Multiple high-severity flaws in the open-source OpenLiteSpeed Web Server and its enterprise variant have been discovered, which could be exploited to achieve remote code execution.
"Adversaries could compromise the web server and gain fully privileged remote code execution by chaining and exploiting the vulnerabilities," Palo Alto Networks Unit 42 said in a Thursday report.
OpenLiteSpeed, the open-source edition of LiteSpeed Web Server, is the world's sixth most popular web server, with 1.9 million unique servers.
The first of the three flaws is a directory traversal flaw (CVE-2022-0072, CVSS score: 5.8) that could be used to gain access to restricted files in the web root directory.
The remaining two vulnerabilities (CVE-2022-0073 and CVE-2022-0074, CVSS scores: 8.8) are related to privilege escalation and command injection, respectively, which could be chained to achieve privileged code execution.
CVE-2022-0073 was discovered by Unit 42 researchers Artur Avetisyan, Aviv Sasson, Ariel Zelivansky, and Nathaniel Quist. "A threat actor who managed to gain the credentials to the dashboard, whether through brute-force attacks or social engineering, could exploit the vulnerability in order to execute code on the server," they said.
The problems affect many versions of OpenLiteSpeed (from 1.5.11 to 1.7.16) and LiteSpeed (from 5.4.6 to 6.0.11), and have been fixed in versions 126.96.36.199 and 6.0.12 following responsible disclosure on October 4, 2022.
OLS Upgraded from 1.6 to 1.7.16 :
On all connected servers, we have updated and upgraded the Openlitespeed version from 1.6 to 1.7.16 with the latest patch.
LiteSpeed/1.7.16 Open (BUILD built: Mon Oct 17 21:33:28 UTC 2022).
On a newly configured server, you will also receive OLS version 1.7.16.
To determine your server's OLS version, use the following command.