A number of high-severity flaws have been uncovered within the open supply OpenLiteSpeed Internet Server in addition to its enterprise variant that might be weaponized to attain distant code execution.
“By chaining and exploiting the vulnerabilities, adversaries might compromise the net server and achieve totally privileged distant code execution,” Palo Alto Networks Unit 42 mentioned in a Thursday report.
OpenLiteSpeed, the open supply version of LiteSpeed Internet Server, is the sixth hottest internet server, accounting for 1.9 million distinctive servers the world over.
The primary of the three flaws is a listing traversal flaw (CVE-2022-0072, CVSS rating: 5.8), which might be exploited to entry forbidden recordsdata within the internet root listing.
The remaining two vulnerabilities (CVE-2022-0073 and CVE-2022-0074, CVSS scores: 8.8) relate to a case of privilege escalation and command injection, respectively, that might be chained to attain privileged code execution.
“A menace actor who managed to achieve the credentials to the dashboard, whether or not by brute-force assaults or social engineering, might exploit the vulnerability in an effort to execute code on the server,” Unit 42 researchers Artur Avetisyan, Aviv Sasson, Ariel Zelivansky, and Nathaniel Quist mentioned of CVE-2022-0073.
A number of variations of OpenLiteSpeed (from 1.5.11 as much as 1.7.16) and LiteSpeed (from 5.4.6 as much as 6.0.11) are impacted by the problems, which have been addressed in variations 1.7.16.1 and 6.0.12 following accountable disclosure on October 4, 2022.