February 9, 2025

Round 50,000 situations of an open supply proxy server used for small networks are uncovered to denial-of-service (DoS) assaults and even probably distant code execution (RCE), by way of a flaw that may be exploited by an HTTP request.

A use-after-free flaw tracked as CVE-2023-49606 is current in Tinyproxy variations 1.11.1 and 1.10.0; it permits attackers to ship a easy, specifically crafted HTTP Connection header to set off reminiscence corruption that may trigger DoS, based on a recent advisory by threat-hunting platform supplier Censys. Additional, a extra complicated assault can also enable for RCE assaults. The flaw garners a essential ranking of 9.8 out of 10 on the CVSS vulnerability-severity scale.

Tinyproxy is a light-weight, open supply HTTP/S proxy for Unix-like working programs that is designed to be used in small networks, so most of its customers are prone to be small companies, public Wi-Fi suppliers, and residential customers, based on Censys. Nevertheless, it is also utilized by enterprises for testing or growth, so attackers can compromise these situations of the server as effectively.

“Regardless of its design for smaller networks, compromising a proxy server can have severe penalties similar to knowledge breaches and repair disruptions,” based on the advisory.

Although there’s as but no recognized energetic exploitation of the flaw, an Web search carried out by Censys confirmed that as of Could 3, there are greater than 90,000 hosts exposing a Tinyproxy service. Of these, greater than 57% are probably susceptible to the exploit, based on the advisory.

The community with the best focus of Tinyproxy servers is AMAZON-02 from Amazon Net Companies, “which is sensible on condition that this software program is probably going utilized by smaller, particular person customers,” based on Censys. 

Public Exploit Obtainable — however Does It Work?

Cisco Talos on Could 1 printed proof-of-concept exploit for the flaw, saying that it demonstrates how a easy HTTP request can set off CVE-2023-49606. However a post on GitHub by the maintainer of the Tinyproxy challenge — who goes by the web title “rofl0r” — referred to as Cisco Talos’ description of the flaw and the way it’s exploited “ineffective particulars” that do not concentrate on the precise bug or paint a real depiction of easy methods to exploit it.

The maintainer goes on within the submit to explain the flaw, deemed as “nasty,” and features a hyperlink to an update that Tinyproxy’s maintainer stated fixes the vulnerability.

Cisco Talos didn’t instantly reply to request for remark Wednesday on the claims made by rofl0r that refute its researchers’ evaluation of the flaw and its exploit.

Breaking Down the Tinyproxy Bug

The flaw resides in code to take away the “connection” and “proxy-connection” headers from the record of headers obtained within the src/reqs.c, remove_connection_headers() request in Tinyproxy, based on rofl0r’s GitHub submit.

The affected code was written in 2002 and was by no means up to date, based on rofl0f, and it triggers the next chain of occasions: The worth of both “connection” or “proxy-connection” is retrieved from the key-value (KV) retailer, it’s break up up in items utilizing plenty of potential delimiters, and each bit is faraway from the KV retailer.

“The bug is that if a type of items is both ‘connection’ or ‘proxy-connection’ (case-insensitive) and the identical as the important thing used earlier to retrieve the worth,” the maintainer defined. “It will likely be deleted (freed) from the [KV] retailer, however the code continues accessing the worth pointer it retrieved earlier.”

The bug “actually permits” a DoS assault on the server if it “is both utilizing musl libc 1.2+ – whose hardened reminiscence allocator routinely detects UAF, or constructed with an handle sanitizer,” based on the submit. It additionally “can certainly” probably result in RCE.

Publicity & Mitigation for CVE-2023-49606

Whereas Cisco Talos claims that an attacker could make a easy unauthenticated HTTP request to set off the vulnerability, rofl0r refuted that declare, noting that the code is “solely triggered after entry record checks and authentication have succeeded.”

Which means that if a Tinyproxy administrator makes use of fundamental authentication with a fairly safe password, they’re protected in opposition to compromise. Moreover, if the proxy is offered solely on a trusted non-public community, similar to inside a company atmosphere, it may well’t be exploited by exterior attackers, based on rofl0r.

Along with putting in the replace supplied on GitHub, Tinyproxy directors can also keep away from potential compromise by guaranteeing {that a} Tinyproxy service just isn’t uncovered to the general public Web, notably if it is in use in a growth or testing atmosphere, based on Cisco Talos.