Opera’s security teams revealed detection of six critical vulnerabilities residing in Privoxy, the company’s open source proxy software. The developers of the popular Chromium-based browser began a series of blog posts to track the situation.
As mentioned, Opera’s first research focuses on Privoxy, released in 2001 and described as non cached web proxy with advanced privacy capabilities and removal of annoying online ads. Privoxy was once the primary way to enter the Tor network and is still employed by Tor Project.
When performing a security analysis, Opera detected multiple errors in the way this tool handles the data entered, using its own open source proxy fuzzing framework, along with partial analysis with a separator in order to detect errors as they would occur in real-world scenarios.
The following flaws were found in all versions of Privoxy prior to 3.0.32:
- CVE-2021-20276: Buffer overflow in pcre_compile (), which could lead to a denial of service (DoS) scenario
- CVE-2021-20217: A claim error triggered by a specially designed CGI request that leads to DoS conditions
- CVE-2021-20272: Configuration gateway assertion error that could cause system crashes
- CVE-2021-20273: If Privoxy is disabled, a DoS scenario can be presented through a specially designed CGI application
- CVE-2021-20275: An invalid reading on chunked_body_is_complete () could lead to a crash of the affected system
- CVE-2021-20274: A NULL pointer dereference error that can cause a system crash
These issues reside on the proxy’s internal configuration gateway, a technology used to alter Privoxy settings during a browser session without accessing the primary server. You can make this modification by http://p.p/ or http://config.privoxy.org in most configurations.
In this regard, Opera Security Engineer Joshua Rogers mentions: “The ability to block the system through ads using Privoxy is fatal, as it can cause severe damage and result in very lucrative attacks for affected users.”
During the security analysis, Opera also encountered five other errors that included indefinite tool behavior, uninitialized memory reads, and two “Fuzzing Mode” code failures in Privoxy.
To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.
He is a well-known expert in mobile security and malware analysis. He studied Computer Science at NYU and started working as a cyber security analyst in 2003. He is actively working as an anti-malware expert. He also worked for security companies like Kaspersky Lab. His everyday job includes researching about new malware and cyber security incidents. Also he has deep level of knowledge in mobile security and mobile vulnerabilities.