- Unit 42, the security research team of Palo Alto Networks, has found three vulnerabilities in LiteSpeed Web Server.
- The vulnerabilities, two of which are high-severity, affect both the enterprise and the open-source versions of LiteSpeed.
- LiteSpeed Technologies patched both versions of its software approximately two weeks after Palo Alto Networks found the flaws.
Palo Alto Networks’ Unit 42 has published a report on its research into LiteSpeed Web Server. The team found three vulnerabilities that affect both the open-source and the enterprise versions of the web server software maintained by LiteSpeed Technologies.
Two high-severity vulnerabilities
The first vulnerability, tracked as CVE-2022-0073, has a CVSS score of 8.8, making it a high-severity vulnerability. It exists in the External App Command field of the LiteSpeed Web Server admin dashboard and allows attackers who have access to the dashboard to execute code on the server.
The second vulnerability, CVE-2022-0074, which also has a CVSS score of 8.8, allows attackers to escalate privileges. According to the report, it is caused by a misconfiguration in the PATH environment variable. Unit 42's researchers executed code as an unprivileged user to place a malicious file in /usr/local/bin, where it was later executed by a highly privileged process such as entrypoint.sh, which runs as root. In this way the team escalated the privileges of the unprivileged user.
The third vulnerability, tracked as CVE-2022-0072, has a lower CVSS score than the other two, 5.8. It is a directory traversal vulnerability that allows attackers to bypass the server's security checks and access files that should not be reachable.
« When browsing in LiteSpeed, the server will make sure that clients only access endpoints that should be visible to them. It does so by verifying that the requested URL does not contain characters that will result in a directory traversal and thus allow them to access forbidden endpoints.
This verification is done by two regular expressions, on lines 2060 and 2061. We managed to bypass those regular expression verifications, and we were able to access paths that we were not able to access initially. »
Fixed with patches
Palo Alto Networks researchers found these vulnerabilities more than a month ago, and LiteSpeed released a patch approximately two weeks after that. OpenLiteSpeed 1.7.16.1 and LiteSpeed Web Server 6.0.12 fix the vulnerabilities.
LiteSpeed Technologies states that there might be a delay between the announcement and the auto-update in LiteSpeed Web Server, so users can update their instances manually with the command below:
/usr/local/lsws/admin/misc/lsup.sh -f -v 6.0.12
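As an added defender-side check, not code from Unit 42 or LiteSpeed, the POSIX shell helpers below cover two points from this article: whether an installed version is still older than the fixed releases named above, and which directories in a PATH string are writable by any user, the condition under which a file planted by an unprivileged account can end up executed by a root process such as entrypoint.sh. The version numbers 6.0.12 and 1.7.16.1 come from the article; the function names and the sample PATH in the comments are my own.

```shell
#!/bin/sh
# Added example (not from Unit 42 or LiteSpeed). Fixed versions are taken from the article.

# version_lt A B: succeeds when dotted numeric version A is strictly lower than B.
version_lt() {
  [ "$1" = "$2" ] && return 1
  first=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n -k4,4n | head -n1)
  [ "$first" = "$1" ]
}

# needs_update EDITION VERSION: prints "update" when VERSION predates the fixed release.
# EDITION is "lsws" (LiteSpeed Web Server, fixed in 6.0.12) or
# "openlitespeed" (OpenLiteSpeed, fixed in 1.7.16.1).
needs_update() {
  case "$1" in
    lsws)          fixed=6.0.12 ;;
    openlitespeed) fixed=1.7.16.1 ;;
    *) echo "unknown edition: $1" >&2; return 2 ;;
  esac
  if version_lt "$2" "$fixed"; then echo update; else echo ok; fi
}

# world_writable_path_dirs PATHSTRING: print each existing directory in the
# colon-separated PATHSTRING whose mode grants write access to "other".
# A root-run script resolving commands through such a directory is the
# PATH misconfiguration pattern behind CVE-2022-0074.
world_writable_path_dirs() {
  echo "$1" | tr ':' '\n' | while IFS= read -r dir; do
    [ -d "$dir" ] || continue
    perms=$(ls -ld "$dir" | cut -c1-10)   # e.g. drwxrwxrwx
    case "$perms" in
      ????????w?) echo "$dir" ;;          # 9th character: write bit for "other"
    esac
  done
}

# Usage (assumed paths, not from the article):
#   needs_update lsws "$(cat /usr/local/lsws/VERSION)"
#   world_writable_path_dirs "$(sudo sh -c 'echo $PATH')"
```

Run `world_writable_path_dirs` against the PATH that the root-owned service start-up actually uses, not the auditing shell's own PATH.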