
Widespread RCE compromise likely with critical TinyProxy bug


Fifty-seven percent of more than 90,000 internet-exposed hosts continue to run TinyProxy instances unpatched against the critical use-after-free vulnerability, tracked as CVE-2023-49606, which could be leveraged to facilitate remote code execution attacks via an unauthenticated HTTP request, reports The Hacker News.

The U.S. accounted for the largest number of vulnerable internet-exposed hosts, followed by South Korea, China, France, and Germany, according to a report from Cisco Talos, which also published a proof-of-concept showing how the flaw in TinyProxy's HTTP Connection header parsing could be weaponized for code execution.

Meanwhile, TinyProxy's maintainers said the issue went unaddressed for so long because Cisco Talos appears to have sent its disclosure to an outdated email address.

"No GitHub issue was filed, and nobody mentioned a vulnerability on the mentioned IRC chat. If the issue had been reported on GitHub or IRC, the bug would have been fixed within a day," said TinyProxy maintainer rofl0r.
