LiteSpeed ​​vulnerabilities can lead to complete web server takeover

LiteSpeed ​​web server vulnerabilities discovered by Palo Alto Networks researchers can be exploited to take complete control of a targeted server.

The security flaws were discovered during an audit of OpenLiteSpeed, the open-source version of the LiteSpeed ​​performance-focused web server manufactured by LiteSpeed ​​Technologies. Both versions are affected by the vulnerabilities and they have been fixed with the release of OpenLiteSpeed ​​ and LiteSpeed ​​6.0.12.

LiteSpeed ​​is a popular web server and Palo Alto Networks analysis showed it has a 2% market share – others say it has a much larger market share – and is used by 1.9 million instances connected to the Internet.

Vulnerabilities discovered by security firm researchers can be exploited to compromise the targeted web server and execute arbitrary code with elevated privileges.

However, the flaws cannot be exploited without authentication. The attacker must first use a brute force attack or social engineering to obtain valid credentials on the web server dashboard.

The first vulnerability, rated “high severity” and identified as CVE-2022-0073, relates to a field that allows users to specify a command to run when the server starts.

“This feature is considered unsafe and therefore mitigations to abuse it have been implemented. We managed to bypass the mitigations and abuse this feature to upload and execute a malicious file on the server with the privileges of the person user, which is an unprivileged user that traditionally exists on Linux machines,” explained Palo Alto Networks.

The second vulnerability, also classified as “high severity” and tracked as CVE-2022-0074, can be exploited by an attacker who exploited the previous flaw to elevate privileges from “nobody” to “root”.

The third issue, CVE-2022-0072, is a directory traversal bug that can be exploited to bypass security measures and access prohibited files.

“An attacker who compromised the server could create a secret backdoor and exploit the vulnerability to access it,” the security firm said.

Patches were released about two weeks after Palo Alto Networks reported its findings to LiteSpeed ​​developers.

Related: CWP Flaws That Expos Servers to Remote Attacks Possibly Exploited in the Wild

Related: New DDoS Botnet “Enemybot” Targets Routers and Web Servers

Related: Recently Patched Apache HTTP Server Vulnerability Exploited in Attacks

Edouard Kovacs (@EduardKovacs) is a SecurityWeek Contributing Editor. He worked as a high school computer science teacher for two years before starting a career in journalism as a security reporter for Softpedia. Eduard holds a bachelor’s degree in industrial computing and a master’s degree in computer techniques applied to electrical engineering.

Previous columns by Eduard Kovacs:
Key words: