Two new vulnerabilities were found in GoAhead, a tiny web server application embedded in millions of Internet-connected smart devices.
One of the two vulnerabilities, tracked as CVE-2019-5096, is a critical code execution flaw that attackers can exploit to execute malicious code on vulnerable devices and take control of them.
This vulnerability resides in the way multipart/form-data requests are processed within the base GoAhead web server application, and it affects GoAhead Web Server versions v5.0.1, v4.1.1, and v3.6.5.
The researchers at Cisco Talos stated that, while the server processes a specially crafted HTTP request, an attacker exploiting the vulnerability can cause a use-after-free condition on the server and corrupt heap structures, leading to code execution.
The second vulnerability, tracked as CVE-2019-5097, resides in the same component of the GoAhead Web Server and can be exploited in the same way, but it leads to denial of service rather than code execution.
According to the researchers, a specially crafted HTTP request can lead to an infinite loop in the process. The request can be an unauthenticated GET or POST, and the requested resource does not need to exist on the server.
Not every embedded device running a vulnerable version of the GoAhead web server is necessarily exploitable through both vulnerabilities.
This is mainly because GoAhead is a customizable web application framework, and each company implements the application according to its own environment and requirements, so the flaws may not be reachable on all builds.
In addition, on pages that require authentication the vulnerability cannot be reached without authenticating, because authentication is handled before the request reaches the upload handler.
Talos researchers reported the two vulnerabilities to EmbedThis, the developer of the GoAhead Web Server application, in August. The vendor addressed the issues and released security patches two weeks ago.