Details of a proof-of-concept (PoC) exploit for two unpatched, critical remote code execution (RCE) vulnerabilities in the network configuration management utility rConfig were recently disclosed. At least one of the flaws can be exploited to compromise the rConfig server and, through it, the network devices it manages.
Written in native PHP, rConfig is an open source utility that lets network engineers configure their networked devices and take frequent snapshots of those configurations. It also supports custom device commands, bulk configuration management, and Telnet and SSHv2 connections. The rConfig official site claims that the tool is used by over 7,000 network engineers to manage more than 3.3 million devices, including firewalls, load balancers, routers, switches, and wide area network (WAN) optimizers.
The rConfig vulnerabilities
Both discovered vulnerabilities affect all versions of rConfig, including its latest version (3.9.2). No security update has been made available at the time of writing. The two identified vulnerabilities are designated as:
Unauthenticated RCE (CVE-2019-16662) in ajaxServerSettingsChk.php
Authenticated RCE (CVE-2019-16663) in search.crud.php
Mohammad Askar, the security researcher who discovered the vulnerabilities, shared that each flaw resides in a separate file of rConfig. The unauthenticated RCE, CVE-2019-16662, in ajaxServerSettingsChk.php allows an attacker to execute system commands directly through a single GET request: the rootUname parameter is passed to PHP's exec() function without any filtering, so shell metacharacters in the parameter value are interpreted as additional commands. The second RCE, CVE-2019-16663 in search.crud.php, requires the attacker to be authenticated before it can be exploited. Askar’s PoC exploit was released after 35 days of “no response” from rConfig’s main developer.
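The bug class described above, an unsanitized request parameter concatenated into exec(), is easiest to see with a small side-by-side. The following is an added illustration, not rConfig's code and not Askar's PoC: the command wrapped around the parameter (`id -u -n`), the function names and the sample inputs are assumptions chosen for the demonstration. The hardened form applies a strict allow-list to the value and then passes argv as an array so that no shell is involved at all.

```php
<?php
// Added illustration of the bug class described in the article: a request
// parameter dropped into exec() without filtering. This is NOT rConfig's code.
// The "id -u -n" command, the helper names and the sample inputs are
// assumptions chosen for the demonstration. Run with: php example.php

declare(strict_types=1);

// Vulnerable pattern: the parameter is concatenated into a shell command line.
// exec() hands the string to /bin/sh -c, which honours ';', '|', '$()', etc.,
// so "root; echo INJECTED" runs a second command of the attacker's choosing.
function vulnerableCommand(string $rootUname): string
{
    return "id -u -n " . $rootUname;
}

// Hardened pattern, step 1: allow-list the value before it goes near a shell.
// A Unix account name is a narrow grammar; reject anything outside it.
function isValidUsername(string $name): bool
{
    return (bool) preg_match('/^[a-z_][a-z0-9_-]{0,31}$/', $name);
}

// Hardened pattern, step 2: even after validation, never build the command by
// string concatenation. Return argv as an array; proc_open() accepts an array
// command on PHP >= 7.4 and executes it without a shell. On older PHP, wrap
// each argument with escapeshellarg() instead.
function safeCommand(string $rootUname): array
{
    if (!isValidUsername($rootUname)) {
        throw new InvalidArgumentException('invalid username: ' . $rootUname);
    }
    return ['id', '-u', '-n', $rootUname];
}

// Execute an argv array without a shell and return exit status plus stdout.
function runArgv(array $argv): array
{
    $spec = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($argv, $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('proc_open failed');
    }
    $stdout = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    return ['status' => proc_close($proc), 'output' => trim($stdout)];
}

// Constructed sample inputs: a benign value and one carrying an injected command.
$samples = ['root', 'root; echo INJECTED'];

foreach ($samples as $input) {
    echo "input: {$input}\n";

    // Vulnerable path: the injected "echo INJECTED" runs as a second command.
    $lines = [];
    exec(vulnerableCommand($input), $lines);
    echo "  vulnerable exec() ran: " . vulnerableCommand($input) . "\n";
    echo "  vulnerable exec() output: " . implode(' | ', $lines) . "\n";

    // Hardened path: the injected value never passes the allow-list.
    try {
        $argv = safeCommand($input);
        $result = runArgv($argv);
        echo "  hardened: ran " . implode(' ', $argv)
            . " -> exit {$result['status']}, output '{$result['output']}'\n";
    } catch (InvalidArgumentException $e) {
        echo "  hardened: rejected ({$e->getMessage()})\n";
    }
}
```

With the constructed inputs, the vulnerable path prints `root | INJECTED` for the second sample, showing that the trailing `echo` was executed as its own command, while the hardened path rejects that sample before anything is run. The allow-list is the primary control; passing argv as an array rather than a string is defence in depth for the case where a value slips through validation.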
Another researcher, who goes by the name of Sudoka, analyzed the flaws and found that the second RCE (CVE-2019-16663) can be exploited even without authentication in rConfig versions prior to 3.6.0. Moreover, as noted by Johannes Ullrich of SANS Technology Institute, the file affected by the first flaw (ajaxServerSettingsChk.php) belongs to the install directory, which rConfig's installation instructions tell users to delete once installation is complete. Users who completed the installation and removed the install directory are therefore not exposed to CVE-2019-16662; administrators should verify that the directory is actually gone from the web root rather than assume it was removed.
Although rConfig no longer appears to be actively maintained, users should consider temporarily removing the application from their servers until security patches are released.
Related: administrators and IT teams maintaining a PHP-FPM-enabled website on an NGINX server are also advised to patch a separate vulnerability (unrelated to rConfig) that can let attackers carry out remote code execution (RCE) on the vulnerable website and server.
Users of PHP environments can also adopt the following best practices to deter intrusions that may exploit the vulnerabilities: