Multiple high-severity flaws have been uncovered within the open supply OpenLiteSpeed Web Server in addition to its enterprise variant that may very well be weaponized to realize distant code execution.
“By chaining and exploiting the vulnerabilities, adversaries may compromise the net server and achieve totally privileged distant code execution,” Palo Alto Networks Unit 42 mentioned in a Thursday report.
OpenLiteSpeed, the open supply version of LiteSpeed Web Server, is the sixth hottest internet server, accounting for 1.9 million distinctive servers internationally.
The first of the three flaws is a listing traversal flaw (CVE-2022-0072, CVSS rating: 5.8), which may very well be exploited to entry forbidden recordsdata within the internet root listing.
The remaining two vulnerabilities (CVE-2022-0073 and CVE-2022-0074, CVSS scores: 8.8) relate to a case of privilege escalation and command injection, respectively, that may very well be chained to realize privileged code execution.
“A menace actor who managed to achieve the credentials to the dashboard, whether or not by brute-force assaults or social engineering, may exploit the vulnerability to be able to execute code on the server,” Unit 42 researchers Artur Avetisyan, Aviv Sasson, Ariel Zelivansky, and Nathaniel Quist mentioned of CVE-2022-0073.
Multiple variations of OpenLiteSpeed (from 1.5.11 as much as 1.7.16) and LiteSpeed (from 5.4.6 as much as 6.0.11) are impacted by the problems, which have been addressed in variations 1.7.16.1 and 6.0.12 following accountable disclosure on October 4, 2022.