This popular open source web server has serious security flaws

OpenLiteSpeed Web Server, a widely deployed open source web server, contained several serious vulnerabilities, security researchers have warned.

An attacker who successfully exploited these flaws, starting from admin panel credentials, would have gained fully privileged remote code execution on the server, said researchers at Unit 42, the cybersecurity research arm of Palo Alto Networks.

The team found three vulnerabilities in OpenLiteSpeed Web Server, two of them rated high severity: CVE-2022-0073 (CVSS score 8.8, a high severity remote code execution flaw), CVE-2022-0074 (CVSS score 8.8, a high severity privilege escalation flaw) and CVE-2022-0072 (CVSS score 5.8, a medium severity directory traversal flaw). The vulnerabilities also affected the enterprise version, LiteSpeed Web Server.

Patch ready

Unit 42 reported its findings to LiteSpeed Technologies, which fixed the flaws and released new versions of both servers, urging users to update their software immediately.

Organizations running OpenLiteSpeed versions 1.5.11 through 1.7.16, or LiteSpeed Web Server versions 5.4.6 through 6.0.11, are urged to upgrade to 1.7.16.1 and 6.0.12 respectively as soon as possible.
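One practical way to act on those version ranges, as an added example that is not part of the article and not LiteSpeed's own tooling: a small triage script that takes a fleet inventory of (host, product, version) entries and reports which hosts still sit inside the affected ranges. The inventory below is constructed for illustration; how you collect version strings from real hosts (config management, package queries, a server banner that happens to include the version) is assumed to be solved elsewhere. Note the deliberate third verdict: releases older than the first affected version are not covered by the advisory, so the script refuses to call them safe.

```python
import re

# Ranges as reported in the article (from Unit 42's disclosure):
# (first affected release, first fixed release). Every release from the
# first affected one up to, but not including, the fixed one is treated as
# affected; that covers "1.7.16" and any "1.7.16.0"-style spelling of it.
AFFECTED = {
    "OpenLiteSpeed": ((1, 5, 11), (1, 7, 16, 1)),
    "LiteSpeed Enterprise": ((5, 4, 6), (6, 0, 12)),
}

VERSION_RE = re.compile(r"^\d+(\.\d+){1,3}$")


def parse_version(text):
    """Turn '1.7.16.1' into (1, 7, 16, 1); reject anything that is not dotted integers."""
    text = text.strip()
    if not VERSION_RE.match(text):
        raise ValueError(f"unrecognised version string: {text!r}")
    # Python compares tuples lexicographically, so (1, 7, 16) < (1, 7, 16, 1)
    # and (6, 0, 12) < (6, 1, 0) without any padding.
    return tuple(int(part) for part in text.split("."))


def assess(product, version):
    """Return 'affected', 'fixed' or 'outside reported range' for one host."""
    if product not in AFFECTED:
        raise KeyError(f"no advisory data for product {product!r}")
    first, fixed = AFFECTED[product]
    v = parse_version(version)
    if v >= fixed:
        return "fixed"
    if v >= first:
        return "affected"
    # Older than the first affected release: the advisory says nothing about
    # it, so report it as unknown rather than safe.
    return "outside reported range"


def triage(inventory):
    """Map every host in the inventory to its verdict."""
    return {host: assess(product, version) for host, product, version in inventory}


def hosts_to_patch(inventory):
    """Hosts whose version is inside an affected range, in inventory order."""
    return [host for host, verdict in triage(inventory).items() if verdict == "affected"]


# Constructed sample inventory (hypothetical hosts, not from the article).
SAMPLE_INVENTORY = [
    ("web-01", "OpenLiteSpeed", "1.7.16"),
    ("web-02", "OpenLiteSpeed", "1.7.16.1"),
    ("web-03", "LiteSpeed Enterprise", "6.0.11"),
    ("web-04", "LiteSpeed Enterprise", "5.4.5"),
]

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {verdict}")
    print("needs upgrade:", ", ".join(hosts_to_patch(SAMPLE_INVENTORY)))
```

The "outside reported range" verdict is the part worth keeping when you adapt this: advisories list the releases the vendor tested, and a host on an older, unsupported release should be escalated for a manual check, not quietly dropped from the patch list.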

According to Unit 42, LiteSpeed is the sixth most popular web server, serving approximately 2% of all web server deployments, with nearly 1.9 million unique servers worldwide.

"We tried to mimic the actions of an adversary and engaged in research with the goal of finding vulnerabilities and disclosing them to the vendor," the researchers explained in a blog post.

"This investigation resulted in the discovery of three vulnerabilities that affect both enterprise and open source solutions. These could be chained and exploited by an adversary with admin panel credentials to gain privileged code execution on vulnerable components."

Web servers have come a long way in terms of security, Unit 42 concludes, but despite that optimistic outlook, new vulnerabilities are still being discovered as the software keeps changing at a rapid pace.