Researchers from the information security company Cisco Talos found two vulnerabilities in the GoAhead web server, one of which is critical and scored 9.8 points on the CVSS scale.
The GoAhead web server was developed by a small American company, Embedthis Software LLC, and, according to the official website, it is actively used in products of major manufacturers such as Comcast, Oracle, D-Link, ZTE, HP, Siemens, Canon and so on. GoAhead's popularity is easily explained: the web server can run even on IoT devices whose resources are very limited, that is, routers, printers, cameras and other network equipment. A Shodan search reveals that more than 1.3 million internet-connected systems use GoAhead.
Cisco Talos experts report that they discovered two vulnerabilities in the GoAhead web server, including a critical issue that could be used to remotely execute code.
“EmbedThis’ GoAhead Web Server contains two vulnerabilities that both arise when the software attempts to process a multi-part/form-data HTTP request. An attacker could exploit these vulnerabilities to remotely execute code on the victim machine, or cause a denial-of-service condition”, write the Cisco Talos experts.
The critical bug, CVE-2019-5096, which scored 9.8 points on the CVSS scale, is related to the processing of multi-part/form-data requests.
“By sending specially crafted HTTP requests, an unauthenticated attacker could exploit the vulnerability to provoke a use-after-free state, which ultimately entails the execution of arbitrary code on the server”, Cisco Talos explains of this critical vulnerability.
The second vulnerability received the identifier CVE-2019-5097 and can be used by an unauthenticated attacker to provoke a denial of service (DoS), also by sending specially prepared HTTP requests.
A specially crafted HTTP request can lead to an infinite loop in the process. The request can be unauthenticated in the form of GET or POST requests and does not require the requested resource to exist on the server.
Solution:
According to the researchers, the vulnerabilities affect GoAhead versions 5.0.1, 4.1.1 and 3.6.5. Back in August, the experts notified the EmbedThis developers about the problems, who released fixes for both holes on November 21, 2019.