A significant unpatched vulnerability in the Tinyproxy HTTP/HTTPS proxy tool exposes more than 50,000 Tinyproxy service hosts on the internet. Tracked as CVE-2023-49606, the vulnerability has a critical severity rating with a CVSS score of 9.8.
This is a use-after-free vulnerability in the HTTP Connection header parsing in Tinyproxy. A specially crafted HTTP header can trigger the reuse of previously freed memory, which may lead to memory corruption and, on successful exploitation, to remote code execution.
Tinyproxy is an HTTP/HTTPS proxy daemon for POSIX operating systems. Designed from the ground up to be fast and small, it is an ideal solution for use cases such as embedded deployments where a full-featured HTTP proxy is required, but the system resources for a more significant proxy are unavailable.
Affected Versions
- Tinyproxy version 1.11.1
- Tinyproxy version 1.10.0
Mitigation
No patches have been released to address the vulnerability.
Please refer to the Talos Security Advisory (TALOS-2023-1889) for more information.
Qualys Detection
Qualys customers can scan their devices with QID 731510 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.
References
https://talosintelligence.com/vulnerability_reports/TALOS-2023-1889