Two vulnerabilities have been identified in GoAhead’s EmbedThis Web Server software, which is used by hundreds of millions of Internet of Things (IoT) devices. One of them is a critical flaw that could allow an attacker to take full control of a vulnerable device.
GoAhead EmbedThis is a web server for embedded devices. The most serious flaw, CVE-2019-5096, is a remote code execution vulnerability that arises when the web server attempts to process multi-part and form-data requests.
An attacker could exploit the vulnerability by sending a specially crafted HTTP request which would trigger a use-after-free condition and corrupt heap structures, which could allow the execution of malicious code. The flaw affects GoAhead Web Server versions 5.0.1, 4.1.1, and 3.6.5.
The second flaw, CVE-2019-5097, affects the same part of the software and could also be exploited by sending a specially crafted HTTP request. Exploiting it would trigger an infinite loop in the process, causing 100% CPU utilization, which could be used in a denial-of-service attack.
Even though millions of devices are potentially affected, EmbedThis is designed to be easily customizable to meet the requirements of device manufacturers. It is therefore possible that the software has been changed in a way that would prevent exploitation of the flaws, or that an attacker would first be required to authenticate, which limits the potential for the flaw to be exploited.
The flaws were discovered by researchers at Cisco Talos who worked with the EmbedThis team to resolve the issues prior to disclosure. An update was issued two weeks ago to address the flaws. Cisco Talos reports that the flaws may not be exploitable on all builds.