
WARNING: CRITICAL VULNERABILITY IN TINYPROXY, PATCH IMMEDIATELY!

Reference: Advisory #2024-65
Version: 1.0
Affected software: Tinyproxy 1.11.1, Tinyproxy 1.10.0
Type: Denial-of-Service and potential for Remote Code Execution
CVE/CVSS: CVE-2023-49606: CVSS 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Sources

https://talosintelligence.com/vulnerability_reports/TALOS-2023-1889

Risks

Tinyproxy, the lightweight HTTP/HTTPS proxy daemon for POSIX operating systems, is affected by a vulnerability that exposes it to Denial-of-Service (DoS) attacks and potentially also to Remote Code Execution.
Currently there is no evidence of active exploitation. However, Cisco Talos included a proof of concept when they disclosed the vulnerability, and Censys reported around 51,000 observed hosts worldwide that are vulnerable.

This vulnerability can have a detrimental effect on the confidentiality, integrity, and availability of the system. Consequently, users are strongly advised to promptly update to the most recent version, which addresses this security issue; at the time of writing, that is version 1.11.2.

Description

A use-after-free vulnerability exists in the HTTP Connection header parsing of Tinyproxy 1.11.1 and Tinyproxy 1.10.0. A specially crafted HTTP header can trigger reuse of previously freed memory, which leads to memory corruption and could lead to remote code execution. According to Cisco Talos, an attacker needs to make an unauthenticated HTTP request to trigger this vulnerability.

Recommended Actions

Patch
 
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable instances with high priority, after thorough testing.
The Centre for Cybersecurity Belgium strongly recommends not exposing your Tinyproxy instance to the public internet if this is not necessary. Also use authentication with a strong password and, where possible, only allow connections from specific trusted hosts.
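As an added illustration of the exposure and access-control recommendations above (not part of the CCB advisory and not a Tinyproxy project file), the two tinyproxy.conf fragments below contrast an exposed configuration with a restricted one; the bind address, the trusted network range and the credentials are placeholders.

```conf
# Added example, not from the CCB advisory or the Tinyproxy project.
# Two tinyproxy.conf fragments: an exposed setup and a restricted one.
# Addresses, network ranges and credentials below are placeholders.

## Weak: listens on every interface, no access control, no authentication.
## Any host that can reach port 8888 can send requests through the proxy.
Port 8888
Listen 0.0.0.0
# No Allow/Deny lines: without any access-control directive,
# Tinyproxy accepts connections from every client.

## Hardened: bind to an internal address, allow-list trusted networks,
## require credentials, and keep logging enabled for monitoring.
Port 8888
# Placeholder: internal address of the proxy host, not a public interface.
Listen 10.0.0.5
# Placeholder: the only client network allowed to use the proxy.
# As soon as any Allow or Deny directive is present, the default action
# becomes deny, so all other source addresses are rejected.
Allow 10.0.0.0/24
# Placeholder credentials; replace with a strong, unique secret.
BasicAuth proxyuser CHANGE-ME
# Keep request logging on so unexpected clients show up in monitoring.
LogLevel Info
LogFile "/var/log/tinyproxy/tinyproxy.log"
```

Apply only one of the two fragments; they are shown together to make the difference visible.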
 
Monitor/Detect
 
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident
 
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.
