Tinyproxy: how a "broken" communication channel caused the vulnerability of 50,000 servers

Father

Here's a quick overview of what inefficient communication between researchers and developers can lead to.

More than half of the 90,310 servers running the Tinyproxy proxy tool are vulnerable because of a critical bug tracked as CVE-2023-49606 and rated 9.8 out of 10 on the CVSS scale. The bug is classified as a "Use-After-Free" vulnerability affecting Tinyproxy versions 1.10.0 and 1.11.1.

According to a report by Cisco Talos researchers, sending a specially crafted HTTP header can cause the proxy to reuse memory that has already been freed; the resulting memory corruption can, in turn, lead to remote code execution.

According to Censys, about 57%, or roughly 52,000, of the 90,310 Tinyproxy servers exposed to the Internet as of May 3, 2024, were running a vulnerable version of the tool. Most of these servers are located in the United States (32,846), South Korea (18,358), China (7,808), France (5,208), and Germany (3,680).

Cisco Talos reported the vulnerability to the Tinyproxy developers on December 22, 2023, and later provided a PoC exploit demonstrating how the issue can be used to crash the proxy and, in some cases, execute arbitrary code.

However, one of Tinyproxy's lead developers, known by the nickname "rofl0r", said that Talos sent its report to an email address that was not relevant to the project. As a result, the development team learned of the problem only yesterday, May 5, when it was reported by the maintainer of the Debian Tinyproxy package.

In other words, the problem went unfixed and the servers remained exposed to attack for almost six months. Moreover, rofl0r stated that had the problem been reported via GitHub or IRC, it would have been fixed within a day.

This situation sets an unusual precedent and may prompt Talos to reconsider the effectiveness of its chosen channels for communicating with software developers.

Meanwhile, the Tinyproxy developers advise users to update to the current version of the tool as soon as possible and recommend not leaving the service exposed to the public Internet.
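As an added illustration of that second piece of advice (not from the original post or the Tinyproxy project), here is a tinyproxy.conf fragment that replaces the exposed default with a configuration bound to an internal interface and restricted to internal clients; the addresses are assumed placeholders:

```conf
# tinyproxy.conf fragment (added example; addresses are assumed placeholders).
#
# Weak: with Listen commented out Tinyproxy binds every interface, and with
# no Allow or Deny lines at all it accepts connections from any client. That
# is the "open to the public Internet" exposure the developers warn about.
#
# Hardened:
Port 8888
# Bind only the internal interface (assumed address), never 0.0.0.0.
Listen 10.0.0.5
# Accept only clients from the internal subnet (assumed) and the local host;
# any source address not matched by an Allow line is refused.
Allow 10.0.0.0/8
Allow 127.0.0.1
# Stop advertising the proxy software and version in the Via header.
DisableViaHeader Yes
```

Restricting reachability limits who can send the crafted header in the first place, but it is a stopgap: the fix is still to update.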

In early April, we covered a similar situation involving the major hardware manufacturers Intel and Lenovo. Their software turned out to contain a vulnerability that had been fixed more than six years earlier; because the flaw had never been assigned a CVE identifier, the fix was not picked up in third-party products.

Correct, complete and timely reporting of vulnerabilities is essential to ensure cybersecurity and protect users from potential threats.

The Tinyproxy vulnerability incident highlights the need to improve information exchange processes between cybersecurity researchers and software developers in order to avoid similar situations in the future.