LiteSpeed web server vulnerabilities discovered by Palo Alto Networks researchers can be exploited to take complete control of a targeted server.
The security flaws were discovered during an audit of OpenLiteSpeed, the open-source version of the performance-focused LiteSpeed web server developed by LiteSpeed Technologies. Both versions are affected, and the vulnerabilities have been fixed with the release of OpenLiteSpeed 188.8.131.52 and LiteSpeed 6.0.12.
LiteSpeed is a popular web server: Palo Alto Networks' analysis showed it has a 2% market share – others put its share much higher – and that it runs on 1.9 million instances connected to the Internet.
The vulnerabilities discovered by the security firm's researchers can be exploited to compromise the targeted web server and execute arbitrary code with elevated privileges.
However, the flaws cannot be exploited without authentication: the attacker must first obtain valid credentials for the web server's administration dashboard, for example through a brute force attack or social engineering.
The first vulnerability, rated “high severity” and identified as CVE-2022-0073, relates to a field that allows users to specify a command to run when the server starts.
“This feature is considered unsafe and therefore mitigations to abuse it have been implemented. We managed to bypass the mitigations and abuse this feature to upload and execute a malicious file on the server with the privileges of the ‘nobody’ user, which is an unprivileged user that traditionally exists on Linux machines,” explained Palo Alto Networks.
The second vulnerability, also classified as “high severity” and tracked as CVE-2022-0074, can be exploited by an attacker who has already exploited the previous flaw to elevate privileges from the “nobody” user to “root”.
The third issue, CVE-2022-0072, is a directory traversal bug that can be exploited to bypass security measures and access prohibited files.
“An attacker who compromised the server could create a secret backdoor and exploit the vulnerability to access it,” the security firm said.
Patches were released about two weeks after Palo Alto Networks reported its findings to LiteSpeed developers.
Related: CWP Flaws That Expose Servers to Remote Attacks Possibly Exploited in the Wild
Related: New DDoS Botnet “Enemybot” Targets Routers and Web Servers
Related: Recently Patched Apache HTTP Server Vulnerability Exploited in Attacks