A vulnerability, which was classified as critical, has been found in LiteSpeed OpenLiteSpeed up to 1.5.0 RC5. This issue affects an unknown functionality of the component Byte Sequence Handler. The manipulation as part of a Request leads to a input validation vulnerability. Using CWE to declare the problem leads to CWE-20. The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. Impacted is confidentiality, integrity, and availability. The summary by CVE is:

The server in LiteSpeed OpenLiteSpeed before 1.5.0 RC6 does not correctly handle requests for byte sequences, allowing an attacker to amplify the response size by requesting the entire response body repeatedly, as demonstrated by an HTTP Range header value beginning with the "bytes=0-,0-" substring.

The bug was discovered 11/28/2018. The weakness was published 12/03/2018 (Website). It is possible to read the advisory at github.com. The identification of this vulnerability is CVE-2018-19791 since 12/03/2018. The exploitation is known to be easy. The attack may be initiated remotely. The successful exploitation needs a simple authentication. The technical details are unknown and an exploit is not publicly available.

The vulnerability was handled as a non-public zero-day exploit for at least 5 days. During that time the estimated underground price was around $0-$5k.

Upgrading to version 1.5.0 RC6 eliminates this vulnerability.

Similar entry is available at 127416.

Productinfo

Vendor

• LiteSpeed

Name

• OpenLiteSpeed

Version

• 1.5.0 RC5

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion