Watch Out IT Admins! Two Unpatched Critical RCE Flaws Disclosed in rConfig
If you're using the popular rConfig network configuration
management utility to protect and manage your network devices, here we
have an important and urgent warning for you.
A cybersecurity researcher has recently published details and
proof-of-concept exploits for two unpatched, critical remote code
execution vulnerabilities in the rConfig utility, at least one of which
could allow unauthenticated remote attackers to compromise targeted
servers, and connected network devices.
Written in native PHP, rConfig is a free, open source network device
configuration management utility that allows network engineers to
configure and take frequent configuration snapshots of their network
devices.
According to the project website, rConfig is used to manage more
than 3.3 million network devices, including switches, routers,
firewalls, load balancers, and WAN optimizers.
What's more worrisome? Both vulnerabilities affect all versions
of rConfig, including the latest rConfig version 3.9.2, with no security
patch available at the time of writing.
Discovered by Mohammad Askar,
each flaw resides in a separate file of rConfig—one, tracked as
CVE-2019-16662, can be exploited remotely without requiring
pre-authentication, while the other, tracked as CVE-2019-16663, requires
authentication before its exploitation.
- Unauthenticated RCE (CVE-2019-16662) in ajaxServerSettingsChk.php
- Authenticated RCE (CVE-2019-16663) in search.crud.php
In both cases, exploiting the flaw requires nothing more than requesting the vulnerable file with a malformed GET parameter crafted to execute OS commands on the targeted server.
As shown in the screenshots shared by the researcher, the PoC exploits give attackers a remote shell on the victim's server, enabling them to run arbitrary commands on the compromised server with the same privileges as the web application.
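Until a patch exists, the practical defensive step beyond taking rConfig offline is to check web server logs for requests to the two files named above carrying shell metacharacters in their query string. The following is an added example, not code from the article or from the rConfig project; the URL paths, parameter names and log lines are constructed for illustration, and only the two file names come from the advisory.

```python
import re
from urllib.parse import unquote_plus, urlsplit, parse_qsl

# File names taken from the advisory; the full path is not given on the page,
# so matching is done on the basename only.
VULNERABLE_FILES = {"ajaxServerSettingsChk.php", "search.crud.php"}

# Shell metacharacters and command names that a settings-check or search
# parameter should never legitimately contain.
SHELL_META = re.compile(r"[;|&`$]|\b(?:sh|bash|nc|curl|wget)\b")

# Apache/nginx "combined" log format (only the fields we need are captured).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

def analyse_line(line):
    """Return a dict describing a request to a vulnerable file, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    basename = parts.path.rsplit("/", 1)[-1]
    if basename not in VULNERABLE_FILES:
        return None
    # parse_qsl decodes once; decode again so double-encoded payloads
    # (e.g. %2526 -> %26 -> &) are still inspected in their final form.
    decoded = {k: unquote_plus(v) for k, v in parse_qsl(parts.query, keep_blank_values=True)}
    suspicious = {k: v for k, v in decoded.items() if SHELL_META.search(v)}
    return {
        "ip": m.group("ip"),
        "file": basename,
        "status": int(m.group("status")),
        "suspicious_params": suspicious,
        # ajaxServerSettingsChk.php is the endpoint reachable without login
        "unauth_endpoint": basename == "ajaxServerSettingsChk.php",
    }

def find_injection_attempts(lines):
    """Keep only requests to vulnerable files whose parameters look like command injection."""
    results = (analyse_line(line) for line in lines)
    return [r for r in results if r and r["suspicious_params"]]

# Constructed sample log lines (paths and parameter names are hypothetical).
SAMPLE_LOG = [
    '203.0.113.7 - - [04/Nov/2019:10:15:32 +0000] "GET /rconfig/ajaxServerSettingsChk.php?param=%3Bid HTTP/1.1" 200 512 "-" "curl/7.64.0"',
    '198.51.100.4 - - [04/Nov/2019:10:16:01 +0000] "GET /rconfig/search.crud.php?searchTerm=core-switch-01 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [04/Nov/2019:10:16:40 +0000] "GET /rconfig/search.crud.php?searchTerm=x%2526curl HTTP/1.1" 200 300 "-" "curl/7.64.0"',
    '198.51.100.4 - - [04/Nov/2019:10:17:05 +0000] "GET /rconfig/index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in find_injection_attempts(SAMPLE_LOG):
        print(hit)
```

A match here is a signal to review the host, not proof of compromise; a successful exploit typically also leaves a child process of the web server user running a shell.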
Meanwhile, another independent security researcher analysed the flaws and discovered that the second RCE vulnerability could also be exploited without requiring authentication in rConfig versions prior to version 3.6.
"After reviewing rConfig's source code, however, I found out that not only rConfig 3.9.2 has those vulnerabilities but also all versions of it. Furthermore, CVE-2019-16663, the post-auth RCE can be exploited without authentication for all versions before rConfig 3.6.0," said the researcher, who goes by online alias Sudoka.
Askar responsibly reported both vulnerabilities to the rConfig project maintainers almost a month back and then recently decided to release details and PoC publicly after the maintainers failed to acknowledge or respond to his findings.
If you are using rConfig, you are recommended to temporarily remove it from your server until security patches arrive.