Experts have warned that OpenLiteSpeed Web Server, a popular open source web server, contained several very serious security vulnerabilities.
Actors who successfully exploited these vulnerabilities would be granted full remote code execution privileges, noted researchers at Unit 42, Palo Alto Networks’ cybersecurity research arm.
The team discovered that OpenLiteSpeed Web Server contained three high severity vulnerabilities, namely CVE-2022-0073 (8.8, high severity remote code execution vulnerability), CVE-2022-0074 (8.8, high severity privilege escalation) and CVE-2022-0072 (5.8, medium severity directory browsing bug). The vulnerabilities also affected the Enterprise edition, LiteSpeed Web Server.
Patch ready
Unit 42 notified LiteSpeed Technologies of its findings, which then patched the bugs and released new versions of the server, urging users to update their software immediately.
Organizations using OpenLiteSpeed versions 1.5.11 – 1.7.16 and LiteSpeed versions 5.4.6 – 6.0.11 are asked to bring their endpoints to 1.7.16.1 and 6.0.12 respectively as soon as possible.
According to Unit 42, LiteSpeed Web Server is the sixth most popular web service, powering around 2% of all web server applications, with nearly 1.9 million unique servers worldwide.
“We tried to mimic the actions of the adversary and engaged in research with the intention of finding vulnerabilities and exposing them to the vendor,” explained the researchers in a blog post.
“This research resulted in the discovery of three vulnerabilities that apply to both enterprise and open source solutions. These could be bundled and exploited by an adversary who has admin dashboard credentials to gain privileged code execution on sensitive components.”
Web servers have come a long way in terms of security and protection, concludes Unit 42, adding that despite optimistic prospects, vulnerabilities are still being discovered due to the rapid pace of technological evolution.