"LiteSpeed Vulnerabilities Can Lead to Complete Web Server Takeover"

Security researchers at Palo Alto Networks have discovered vulnerabilities in LiteSpeed Web Server that can be exploited to take complete control of a targeted server. The security holes were found during an audit of OpenLiteSpeed, the open-source version of the performance-focused LiteSpeed web server made by LiteSpeed Technologies. The vulnerabilities affect both versions and have been patched in OpenLiteSpeed 1.7.16.1 and LiteSpeed 6.0.12. The researchers noted that the flaws can be exploited to compromise the targeted web server and execute arbitrary code with elevated privileges; they cannot, however, be exploited without authentication. An attacker must first obtain valid credentials for the web server's dashboard, for example through a brute-force attack or social engineering. The first vulnerability, rated "high severity" and tracked as CVE-2022-0073, lies in a field that lets users specify a command to be executed when the server starts. The second, also rated "high severity" and tracked as CVE-2022-0074, can be leveraged by an attacker who has exploited the previous flaw to escalate privileges from "nobody" to "root." The third issue, CVE-2022-0072, is a directory traversal bug that can be exploited to bypass security measures and access forbidden files.

SecurityWeek reports: "LiteSpeed Vulnerabilities Can Lead to Complete Web Server Takeover"

Submitted by Anonymous on