Multiple high-severity flaws affect widely used OpenLiteSpeed web server software

Several high-severity flaws have been discovered in the open-source OpenLiteSpeed web server, as well as in its enterprise variant, which could be weaponized to achieve remote code execution.

“By chaining and exploiting vulnerabilities, adversaries could compromise the web server and gain fully privileged remote code execution,” Palo Alto Networks Unit 42 said in a report Thursday.

OpenLiteSpeed, the open-source edition of LiteSpeed Web Server, is the sixth most popular web server, accounting for 1.9 million unique servers worldwide.

The first of the three flaws is a directory traversal flaw (CVE-2022-0072, CVSS score: 5.8), which could be exploited to access forbidden files outside the web root directory.
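Directory traversal of the kind described above is usually the result of a server joining an attacker-controlled request path onto the document root without checking where the result ends up. The following is an added illustration of the defensive check a web server should apply, written here for this article; it is not code from OpenLiteSpeed or LiteSpeed, and the web root path and request strings are constructed sample values.

```python
import posixpath
from pathlib import PurePosixPath
from typing import Optional
from urllib.parse import unquote

# Constructed sample document root (not a real deployment path).
WEB_ROOT = "/var/www/html"


def resolve_within_root(root: str, requested: str) -> Optional[str]:
    """Map a requested URL path onto the filesystem, or return None if the
    request would escape the document root (directory traversal).

    The check is purely lexical: it decodes percent-encoding once, collapses
    '.' and '..' segments, and then verifies the result still lies under
    ``root``. Symlink handling (os.path.realpath) would be an additional,
    filesystem-level check in a real server.
    """
    # Decode %2e%2e-style encodings so '..' cannot hide behind percent escapes.
    decoded = unquote(requested)

    # NUL bytes can truncate paths in C-based servers; refuse them outright.
    if "\x00" in decoded:
        return None

    # Treat the request as relative to the root even if it begins with '/'.
    joined = posixpath.join(root, decoded.lstrip("/"))

    # normpath resolves '..' lexically; e.g. /var/www/html/../../etc/passwd
    # becomes /var/etc/passwd, which is then rejected below.
    candidate = posixpath.normpath(joined)

    # Component-wise containment check: '/var/www/htmlx' is NOT under
    # '/var/www/html', which a plain string prefix test would get wrong.
    try:
        PurePosixPath(candidate).relative_to(PurePosixPath(root))
    except ValueError:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed sample requests: the first two are legitimate, the rest
    # are traversal attempts that a vulnerable server would serve.
    for req in ["index.html", "static/../index.html",
                "../../etc/passwd", "%2e%2e/%2e%2e/etc/passwd", "a\x00.html"]:
        print(repr(req), "->", resolve_within_root(WEB_ROOT, req))
```

The important design point is the final containment test: after normalisation, the candidate path is compared to the root component by component rather than with a string prefix, so a sibling directory whose name merely starts with the root's name is not accepted.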


The two remaining vulnerabilities (CVE-2022-0073 and CVE-2022-0074, CVSS scores: 8.8) are an elevation-of-privilege flaw and a command injection flaw respectively, which could be chained together to achieve privileged code execution.


“A malicious actor who successfully obtains the dashboard credentials, either through brute force attacks or social engineering, could exploit the vulnerability to execute code on the server,” Unit 42 researchers Artur Avetisyan, Aviv Sasson, Ariel Zelivansky, and Nathaniel Quist said of CVE-2022-0073.

Several versions of OpenLiteSpeed (from 1.5.11 to 1.7.16) and LiteSpeed (from 5.4.6 to 6.0.11) are affected by the problems, which have been fixed in versions and 6.0.12 following responsible disclosure on October 4, 2022.