Tinyproxy HTTP Connection Headers Parsing Vulnerability Could Lead to Remote Code Execution
CVE-2023-49606

9.8CRITICAL

Key Information:

Vendor

Tinyproxy

Status
Tinyproxy
Vendor
CVE Published:
1 May 2024

Badges

πŸ“ˆ TrendedπŸ“ˆ Score: 3,540πŸ‘Ύ Exploit Exists🟣 EPSS 63%πŸ“° News Worthy

What is CVE-2023-49606?

CVE-2023-49606 is a critical vulnerability found in Tinyproxy, a lightweight HTTP/HTTPS proxy designed to provide users with increased privacy and security. This specific vulnerability relates to the parsing of HTTP Connection Headers, allowing for a use-after-free condition. This weakness can potentially lead to remote code execution, posing a serious risk for organizations that rely on Tinyproxy for secure web traffic management. If exploited, it could result in unauthorized control over systems, leading to significant disruption and data exposure.

Technical Details

The vulnerability exists in Tinyproxy versions 1.11.1 and 1.10.0. It is triggered by sending a specially crafted HTTP header to the proxy, which causes the reuse of memory that has already been freed. This situation leads to memory corruption, creating conditions that could be manipulated by an attacker to execute arbitrary code in the context of the Tinyproxy process. Importantly, this exploitation can be initiated via unauthenticated HTTP requests, making it particularly dangerous as attackers do not need prior access to the system.

Impact of the Vulnerability

  1. Remote Code Execution: The primary risk posed by CVE-2023-49606 is the potential for remote code execution. If exploited, attackers could run arbitrary code on the affected server, leading to full system compromise.

  2. Data Breaches: Successful exploitation could allow unauthorized access to sensitive data passing through the proxy server. This could result in significant data breaches and exposure of confidential information.

  3. Compromised Network Integrity: As Tinyproxy is used to facilitate web traffic for various applications, a successful attack could compromise the integrity of the network, enabling further attacks on internal systems and services.

Affected Version(s)

Tinyproxy 1.11.1

Tinyproxy Tinyproxy 1.10.0

News Articles

Critical Bug Could Open 50K+ Tinyproxy Servers to DoS, RCE

Patch now: CVE-2023-49606 in the open source, small-footprint proxy server can potentially lead to remote code execution.

favicon imagewww.firescalaf.cat

Most Tinyproxy instances are potentially vulnerable to CVE-2023-49606

Cisco Talos researchers reported a security vulnerability related to the use of HTTP connection headers in Tinyproxy 1.11.1 and Tinyproxy 1.10.0. The issue is

favicon imageSecurity Affairs

Most Tinyproxy Instances are potentially vulnerable to flaw CVE-2023-49606

A critical Remote Code Execution vulnerability in the Tinyproxy service potentially impacted 50,000 Internet-Exposing hosts.

References

https://talosintelligence.com/vulnerability_reports/TALOS...
http://www.openwall.com/lists/oss-security/2024/05/07/1

EPSS Score

63% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • 🟑

    Public PoC available

  • πŸ“ˆ

    Vulnerability started trending

  • πŸ‘Ύ

    Exploit known to exist

  • πŸ“°

    First article discovered by GBHackers on Security

  • Vulnerability published

  • Vulnerability Reserved

Credit

Discovered by Dimitrios Tatsis of Cisco Talos.
.