Elttam reported the flaw to Embedthis six months ago, and the server vendor released a patch —version 3.6.5. All server versions before GoAhead 3.6.5 are presumed vulnerable, albeit researchers only verified the flaw on GoAhead versions going back to version 2.5.0 only.
Embedthis has done its part by releasing a patch and informing other upstream equipment vendors. Now, what’s left is for all hardware vendors to incorporate the GoAhead patch into a firmware update for all the affected devices. Such process is expected to take months and years, while some devices won’t receive any update because they’ve passed their end-of-life date.
IoT malware like Mirai, Hajime, BrickerBot, Persirai, and others, were seen exploiting GoAhead flaws in the past year —among with other flaws for many other vendors. Unfortunately, past events tell us that IoT malware authors will jump on this bug and start exploiting it in attacks, if they haven’t already.
