Critical Vulnerability in Tinyproxy Leaves More than 50K Hosts Exposed
Critical Flaw in Tinyproxy Exposes Thousands of Hosts to Risk
More than half of the 90,310 hosts found exposing a Tinyproxy service on the internet are running a version susceptible to a critical, unpatched security flaw in the HTTP/HTTPS proxy tool.
Tracked as CVE-2023-49606, the issue carries a severity score of 9.8 out of 10 and affects versions 1.10.0 and 1.11.1 of Tinyproxy. Cisco Talos, which identified the bug, described it as a use-after-free vulnerability triggered by a specially crafted HTTP header, potentially leading to remote code execution.
According to data from attack surface management company Censys, approximately 57% of the exposed hosts are running versions of Tinyproxy vulnerable to the flaw. The majority of these hosts are located in the United States, South Korea, China, France, and Germany.
Talos, which reported the issue in December 2023, has released a proof-of-concept showing how the vulnerability could be exploited. Despite attempts to notify the maintainers, the response was delayed, and fixes were only initiated after a Debian Tinyproxy package maintainer raised the alarm.
Source: thehackernews.com