Researchers at Cisco Talos discovered two new vulnerabilities, one of them critical, in the EmbedThis GoAhead web server. The flaws allow an unauthenticated attacker to execute third-party code on a device or to cause a denial-of-service condition. The problem can affect a wide range of network and medical equipment, mobile phones and office equipment.
“EmbedThis’ GoAhead Web Server contains two vulnerabilities that both arise when the software attempts to process a multi-part/form-data HTTP request. An attacker could exploit these vulnerabilities to remotely execute code on the victim machine, or cause a denial-of-service condition”, — writes Cisco Talos researcher Jon Munshaw.
GoAhead Web Server is a popular embedded web server designed to be a fully customizable web application framework and server for embedded devices. It provides all the base HTTP server functionality and provides a highly customizable platform for developers of embedded web applications.
One of the flaws is rated critical. The vulnerability, registered as CVE-2019-5096, allows execution of malicious code through a GET or POST request.
“When processing an HTTP request with multiple Content-Disposition headers, a use-after-free state may occur. The problem is cleaning up the heap structures used to store different parts of the request”, – explains researcher Jon Munshaw.
An attacker does not need to be authenticated on the server to exploit the vulnerability. Moreover, the resource named in the request does not have to exist on the device. The bug can lead to execution of third-party code within the system; it received a near-maximum severity rating of 9.8 points on the CVSS scale.
Whether an attack succeeds depends on the server configuration: according to information security experts, in some stock builds of the product the error cannot lead to the launch of third-party code.
The second vulnerability is much less dangerous and is rated by experts at 5.3 points on the CVSS scale. Like the first bug, it is associated with incorrect processing of multi-part HTTP GET and POST requests. If the connection is dropped before the data specified by the Content-Length header has been fully processed, the server keeps sending a response to the disconnected node in an endless loop. This creates the conditions for full processor load and denial of service.
“The exploitation of the CVE-2019-5097 vulnerability largely depends on the system resources available on the device. Instruments with a powerful processor and large RAM are less susceptible to attack”, – says Cisco Talos researcher Jon Munshaw.
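A defensive check for the two request conditions described above, as an added example that is not taken from the Talos report or from EmbedThis code: a log analyzer or proxy pre-filter that flags a multipart part carrying more than one Content-Disposition header and a body shorter than its declared Content-Length. Reading "multiple Content-Disposition headers" as duplicates within a single part is an assumption, as are the function names, finding labels and the constructed sample requests.

```python
import re

def inspect_request(raw: bytes) -> list:
    """Return finding labels for one raw HTTP request (head plus body bytes received)."""
    findings = []
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()

    # Check 1: the peer went away before sending the bytes Content-Length promised.
    clen = headers.get(b"content-length", b"")
    if clen.isdigit() and len(body) < int(clen):
        findings.append("body-shorter-than-content-length")

    # Check 2 (assumed reading): one multipart part with repeated Content-Disposition.
    ctype = headers.get(b"content-type", b"")
    m = re.search(rb'boundary="?([^";]+)"?', ctype, re.I)
    if ctype.lower().startswith(b"multipart/form-data") and m:
        for part in body.split(b"--" + m.group(1))[1:]:
            part_head = part.partition(b"\r\n\r\n")[0]
            if len(re.findall(rb"(?im)^content-disposition\s*:", part_head)) > 1:
                findings.append("duplicate-content-disposition")
                break
    return findings

# Constructed sample requests (not captured traffic); host and path are placeholders.
BOUNDARY = b"XBOUND"
CD = b'Content-Disposition: form-data; name="field"'

def build(part_headers, missing_bytes=0):
    """Build a one-part multipart request; missing_bytes simulates an early disconnect."""
    body = (b"--" + BOUNDARY + b"\r\n" + b"\r\n".join(part_headers)
            + b"\r\n\r\nvalue\r\n--" + BOUNDARY + b"--\r\n")
    head = (b"POST /form HTTP/1.1\r\nHost: device.example\r\n"
            b"Content-Type: multipart/form-data; boundary=" + BOUNDARY + b"\r\n"
            b"Content-Length: " + str(len(body) + missing_bytes).encode())
    return head + b"\r\n\r\n" + body

if __name__ == "__main__":
    for label, raw in [("normal", build([CD])), ("duplicate", build([CD, CD])),
                       ("truncated", build([CD], missing_bytes=64))]:
        print(label, inspect_request(raw))
```

A finding here marks a request worth reviewing; it does not establish that the target runs an affected GoAhead version.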
Both bugs affect GoAhead web server versions 5.0.1, 4.1.1 and 3.6.5. The developers received information about the identified shortcomings at the end of August this year, and on November 21 released updates for all vulnerable products. Device manufacturers must now prepare patches for devices using EmbedThis embedded servers.
In 2017, information security specialists had already found RCE bugs in the GoAhead product line. A bug in the CGI request handler allowed attackers to remotely launch a malicious script on the device.
The developers fixed the bugs by issuing a new product release.