Security researchers from the security firm Elttam have discovered a critical vulnerability (tracked as CVE-2017-17562) in the GoAhead tiny web server that affects many IoT devices. The vulnerability allows an attacker to execute malicious code remotely on affected devices.
According to the researchers:
This blog post details CVE-2017-17562, a vulnerability which can be exploited to gain reliable remote code execution in all versions of the GoAhead web server < 3.6.5.
The GoAhead web server is very popular with hardware vendors (such as Comcast, IBM, Boeing, Oracle, D-Link, ZTE) since it can run on devices with limited resources, such as Internet of Things (IoT) devices, routers, printers, and other networking equipment.
Attackers can exploit this vulnerability only if CGI support is enabled and the CGI program is dynamically linked, which is a very common configuration.
“The vulnerability is a result of initialising the environment of forked CGI scripts using untrusted HTTP request parameters, and will affect all users who have CGI support enabled with dynamically linked executables (CGI scripts).”
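The root cause quoted above is a CGI launcher that turns request parameters into environment variables of the forked CGI process under names the client chooses. The following is an added example, written for this article and not GoAhead's own code, that contrasts that unsafe pattern with a hardened builder: the hardened version validates each parameter name as a plain identifier and places it under a constant, server-chosen prefix (here the assumed prefix `CGI_PARAM_`), so a request can never pick the full name of a variable the dynamic loader, libc or the CGI program itself interprets. The query strings are constructed sample input.

```c
/* Added example (not GoAhead code): deriving a CGI child's environment
   from HTTP request parameters, unsafe pattern vs. hardened pattern. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_ENV   32
#define MAX_ENTRY 256

/* A parameter name may become (part of) an environment variable name only
   if it is a plain identifier: letters, digits and underscore, not starting
   with a digit. Anything else (slashes, '=', spaces, ...) is rejected. */
int cgi_param_name_ok(const char *name) {
    if (name == NULL || *name == '\0' || isdigit((unsigned char)*name))
        return 0;
    for (const char *p = name; *p; p++)
        if (!isalnum((unsigned char)*p) && *p != '_')
            return 0;
    return 1;
}

/* Unsafe pattern, the bug class the article describes: every "name=value"
   pair from the query string is copied verbatim into the child environment,
   so the variable NAME is chosen by the client. Kept only for contrast. */
int env_from_params_unsafe(const char *query, char env[][MAX_ENTRY], int max) {
    char buf[1024];
    int n = 0;
    strncpy(buf, query, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    for (char *tok = strtok(buf, "&"); tok != NULL && n < max; tok = strtok(NULL, "&"))
        snprintf(env[n++], MAX_ENTRY, "%s", tok);   /* name=value, unfiltered */
    return n;
}

/* Hardened pattern: the name is validated and namespaced under a constant
   prefix (CGI_PARAM_ is an assumed, server-side choice). The client can
   influence only the suffix, never the whole variable name. */
int env_from_params_safe(const char *query, char env[][MAX_ENTRY], int max) {
    char buf[1024];
    int n = 0;
    strncpy(buf, query, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    for (char *tok = strtok(buf, "&"); tok != NULL && n < max; tok = strtok(NULL, "&")) {
        char *eq = strchr(tok, '=');
        if (eq == NULL)
            continue;                 /* parameter without a value: skip */
        *eq = '\0';
        const char *name = tok, *value = eq + 1;
        if (!cgi_param_name_ok(name))
            continue;                 /* malformed name: drop, do not export */
        snprintf(env[n++], MAX_ENTRY, "CGI_PARAM_%s=%s", name, value);
    }
    return n;
}

int main(void) {
    /* Constructed sample query: two well-formed parameters, two malformed. */
    const char *query = "page=1&foo=bar&bad/name=x&9abc=y";
    char env[MAX_ENV][MAX_ENTRY];
    int n = env_from_params_safe(query, env, MAX_ENV);
    for (int i = 0; i < n; i++)
        printf("exported: %s\n", env[i]);
    return 0;
}
```

A launcher that only exports `QUERY_STRING` as a whole (the classic CGI meta-variable) and lets the CGI program parse it needs no per-parameter export at all; where per-parameter variables are wanted, the prefix plus identifier check above is the minimum a reviewer should expect to see before the fork.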
A basic Shodan search gives an idea of the impact of this vulnerability: the results show that between 400K and 700K devices are presumably affected.