A lazy programmer put 52 thousand servers around the world at risk

Father

The Tinyproxy proxy utility contains a dangerous vulnerability that could hand many servers to attackers with little hacking experience. The developer is aware of the problem, but so far nothing has been done: the notification about the "hole" in his product was sent to an outdated email address. He does not explain why the project's contact information was never updated.

If you speak to me – you translate it to yourself

The free Tinyproxy proxy tool, hosted on GitHub, has turned out to be useful not only to system administrators but also to hackers. According to the Hacker News portal, a serious "hole" was found in it at the end of 2023, and the developers are in no hurry to patch it, although they are well aware that it exists.

The problem was identified by information security experts from Cisco Talos. The vulnerability was assigned the identifier CVE-2023-49606 and a near-maximum severity rating of 9.8 out of 10.

Talos researchers contacted a programmer known by the pseudonym rofl0r, one of the key developers of the "leaky" proxy utility. The email was sent to him in the last days of December 2023, but a patch for Tinyproxy still did not exist at the time this article was published.

Rofl0r stated that the Talos employees sent their email to an address that is no longer in use, but the programmer did not explain why he had not listed current contact details on the project's website. He now claims that, because of this misunderstanding, the Tinyproxy developers only learned about the problem on May 5, 2024, when it was pointed out by the programmer who maintains the Tinyproxy package for Debian Linux.

rofl0r also hastened to shift the blame from himself to the Talos specialists. According to him, they should not have written to email at all, but should have sent a notification via GitHub or, as an alternative, left him a message on IRC. Rofl0r claims that if the information security specialists had done this, the problem would have been solved within a day.

Note that IRC is an ancient messenger whose popularity peaked at the beginning of the 21st century. In 2024, the vast majority of users do not even know it exists; it is not even among the top 10 most popular communication services.

Consequences of poor communication

In their letter, the Talos employees sent rofl0r not only a notification about the problem they had found, but also a ready-made exploit that clearly demonstrates what a Tinyproxy breach can do to a system. If they have such an exploit, cybercriminals were probably able to build one too.

In fact, exploiting the "hole" in Tinyproxy does not require deep IT knowledge. A specially crafted HTTP header is enough: it causes memory that has already been freed to be reused (a use-after-free), corrupting it and giving hackers the opportunity to run any code they need on the victim's server.

According to Hacker News, at the beginning of May 2024 there were more than 90.3 thousand servers in the world with the Tinyproxy utility installed. More than half of them are definitely vulnerable, since the vulnerability CVE-2023-49606 was found in Tinyproxy versions 1.10.0 and 1.11.1, which are the versions installed on them. It is possible that it is also present in other builds, in which case there will be even more vulnerable servers.
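For an administrator who wants to know whether their own proxies are among the builds named above, the following added example (not code from the article or from the Tinyproxy project) triages captured HTTP responses by the version Tinyproxy advertises. It assumes that Tinyproxy inserts a "Via: 1.1 <hostname> (tinyproxy/<version>)" header unless the operator has disabled it; the host names and responses are constructed, not real. Builds other than 1.10.0 and 1.11.1 are marked "review" rather than "safe", since the article notes that other versions may also be affected.

```python
import re
from typing import Dict, Optional

# Versions the article names as carrying CVE-2023-49606.
AFFECTED_VERSIONS = {"1.10.0", "1.11.1"}

# Assumption: Tinyproxy advertises itself in a Via header of the form
#   Via: 1.1 <hostname> (tinyproxy/<version>)
# unless the operator has disabled that header in the configuration.
VIA_RE = re.compile(r"tinyproxy/(\d+\.\d+\.\d+)", re.IGNORECASE)


def tinyproxy_version(raw_response: str) -> Optional[str]:
    """Return the Tinyproxy version advertised in a raw HTTP response, or None."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "via":
            match = VIA_RE.search(value)
            if match:
                return match.group(1)
    return None


def classify(raw_response: str) -> str:
    """Triage one response: 'affected', 'review' (other Tinyproxy build) or 'unknown'."""
    version = tinyproxy_version(raw_response)
    if version is None:
        return "unknown"           # not Tinyproxy, or the Via header is disabled
    if version in AFFECTED_VERSIONS:
        return "affected"
    return "review"                # the article notes other builds may also be affected


def triage(responses: Dict[str, str]) -> Dict[str, str]:
    """Map each host name to its triage verdict."""
    return {host: classify(resp) for host, resp in responses.items()}


def summary(verdicts: Dict[str, str]) -> Dict[str, int]:
    """Count verdicts so the result can be reported at a glance."""
    counts = {"affected": 0, "review": 0, "unknown": 0}
    for verdict in verdicts.values():
        counts[verdict] += 1
    return counts


# Constructed sample responses; the host names and Via values are made up.
SAMPLE_RESPONSES = {
    "proxy-a.example": "HTTP/1.1 200 OK\r\nVia: 1.1 proxy-a (tinyproxy/1.11.1)\r\nContent-Length: 0\r\n\r\n",
    "proxy-b.example": "HTTP/1.1 200 OK\r\nVia: 1.1 proxy-b (tinyproxy/1.10.0)\r\nContent-Length: 0\r\n\r\n",
    "proxy-c.example": "HTTP/1.1 200 OK\r\nvia: 1.1 proxy-c (TinyProxy/1.8.4)\r\nContent-Length: 0\r\n\r\n",
    "web-d.example":   "HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Length: 0\r\n\r\n",
}

if __name__ == "__main__":
    verdicts = triage(SAMPLE_RESPONSES)
    for host, verdict in sorted(verdicts.items()):
        print(f"{host:20} {verdict}")
    print(summary(verdicts))
```

A host that shows "unknown" is not cleared: an operator who has turned the Via header off leaves no version fingerprint, so the installed package version should still be checked directly on the machine.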

To be more precise, a very real threat of hacking through Tinyproxy hangs over the owners of at least 52 thousand servers. That is approximately 57% of all servers running this utility.

System administrators in the United States were the least lucky. The largest number of "leaky" servers is concentrated in that country, about 32.85 thousand of them. South Korea took second place, with almost 18.36 thousand servers running the problematic Tinyproxy build.

China rounds out the top three with 7.8 thousand servers, followed by France (5.2 thousand) and Germany (about 3.7 thousand). This means the Tinyproxy problem has spread globally: the brainchild of rofl0r and his colleagues has given hackers easy access to servers in Europe, Asia and North America at the very least.
 