If you are using the popular rConfig network configuration management utility to protect and manage your network devices, here is an important and urgent warning for you.
A cybersecurity researcher has recently published details and proof-of-concept exploits for two unpatched, critical remote code execution vulnerabilities in the rConfig utility, at least one of which could allow unauthenticated remote attackers to compromise targeted servers and connected network devices.
Written in native PHP, rConfig is a free, open-source network device configuration management utility that allows network engineers to configure and take frequent configuration snapshots of their network devices.
According to the project website, rConfig is being used to manage more than 3.3 million network devices, including switches, routers, firewalls, load balancers and WAN optimizers.
What's more worrisome? Both vulnerabilities affect all versions of rConfig, including the latest rConfig version 3.9.2, with no security patch available at the time of writing.
Discovered by Mohammad Askar, each flaw resides in a separate file of rConfig: one, tracked as CVE-2019-16662, can be exploited remotely without requiring pre-authentication, while the other, tracked as CVE-2019-16663, requires authentication before its exploitation.
- Unauthenticated RCE (CVE-2019-16662) in ajaxServerSettingsChk.php
- Authenticated RCE (CVE-2019-16663) in search.crud.php
In both cases, to exploit the flaw, all an attacker needs to do is access the vulnerable files with a malformed GET parameter designed to execute malicious OS commands on the targeted server.
As shown in the screenshots shared by the researcher, the PoC exploits allow attackers to get a remote shell from the victim's server, enabling them to run any arbitrary command on the compromised server with the same privileges as the web application.
Meanwhile, another independent security researcher analysed the flaws and discovered that the second RCE vulnerability could also be exploited without requiring authentication in rConfig versions prior to version 3.6.
“After examining rConfig's source code, however, I found out that not only rConfig 3.9.2 has those vulnerabilities but also all versions of it. Additionally, CVE-2019-16663, the post-auth RCE can be exploited without authentication for all versions before rConfig 3.6,” said the researcher, who goes by the online alias Sudoka.
Askar responsibly reported both vulnerabilities to the rConfig project maintainers almost a month ago and then recently decided to release details and PoC publicly after the maintainers failed to acknowledge or respond to his findings.
If you are using rConfig, you are advised to temporarily remove it from your server until security patches arrive.
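Because both flaws are triggered by a GET request to a named file, web server access logs are where earlier attempts would show up. The following is an added example, not code from the researcher or the rConfig project: it scans common/combined-format access log lines for requests to the two files named above whose GET parameters contain shell metacharacters. The log lines, the `/PLACEHOLDER/` path and the parameter names `p` and `q` are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Files named in the advisory; matched by basename because install paths vary.
WATCHED = {
    "ajaxserversettingschk.php": "CVE-2019-16662",
    "search.crud.php": "CVE-2019-16663",
}
# Characters a shell treats as command separators or substitutions.
SHELL_META = re.compile(r"[;&|`\n\r]|\$\(|\$\{")
# Request portion of a common/combined-format access log line.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

def suspicious_requests(lines):
    """Return (ip, cve, param, status) for GETs whose parameters carry shell metacharacters."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m or m["method"] != "GET":
            continue
        url = urlsplit(m["target"])
        basename = unquote(url.path).rsplit("/", 1)[-1].lower()
        cve = WATCHED.get(basename)
        if cve is None:
            continue
        # parse_qsl percent-decodes values, so %3B / %7C encodings are caught too.
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            if SHELL_META.search(value):
                hits.append((m["ip"], cve, name, int(m["status"])))
                break
    return hits

# Constructed sample lines (documentation IPs, placeholder path and parameter names).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Nov/2019:10:00:00 +0000] "GET /index.php HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Nov/2019:10:00:05 +0000] "GET /PLACEHOLDER/ajaxServerSettingsChk.php?p=a%3B%20echo%20test HTTP/1.1" 200 34',
    '192.0.2.10 - - [01/Nov/2019:10:01:00 +0000] "GET /PLACEHOLDER/search.crud.php?q=router01 HTTP/1.1" 200 900',
    '203.0.113.9 - - [01/Nov/2019:10:02:00 +0000] "GET /PLACEHOLDER/search.crud.php?q=x%7Cecho+test HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
```

A hit is a lead to investigate, not proof of compromise; the status code and the requests that follow from the same address help decide whether the command ran.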