Threat actors could leverage three security vulnerabilities in the LiteSpeed Web Server to facilitate arbitrary code execution with elevated privileges and achieve complete server takeovers, SecurityWeek reports.
Palo Alto Networks researchers discovered that the first flaw, tracked as CVE-2022-0073, pertains to a field enabling the use of a specific command to be executed upon server start up.
"This functionality is considered dangerous and therefore mitigations for abusing it were implemented. We managed to bypass the mitigations and abuse this functionality to download and execute a malicious file on the server with the privileges of the user nobody, which is an unprivileged user that traditionally exists in Linux machines," said researchers.
Another high-severity bug, tracked as CVE-2022-0074, could be exploited after abuse of the initial flaw to permit privilege escalation.
Meanwhile, attackers could leverage the path traversal bug, tracked as CVE-2022-0072, for security measure evasion and file access. LiteSpeed has already addressed the vulnerabilities.