Engineers at Cisco Talos have found two GoAhead embedded web server vulnerabilities, including a critical flaw that can be exploited to execute the remote software.
GoAhead, developed by EmbedThis, is marketed as “the world’s most popular small embedded Web server.” Both open source as well as company versions are available. A GoAhead quest for Shodan currently shows more than 1.3 million devices connected to the internet.
Talos ‘ critical GoAhead vulnerability relates to how multi-part / form data requests are handled. An unauthenticated assailant can exploit that weakness to cause a free use and execute arbitrary HTTP requests on the server.
The safety hole is monitored as CVE-2019-5096 and a CVSS score of 9.8 has been given.
The second vulnerability found by Talos researchers in the GoAfront web server is CVE-2019-5097, which can be used to trigger a denial of service condition (DoS) by an unauthenticated attacker to send specially crafted HTTP queries.
Malicious requests can cause the DoS condition by triggering an infinite loop. This problem is only regarded as “medium” in severity.
Talos has reproduced 5.0.1, 4.1.1 and 3.6.5 vulnerabilities. The company reported to EmbedThis its findings at the end of August and on 21 November the vendor released patches for both security holes.
Cisco has issued advisories for both vulnerabilities, providing technical information.
Although very common, in recent years not many vulnerabilities have been found in GoAhead. A DoS fault was disclosed earlier this year and a potential vulnerability in remote code execution–the weakness could only be triggered in special circumstances –was disclosed at the end of 2017.