GoAhead Web Servers Vulnerable to Remote Code Execution

Researchers at Elttam discovered a vulnerability, CVE-2017-17562, in GoAhead web servers prior to version 3.6.5, which are used in hundreds of thousands of IoT devices, including products from Canon, Comcast, D-Link, Oracle, HP, and Siemens. The vulnerability exists when CGI is enabled and a CGI program is dynamically linked, a common configuration; between 500,000 and 700,000 devices are believed to be affected. If exploited, this vulnerability could allow a remote threat actor to execute code on the affected device. While GoAhead has updated their web server to patch the vulnerability, hardware vendors now need to push firmware updates to their affected products. Threat actors will likely attempt to capitalize on this wide-reaching vulnerability by targeting the affected products in order to use them as nodes in a botnet or to spread malware. The NJCCIC recommends all users and administrators of the affected products review the Elttam blog post, use the proof-of-concept code to test if devices are vulnerable, and immediately patch all affected products as updates become available. Additionally, users should take steps to secure IoT devices by isolating them from the public internet where possible, changing the default passwords and enabling multi-factor authentication where available, closing all unnecessary ports and services, and whitelisting IP addresses/IP subnets or requiring a VPN to access the local network.
