May 8, 2024 at 12:44PM
A use-after-free flaw in the open-source Tinyproxy (versions 1.11.1 and 1.10.0) allows attackers to trigger memory corruption, potentially leading to denial-of-service (DoS) and remote code execution (RCE) via a specially crafted HTTP Connection header. The flaw is rated 9.8 out of 10 in severity. While no known exploitation exists, more than 57% of 90,000 exposed hosts are vulnerable. Mitigation includes updating and securing access to Tinyproxy.
From the meeting notes, here are the key takeaways:
– A critical use-after-free flaw, tracked as CVE-2023-49606, has been identified in Tinyproxy versions 1.11.1 and 1.10.0.
– This flaw allows attackers to exploit the server, potentially causing denial-of-service (DoS) and remote code execution (RCE) attacks.
– The flaw has been rated 9.8 out of 10 on the CVSS vulnerability-severity scale.
– While there is no known active exploitation of the flaw, over 90,000 hosts are found to be exposing a Tinyproxy service, with more than 57% being potentially vulnerable.
– The network with the greatest concentration of Tinyproxy servers is AMAZON-02 from Amazon Web Services.
– A proof-of-concept exploit for the flaw has been published by Cisco Talos, but its effectiveness is disputed by the maintainer of the Tinyproxy project.
– The maintainer has released an update to fix the vulnerability, and Cisco Talos has provided guidelines for mitigating the risk.
– Mitigation actions include installing the update provided on GitHub, using basic authentication with a secure password, and ensuring that the Tinyproxy service is not exposed to the public Internet.
These takeaways highlight the urgency of addressing the identified vulnerability in Tinyproxy versions 1.11.1 and 1.10.0 to mitigate the risk of potential exploitation and associated security threats. It is recommended to promptly communicate this information to relevant stakeholders and initiate the necessary actions to secure the affected systems.