Unpatched Remote Code Execution rConfig Flaws Could Affect Millions of Servers and Network Devices

Details on the proof-of-concept (PoC) exploit for two unpatched, critical remote code execution (RCE) vulnerabilities in the network configuration management utility rConfig have been recently disclosed. At least one of the flaws could allow remote compromise of servers and connected network devices.

Written in native PHP, rConfig is an open source utility that allows network engineers to configure and take frequent configuration snapshots of their networked devices. The utility is also used for customized device commands, bulk configuration management, and Telnet and SSHv2 support. The rConfig official site claims that the tool is used by over 7,000 network engineers in managing more than 3.3 million devices. These would include firewalls, load balancers, routers, switches, and wide area network (WAN) optimizers.

The rConfig vulnerabilities

Both discovered vulnerabilities affect all versions of rConfig, including its latest version (3.9.2). No security update has been made available at the time of writing. The two identified vulnerabilities are designated as:

  • Unauthenticated RCE (CVE-2019-16662) in ajaxServerSettingsChk.php
  • Authenticated RCE (CVE-2019-16663) in search.crud.php

Mohammad Askar, the security researcher who discovered the vulnerabilities, shared that each flaw resides in a separate file of rConfig. Designated as CVE-2019-16662, the unauthenticated RCE in ajaxServerSettingsChk.php allows an attacker to directly execute system commands through a GET request. Command execution is possible due to the rootUname parameter being passed to the exec function without filtering. The RCE CVE-2019-16663 that resides in search.crud.php, on the other hand, requires authentication before its exploitation. Askar’s PoC exploit was released after 35 days of “no response” from rConfig’s main developer.

Another researcher, who goes by the name of Sudoka, has analyzed the flaws and found that the second RCE could even be exploited without authentication in rConfig versions prior to version 3.6.0. Moreover, as noted by Johannes Ullrich of SANS Technology Institute, the affected file related to the first flaw actually belongs to a directory that rConfig instructs to be deleted post-installation. Meaning, users are not vulnerable if they completed the installation and deleted the install directory.

Although rConfig does not appear to be actively maintained anymore, users of rConfig should consider temporarily removing the application from their servers until security patches are released.

PHP-FPM Vulnerability (CVE-2019-11043) can Lead to Remote Code Execution in NGINX Web Servers
Administrators and IT teams managing and maintaining a PHP-FPM-enabled website on NGINX server are advised to patch a vulnerability that can let attackers carry out remote code execution (RCE) on the vulnerable website and server.

Users of PHP environments can also adopt the following best practices to deter intrusions that may exploit the vulnerabilities:

  • Enable PHP’s built-in security controls; the Open Web Application Security Project (OWASP), in addition, has recommendations and a checklist on how to secure PHP configurations.
  • Enforce the principle of least privilege by restricting permissions, as well as access to tools or programming techniques.
  • Implement proactive incident response strategies that can prevent potential compromise or breach and identify possible threat entry points.
Security 101: Virtual Patching
What happens to an unpatched or vulnerable application or organization’s IT infrastructure? Here's how virtual patching helps enterprises address vulnerability and patch management woes.

Trend Micro Solutions

Threats exploiting the aforementioned RCE vulnerabilities can be mitigated by the Trend Micro™ Deep Security™ and Vulnerability Protection solutions, which protect systems and users from threats via this Deep Packet Inspection (DPI) rule:

  • 1005934 - Identified Suspicious Command Injection Attack (CVE-2019-16662 and CVE-2019-16663)
  • 1010046 - rConfig Remote Command Execution Vulnerability (CVE-2019-16662)
  • 1010047 - rConfig Remote Command Execution Vulnerability (CVE-2019-16663)

Trend Micro TippingPoint® customers are protected from threats and attacks that may exploit CVE-2019-16662 and CVE-2019-16663 via these MainlineDV filters:

  • 36582: HTTP: rConfig Network Management rootUname Command Injection Vulnerability
  • 36583: HTTP: rConfig Network Management search.crud.php Command Injection Vulnerability

Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.