Details on the proof-of-concept (PoC) exploit for two unpatched, critical remote code execution (RCE) vulnerabilities in the network configuration management utility rConfig have been recently disclosed. At least one of the flaws could allow remote compromise of servers and connected network devices.
Written in native PHP, rConfig is an open source utility that allows network engineers to configure and take frequent configuration snapshots of their networked devices. The utility is also used for customized device commands, bulk configuration management, and Telnet and SSHv2 support. The rConfig official site claims that the tool is used by over 7,000 network engineers in managing more than 3.3 million devices. These would include firewalls, load balancers, routers, switches, and wide area network (WAN) optimizers.
Both discovered vulnerabilities affect all versions of rConfig, including its latest version (3.9.2). No security update has been made available at the time of writing. The two identified vulnerabilities are designated as:
Mohammad Askar, the security researcher who discovered the vulnerabilities, shared that each flaw resides in a separate file of rConfig. Designated as CVE-2019-16662, the unauthenticated RCE in ajaxServerSettingsChk.php allows an attacker to directly execute system commands through a GET request. Command execution is possible because the rootUname parameter is passed to the exec function without filtering. CVE-2019-16663, the RCE that resides in search.crud.php, on the other hand, requires authentication before it can be exploited. Askar’s PoC exploit was released after 35 days of “no response” from rConfig’s main developer.
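As an added illustration (not rConfig's own code) of the pattern the article describes and one way a PHP handler can be hardened against it: the handler refuses unauthenticated requests, allow-list validates the rootUname value before anything reaches exec, and still quotes it with escapeshellarg. The command run, the session layout and all function names are assumptions.

```php
<?php
// Added illustration, not rConfig's code: it models the flaw the article
// describes (a GET parameter reaching exec() with no filtering, and no
// authentication gate) and a hardened handler. The command run, the
// session layout and all function names are assumptions.

// Hypothetical session check: the unauthenticated flaw shows why a handler
// that reaches exec() must refuse anonymous requests before anything else.
function require_authenticated_session(array $session): void {
    if (empty($session['user_id'])) {
        http_response_code(403);
        exit('authentication required');
    }
}

// Allow-list validation: accept only an RFC 1123 style hostname, so shell
// metacharacters (; | & $ ` and whitespace) can never reach the command line.
function validate_hostname(string $value): ?string {
    $label = '(?!-)[A-Za-z0-9-]{1,63}(?<!-)';
    if ($value === '' || strlen($value) > 253) {
        return null;
    }
    return preg_match("/^{$label}(\\.{$label})*$/", $value) ? $value : null;
}

// Hardened replacement for an ajaxServerSettingsChk-style handler.
function check_server_settings(array $query, array $session): array {
    require_authenticated_session($session);

    $host = validate_hostname((string) ($query['rootUname'] ?? ''));
    if ($host === null) {
        return ['ok' => false, 'error' => 'rootUname is not a valid hostname'];
    }

    // Even a validated value is quoted; escapeshellarg() is the second layer,
    // never the only one. (The command rConfig actually runs is not stated in
    // the article; 'getent hosts' stands in for it here.)
    $output = [];
    $rc = 0;
    exec('getent hosts ' . escapeshellarg($host), $output, $rc);

    return ['ok' => $rc === 0, 'output' => $output];
}

// Usage in a request handler: check_server_settings($_GET, $_SESSION);
```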
Another researcher, who goes by the name of Sudoka, analyzed the flaws and found that the second RCE could even be exploited without authentication in rConfig versions prior to 3.6.0. Moreover, as noted by Johannes Ullrich of SANS Technology Institute, the file affected by the first flaw actually belongs to a directory that rConfig instructs users to delete after installation. This means users are not vulnerable if they completed the installation and deleted the install directory.
Although rConfig does not appear to be actively maintained anymore, users of rConfig should consider temporarily removing the application from their servers until security patches are released.
Users of PHP environments can also adopt the following best practices to deter intrusions that may exploit the vulnerabilities:
Threats exploiting the aforementioned RCE vulnerabilities can be mitigated by the Trend Micro™ Deep Security™ and Vulnerability Protection solutions, which protect systems and users from threats via this Deep Packet Inspection (DPI) rule: