tinyproxy uses wrong client IPv6 address for ACL/logging when receiving concurrent IPv4+ IPv6 connections
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
tinyproxy (Ubuntu) | New | Undecided | Unassigned |
Bug Description
tinyproxy 1.11.0 and upwards have a bug that causes them to occasionally use an incorrect IPv6 address for logging / ACL checks when the proxy is receiving simultaneous IPv4 + IPv6 connections.
Usually the incorrect address is the address of the _previous_ IPv6 connection, but in some cases some bits of the IPv6 address are also overwritten (causing log entries to show and ACL checks to use IPv6 addresses that are not actually in use).
In all cases, IPv4 traffic is not affected -- the bug itself is IPv6-specific, but you also need to have IPv4 traffic via the proxy to trigger it.
Ubuntu 20.04 (with 1.10) is not affected, 22.04 and upwards are.
My bug report to tinyproxy: https:/
Tinyproxy's official fix for this: https:/
Please include this fix in Ubuntu's tinyproxy package for 22.04 (and newer).
You could consider this to also have a security implication (ACL bypass), even though actually exploiting it would require a very specific configuration and would still be hit-and-miss:
You'd need to have an attacker-accessible Tinyproxy server (with both IPv4 + IPv6 addresses) with tinyproxy's own ACL configuration that normally refuses the attacker's requests. When there is legitimate IPv6 traffic going through the proxy, the attacker would occasionally be able to make requests that bypass the ACL and are seen by tinyproxy as coming from a (different & allowed) IPv6 address. In any case, the real clients would then be getting Forbidden errors from Tinyproxy, so they'd notice something strange is going on.
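The report describes the symptoms (previous client's IPv6 address reused, or only part of the address overwritten) but not the root cause, and the linked upstream fix is not reproduced here. The following is an added example, not tinyproxy's code and not from the reporter: it demonstrates one mechanism that produces exactly those symptoms, which I assume (but the page does not confirm) is the class of defect involved. `accept()` and `getpeername()` take a value-result `socklen_t`: they copy at most `*addrlen` bytes and then store the peer's real length. If a server reuses that variable across an accept loop without resetting it, an IPv4 accept shrinks it to 16 bytes, and the next IPv6 accept writes only the family, port, flowinfo and the first 8 bytes of the address, leaving the last 8 bytes from the previous IPv6 client. The simulated `fake_accept`, the addresses and the `run_accept_loop`/`loop_sees` names are all constructed for this example; the fix shown is the per-iteration reset of the length.

```c
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>

/* Stand-in for accept()/getpeername(): copies at most *addrlen bytes of the
 * peer address into addr, then stores the peer's full length in *addrlen.
 * This is the value-result contract of the real calls; no sockets are
 * opened so the example runs offline. */
static void fake_accept(const struct sockaddr *peer, socklen_t peerlen,
                        struct sockaddr_storage *addr, socklen_t *addrlen)
{
    socklen_t n = peerlen < *addrlen ? peerlen : *addrlen;
    memcpy(addr, peer, n);
    *addrlen = peerlen;
}

/* Render the peer address the way an ACL check or access log would see it. */
static int peer_to_string(const struct sockaddr_storage *ss, char *buf, size_t len)
{
    if (ss->ss_family == AF_INET) {
        const struct sockaddr_in *s4 = (const struct sockaddr_in *) ss;
        return inet_ntop(AF_INET, &s4->sin_addr, buf, len) ? 0 : -1;
    }
    if (ss->ss_family == AF_INET6) {
        const struct sockaddr_in6 *s6 = (const struct sockaddr_in6 *) ss;
        return inet_ntop(AF_INET6, &s6->sin6_addr, buf, len) ? 0 : -1;
    }
    return -1;
}

/* Constructed client addresses from documentation ranges, not real traffic. */
static int make_v4(struct sockaddr_in *s, const char *ip)
{
    memset(s, 0, sizeof *s);
    s->sin_family = AF_INET;
    s->sin_port = htons(40000);
    return inet_pton(AF_INET, ip, &s->sin_addr) == 1 ? 0 : -1;
}

static int make_v6(struct sockaddr_in6 *s, const char *ip)
{
    memset(s, 0, sizeof *s);
    s->sin6_family = AF_INET6;
    s->sin6_port = htons(40000);
    return inet_pton(AF_INET6, ip, &s->sin6_addr) == 1 ? 0 : -1;
}

/* Accept three connections in order: IPv6 client A, IPv4 client B, IPv6
 * client C. With reset_len != 0 the loop resets clilen before every accept
 * (correct); with reset_len == 0 it reuses the 16-byte value left by the
 * IPv4 accept, so only the first half of C's sockaddr_in6 is written and the
 * low 8 bytes of the address still belong to A. The address attributed to C
 * is written to out. Returns 0 on success. */
int run_accept_loop(int reset_len, char *out, size_t outlen)
{
    struct sockaddr_in6 a, c;
    struct sockaddr_in b;
    if (make_v6(&a, "2001:db8:1::aaaa") || make_v4(&b, "192.0.2.10") ||
        make_v6(&c, "2001:db8:2::cccc"))
        return -1;

    const struct sockaddr *seq[3] = { (struct sockaddr *) &a,
                                      (struct sockaddr *) &b,
                                      (struct sockaddr *) &c };
    socklen_t seqlen[3] = { sizeof a, sizeof b, sizeof c };

    struct sockaddr_storage cli;
    socklen_t clilen = sizeof cli;   /* set once before the loop */
    char buf[INET6_ADDRSTRLEN];
    memset(&cli, 0, sizeof cli);

    for (int i = 0; i < 3; i++) {
        if (reset_len)
            clilen = sizeof cli;     /* per-iteration reset: the fix */
        fake_accept(seq[i], seqlen[i], &cli, &clilen);
        if (peer_to_string(&cli, buf, sizeof buf) < 0)
            return -1;
        printf("connection %d: family=%d reported client %s\n",
               i + 1, (int) cli.ss_family, buf);
    }
    snprintf(out, outlen, "%s", buf);
    return 0;
}

/* 1 if the loop attributes connection C to expected, else 0. */
int loop_sees(int reset_len, const char *expected)
{
    char seen[INET6_ADDRSTRLEN];
    return run_accept_loop(reset_len, seen, sizeof seen) == 0 &&
           strcmp(seen, expected) == 0;
}

int main(void)
{
    char seen[INET6_ADDRSTRLEN];
    run_accept_loop(0, seen, sizeof seen);
    printf("without reset, C is logged as %s\n", seen);
    run_accept_loop(1, seen, sizeof seen);
    printf("with reset, C is logged as %s\n", seen);
    return 0;
}
```

Without the reset, client C (`2001:db8:2::cccc`) is logged and ACL-checked as `2001:db8:2::aaaa`: its /64 prefix is correct but the interface identifier is client A's, which is the "some bits of the IPv6 address are also overwritten" pattern from the report. Whether an `Allow` entry then matches depends on how the stale tail lines up with the configured ranges, which is why the reporter describes exploitation as hit-and-miss. Until a fixed package is installed, administrators who rely on tinyproxy's `Allow`/`Deny` rules for IPv6 clients can look for the symptom in the access log (IPv6 client addresses that are not actually in use appearing during mixed IPv4/IPv6 load) and, where possible, enforce the client restriction at a firewall in front of the proxy as well.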
Information type: Private Security → Public Security
Thanks for reporting this issue. Do you know if a CVE was ever assigned for it?