58% |
Top 5 Versions of Exposed Tinyproxy Software Observed
The network with the greatest concentration of Tinyproxy servers is AMAZON-02, or AWS, which makes sense given that this software is likely used by smaller, individual users.
Recommendations for Remediation
It’s recommended to ensure that you’re not exposing a Tinyproxy service to the public internet, particularly if it’s in use in a development or testing environment.
References:
