CVE-2023-49606 (CVSS 9.8): Tinyproxy Zero-Day Threatens Thousands

A critical flaw has been uncovered in Tinyproxy, a lightweight HTTP/S proxy favored by individual hobbyists, small businesses, and public Wi-Fi providers for its simplicity and effectiveness. The vulnerability, identified as CVE-2023-49606, poses a severe threat to users of the software’s most recent versions, with a Common Vulnerability Scoring System (CVSS) rating of 9.8, categorizing it as critical.


Details of the Vulnerability

CVE-2023-49606 is a use-after-free vulnerability discovered by Dimitrios Tatsis of Cisco Talos. The flaw lies in the way Tinyproxy versions 1.11.1 and 1.10.0 parse HTTP Connection headers. A seemingly trivial bug in the handling of these headers can be exploited to cause a system crash or, in more severe cases, a denial of service (DoS). While remote code execution (RCE) is theoretically possible, it would require highly specific circumstances, making it less likely but still a concerning possibility.

Potential Consequences of the Exploit

If successfully exploited, CVE-2023-49606 could allow an unauthenticated attacker to send a specially crafted HTTP header to trigger memory corruption on the server. This vulnerability is particularly dangerous for smaller networks where a proxy server plays a critical role in network functionality and security. Disruption of the proxy server could lead to significant data loss and service interruptions. Additionally, the simplicity of the exploit means that the barrier to execution is low, increasing the risk of potential attacks.

Widespread Exposure and Risks

According to Censys, as of May 3, 2024, there are 90,310 hosts publicly exposing Tinyproxy services, with a significant number located in the United States and South Korea. Alarmingly, approximately 57% of these exposed hosts are running the vulnerable versions 1.11.1 or 1.10.0. The largest concentration of these servers is on the AMAZON-02 network, often used by smaller entities that might not have robust security measures in place.

Recommendations for Remediation

Given the absence of an official patch from Tinyproxy’s maintainers, the immediate recommendation is to ensure that Tinyproxy services are not exposed to the public internet, especially in environments used for development or testing. Users should consider employing alternative proxy solutions that receive regular security updates and support, or at least ensure that access to Tinyproxy is limited to internal network use until a patch becomes available.