Over 50,000 Tinyproxy servers vulnerable to critical RCE flaw

May 7, 2024 at 01:13PM

Nearly 52,000 vulnerable Tinyproxy instances are exposed to CVE-2023-49606, a critical remote code execution flaw. Cisco Talos disclosed the use-after-free vulnerability in December 2023; it affects versions 1.11.1 and 1.10.0. After receiving no response from the developers, Cisco published detailed information and proof-of-concept exploits. On Sunday, Tinyproxy released a fix to prevent exploitation, while disputing Cisco's disclosure method.

It appears that nearly 52,000 internet-exposed Tinyproxy instances are vulnerable to CVE-2023-49606, a critical remote code execution flaw. The vulnerability was disclosed by Cisco Talos at the beginning of the month, and detailed information about the flaw, including proof-of-concept exploits, was shared. Despite efforts to alert Tinyproxy’s developers, no patch was initially available.

Censys reported that about 57% of the 90,000 internet-exposed Tinyproxy services were vulnerable, with most instances located in the United States, South Korea, China, France, and Germany.

A fix for the vulnerability was released five days after Cisco disclosed it, with the Tinyproxy maintainers disputing whether the bug had been properly disclosed to them. The security fix will ship in the upcoming version 1.11.2; users who need it urgently can pull the change from the master branch or apply the fix manually. The developers noted that the vulnerability might not affect all setups, especially those running within controlled environments or those using basic authentication with secure passwords.
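The two mitigating conditions the developers mention, a controlled environment and basic authentication, map onto a handful of tinyproxy.conf directives. The following is an added illustration, not from the article or the Tinyproxy project: an internet-exposed configuration of the kind Censys counted, beside a restricted one. The interface address, network range and credentials are placeholders; upgrading to the fixed release remains the actual fix.

```conf
# --- Exposed setup (placeholder values): reachable from any address, no authentication ---
Port 8888
Listen 0.0.0.0          # binds on every interface, including public ones
Allow 0.0.0.0/0         # any client may use the proxy

# --- Restricted setup (placeholder values): limits who can even reach the vulnerable code ---
Port 8888
Listen 10.0.5.10        # placeholder: bind only to the internal interface
Allow 127.0.0.1
Allow 10.0.0.0/8        # placeholder: only the internal network is permitted
BasicAuth proxyuser CHANGE-ME-long-random-password   # placeholder credentials
DisableViaHeader Yes    # stops advertising the proxy and its version in the Via header
LogLevel Info           # keep request logging so unexpected clients are visible
```

Restricting `Listen`/`Allow` and requiring `BasicAuth` reduce exposure of an unpatched 1.10.0 or 1.11.1 instance; they do not remove the use-after-free, so apply the 1.11.2 fix as well.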
