The GoAhead web server was developed by the small American company Embedthis Software LLC and, according to the official site, this solution is actively used in their products by such large manufacturers as Comcast, Oracle, D-Link, ZTE, HP, Siemens, Canon and so on. Such popularity of GoAhead is simply explained, the fact is that the web server can run even on IoT devices, whose resources are very limited, that is, routers, printers, cameras and other network equipment. A search at Shodan reveals that more than 1.3 million internet-connected systems use GoAhead.
Cisco Talos Experts reportthat two vulnerabilities in the GoAhead web server were discovered, including a critical issue that could be used to remotely execute code.
The critical bug CVE-2019-5096, which scored 9.8 points on the CVSS scale, is related to how multi-part / form-data requests are processed. By sending specially crafted HTTP requests, an unauthenticated attacker could use the vulnerability to provoke the use-after-free state, which ultimately entails the execution of arbitrary code on the server.
The second vulnerability received the identifier CVE-2019-5097 and can be used by an unauthenticated attacker to provoke a denial of service (DoS), also by sending specially prepared HTTP requests.
According to researchers, vulnerabilities are dangerous for GoAhead versions 5.0.1, 4.1.1 and 3.6.5. Back in August, experts notified EmbedThis developers about the problems, and they released fixes for both holes on November 21, 2019.