Tinyproxy Vulnerability: How a Broken Communication Channel Exposed 50,000 Servers
More than 50% of the 90,310 servers using the Tinyproxy proxy tool are vulnerable due to a critical flaw identified as CVE-2023-49606, which received a severity score of 9.8 out of 10 on the CVSS scale. This issue is classified as a “Use-After-Free” vulnerability affecting Tinyproxy versions 1.10.0 and 1.11.1.
According to a report by Cisco Talos experts, sending a specially crafted HTTP header can lead to the reuse of already freed memory, causing memory corruption. This, in turn, can result in remote code execution.
Data from Censys shows that as of May 3, 2024, about 57% (roughly 52,000) of the 90,310 servers with open access to Tinyproxy were running a vulnerable version. Most of these servers are located in the United States (32,846), South Korea (18,358), China (7,808), France (5,208), and Germany (3,680).
Disclosure and Communication Issues
Cisco Talos reported the vulnerability to Tinyproxy developers on December 22, 2023, and provided a proof-of-concept exploit demonstrating how the issue could be used to cause crashes and, in some cases, execute arbitrary code.
However, one of Tinyproxy's lead developers, known as “rofl0r,” stated that the notification from Talos was sent to an outdated email address. As a result, the development team only became aware of the problem on May 5, after a Debian package maintainer reported it. In other words, the issue remained unresolved and servers were exposed to attacks for nearly six months. Moreover, rofl0r claimed that if the issue had been reported via GitHub or IRC, it would have been fixed within a day.
This situation created an unusual precedent that may prompt Talos experts to reconsider the effectiveness of their chosen communication methods with software developers.
Recommendations and Lessons Learned
In the meantime, Tinyproxy developers advise users to update to the latest version as soon as possible and recommend not leaving the service open to the public internet.
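As an added illustration of that advice (this is not Tinyproxy's own code), a small audit script that flags the two versions named above and checks whether a tinyproxy.conf leaves the proxy reachable by arbitrary clients. It assumes the directive semantics documented for tinyproxy.conf: without a `Listen` line the daemon binds every interface, and without `Allow` lines every client is accepted. The sample configs are constructed.

```python
import ipaddress

# Versions the Talos report names as affected (taken from the article)
AFFECTED_VERSIONS = {"1.10.0", "1.11.1"}

# Constructed sample configs, hypothetical and for demonstration only
OPEN_CONF = """
Port 8888
# no Listen line: Tinyproxy binds every interface
# no Allow line: every client is accepted
"""
HARDENED_CONF = """
Port 8888
Listen 127.0.0.1
Allow 127.0.0.1
"""

def parse_config(text):
    """Collect Listen and Allow values from tinyproxy.conf-style text."""
    listen, allow = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        key, _, value = line.partition(" ")
        value = value.strip().strip('"')
        if key.lower() == "listen":
            listen.append(value)
        elif key.lower() == "allow":
            allow.append(value)
    return listen, allow

def is_local(value):
    """True for loopback or private address/network; False for 0.0.0.0 or unparsable."""
    try:
        net = ipaddress.ip_network(value, strict=False)
    except ValueError:
        return False
    if net.is_unspecified:                       # 0.0.0.0 means "all interfaces"
        return False
    return net.is_loopback or net.is_private

def audit(conf_text, version):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    if version in AFFECTED_VERSIONS:
        findings.append(f"version {version} is affected by CVE-2023-49606")
    listen, allow = parse_config(conf_text)
    if not listen:
        findings.append("no Listen directive: service binds all interfaces")
    elif not all(is_local(a) for a in listen):
        findings.append("Listen address is not loopback/private")
    if not allow:
        findings.append("no Allow directive: any client may connect")
    elif not all(is_local(a) for a in allow):
        findings.append("Allow rule admits non-private clients")
    return findings
```

The version check only knows the two releases the report names; the configuration checks are independent of version and remain useful after upgrading.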
A similar situation occurred in early April with major hardware manufacturers Intel and Lenovo. Their software contained a vulnerability that had been fixed over six years ago, but the fix was not applied by third-party vendors because the issue had not been assigned a CVE identifier.
Proper, complete, and timely disclosure of vulnerabilities is crucial for cybersecurity and protecting users from potential threats. The Tinyproxy incident highlights the need to improve information-sharing processes between cybersecurity researchers and software developers to prevent similar situations in the future.