{"id":602,"date":"2019-11-05T06:33:06","date_gmt":"2019-11-05T06:33:06","guid":{"rendered":"http:\/\/zerothcode.com\/blog\/?p=602"},"modified":"2019-11-05T06:51:07","modified_gmt":"2019-11-05T06:51:07","slug":"watch-admins-two","status":"publish","type":"post","link":"https:\/\/zerothcode.com\/blog\/watch-admins-two\/","title":{"rendered":"Watch Out IT Admins! Two Unpatched Critical RCE Flaws Disclosed in rConfig"},"content":{"rendered":"<figure style=\"width: 728px\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/1.bp.blogspot.com\/-hYWkeh_8WU0\/Xb7JSfBc19I\/AAAAAAAA1lw\/dK78yB8xPxEis6jpSUwt1f50N0rJ20QogCLcBGAsYHQ\/s728-e100\/rConfig-network-configuration-management-vulnerability.png\" alt=\"rConfig network configuration management vulnerability\" width=\"728\" height=\"380\" \/><figcaption class=\"wp-caption-text\">rConfig network configuration management vulnerability<\/figcaption><\/figure>\n<p>If you&#8217;re using the popular\u00a0<b>rConfig<\/b> network configuration management utility to protect and manage your network devices, here is an important and urgent warning for you.
<\/p>\n<p>A security researcher has published details and proof-of-concept exploits for two unpatched, critical remote code execution vulnerabilities in rConfig, at least one of which allows an unauthenticated remote attacker to compromise the server and, through it, the network devices it manages.<\/p>\n<p>Written in PHP, rConfig is a free, open-source network device configuration management utility that lets network engineers configure their devices and take frequent snapshots of their configurations.<\/p>\n<p>According to the project website, rConfig is used to manage more than 3.3 million network devices,\u00a0including switches, routers, firewalls, load balancers and WAN optimizers.<\/p>\n<p><b>What&#8217;s more worrisome?\u00a0<\/b>Both vulnerabilities affect all versions of rConfig, including the latest release, 3.9.2, and no security patch was available at the time of writing.<\/p>\n<p>Both flaws were discovered by\u00a0<a href=\"https:\/\/shells.systems\/rconfig-v3-9-2-authenticated-and-unauthenticated-rce-cve-2019-16663-and-cve-2019-16662\/\" target=\"_blank\" rel=\"noopener noreferrer\">Mohammad Askar<\/a>, and each resides in a separate rConfig file: the first, tracked as CVE-2019-16662, can be exploited remotely without any authentication, while the second, tracked as CVE-2019-16663, requires an authenticated session.<\/p>\n<ul>\n<li>Unauthenticated RCE (CVE-2019-16662) in ajaxServerSettingsChk.php<\/li>\n<li>Authenticated RCE (CVE-2019-16663) in search.crud.php<\/li>\n<\/ul>\n<p>In both cases, exploitation is a single request: the attacker accesses the vulnerable file with a crafted GET parameter that injects OS commands, which are then executed on the targeted server.
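The following Python script is an added example written for this page; it is not rConfig's code, not the researcher's proof-of-concept and not part of the original article. It shows the two checks a practitioner wants after reading the above: whether a web root still contains the install directory and the two files named in the advisory, and whether access-log entries show requests to those files carrying shell metacharacters in a GET parameter, the shape of injection the researcher describes. The install directory name `install` (taken from rConfig's advice to "delete the install directory", quoted in the update further down), the directory layout of the throwaway web root, the parameter names and the log lines are all assumptions constructed for this example.

```python
"""Offline triage helper for the two rConfig flaws discussed on this page.

Two checks an administrator or responder can run:
  1. walk the rConfig web root and report whether the install directory is
     still present and where the two files named in the advisory live;
  2. scan web-server access-log lines for requests to those files whose GET
     parameters carry shell metacharacters.

Assumed, not taken from the page: the install directory is called "install",
the directory layout of the demo web root, the parameter names, and the
combined-log-format sample lines, which are constructed for this example.
"""
import os
import re
import shutil
import tempfile
from urllib.parse import parse_qsl, urlsplit

VULN_FILES = ("ajaxServerSettingsChk.php", "search.crud.php")
INSTALL_DIR = "install"  # assumed name of the post-install directory to delete


def check_webroot(webroot):
    """Report whether the install directory survives and where the named files are."""
    findings = {
        "install_dir_present": os.path.isdir(os.path.join(webroot, INSTALL_DIR)),
        "files": [],
    }
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            if name in VULN_FILES:
                rel = os.path.relpath(os.path.join(dirpath, name), webroot)
                findings["files"].append(rel.replace(os.sep, "/"))
    findings["files"].sort()
    return findings


def demo_install_dir_removal():
    """Build a throwaway web root, check it, delete the install directory, check again.

    Returns (before, after): deleting the install directory removes the
    pre-auth file but leaves search.crud.php in place, which is the residual
    risk the update section of the article describes.
    """
    root = tempfile.mkdtemp(prefix="rconfig-triage-")
    try:
        # Constructed layout; real rConfig paths may differ.
        for rel in ("install/ajaxServerSettingsChk.php", "lib/search.crud.php", "index.php"):
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write("<?php // placeholder file, not rConfig's code\n")
        before = check_webroot(root)
        shutil.rmtree(os.path.join(root, INSTALL_DIR))  # the recommended post-install step
        after = check_webroot(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)
    return before, after


# Request line inside a common/combined-format access-log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Characters that let a parameter value break out of an OS command string.
SHELL_META = re.compile(r"[;|&`$()\n]")


def suspicious_requests(log_lines):
    """Return (client, file, param, decoded_value) for every request to a
    vulnerable file whose query string carries a shell metacharacter."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue  # not a request line we understand
        parts = urlsplit(m.group("target"))
        fname = parts.path.rsplit("/", 1)[-1]
        if fname not in VULN_FILES:
            continue
        client = line.split(" ", 1)[0]
        for key, value in parse_qsl(parts.query, keep_blank_values=True):
            if SHELL_META.search(value):  # parse_qsl has already URL-decoded
                hits.append((client, fname, key, value))
    return hits


# Constructed sample lines; addresses come from the documentation ranges.
SAMPLE_LOG = [
    '198.51.100.7 - - [05/Nov/2019:06:33:06 +0000] "GET /install/ajaxServerSettingsChk.php?host=203.0.113.5%3Bid HTTP/1.1" 200 512 "-" "curl/7.64.0"',
    '198.51.100.8 - - [05/Nov/2019:06:34:10 +0000] "GET /lib/search.crud.php?q=core-switch-01 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [05/Nov/2019:06:35:42 +0000] "GET /lib/search.crud.php?q=x%7C%60id%60 HTTP/1.1" 200 640 "-" "python-requests/2.22.0"',
    '198.51.100.10 - - [05/Nov/2019:06:36:01 +0000] "GET /index.php?id=1;2 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    "malformed log line with no request",
]


if __name__ == "__main__":
    before, after = demo_install_dir_removal()
    print("before removing install dir:", before)
    print("after removing install dir: ", after)
    for hit in suspicious_requests(SAMPLE_LOG):
        print("suspicious:", hit)
```

Run it as-is to see both checks on the throwaway web root and the constructed log lines; in practice point `check_webroot` at the real rConfig document root and feed `suspicious_requests` the real access log. A hit only means a request looked like an injection attempt: whether it succeeded has to be established from the response and from what the web-server user did afterwards.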
<\/p>\n<div class=\"separator\">\n<figure style=\"width: 728px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/1.bp.blogspot.com\/-CQG_tpd4-Fw\/Xb7JnGyv0uI\/AAAAAAAA1l4\/GBda4wHzak8imPfMwJ-miUxHgznmGt7TgCLcBGAsYHQ\/s728-e100\/rConfig-vulnerability.png\"><img loading=\"lazy\" decoding=\"async\" title=\"rConfig vulnerability\" src=\"https:\/\/1.bp.blogspot.com\/-CQG_tpd4-Fw\/Xb7JnGyv0uI\/AAAAAAAA1l4\/GBda4wHzak8imPfMwJ-miUxHgznmGt7TgCLcBGAsYHQ\/s728-e100\/rConfig-vulnerability.png\" alt=\"rConfig vulnerability\" width=\"728\" height=\"503\" border=\"0\" data-original-height=\"503\" data-original-width=\"728\" \/><\/a><figcaption class=\"wp-caption-text\">rConfig vulnerability<\/figcaption><\/figure>\n<\/div>\n<p>As the screenshots shared by the researcher show, the PoC exploits give the attacker a remote shell on the victim&#8217;s server, from which they can run arbitrary commands with the same privileges as the web application itself.<\/p>\n<p>Meanwhile, another independent security researcher analysed the flaws and\u00a0<a href=\"https:\/\/www.sudokaikan.com\/2019\/11\/cve-2019-16662-cve-2019-16663.html\" target=\"_blank\" rel=\"noopener noreferrer\">discovered<\/a>\u00a0that the second RCE vulnerability can also be exploited without authentication in rConfig versions prior to 3.6.0.<\/p>\n<blockquote class=\"tr_bq\"><p>&#8220;After reviewing rConfig&#8217;s source code, however, I found out that not only rConfig 3.9.2 has those vulnerabilities but also all versions of it. Furthermore, CVE-2019-16663, the post-auth RCE, can be exploited without authentication for all versions before rConfig 3.6.0,&#8221; said the researcher, who goes by the online alias Sudoka.
<\/p><\/blockquote>\n<h2>Important Update<\/h2>\n<p>It turns out that not all rConfig installations are vulnerable to the first, pre-authentication RCE flaw, contrary to the initial reports, SANS security researcher Johannes Ullrich told The Hacker News.<\/p>\n<p>After analyzing the zero-day vulnerabilities, Ullrich\u00a0<a href=\"https:\/\/isc.sans.edu\/forums\/diary\/rConfig+Install+Directory+Remote+Code+Execution+Vulnerability+Exploited\/25484\/\" target=\"_blank\" rel=\"noopener noreferrer\">found<\/a> that the file affected by the first vulnerability lives in a directory that is only needed while rConfig is being installed on a server and is meant to be removed once installation is complete.<\/p>\n<p>On its website, as part of a list of essential post-installation tasks, rConfig also\u00a0<a href=\"http:\/\/help.rconfig.com\/gettingstarted\/postinstall\" target=\"_blank\" rel=\"noopener noreferrer\">recommends<\/a>\u00a0that users &#8220;delete the install directory after the installation is complete.&#8221;<\/p>\n<p>This means that users who deleted the rConfig install directory as recommended are not exposed to the first RCE flaw, but may still be at risk from the second, which has a similar impact and, as explained above, requires no authentication on versions before 3.6.0.<\/p>\n<p>If you are using rConfig, it is recommended that you temporarily remove the application from your server, or switch to an alternative, until security patches are available. At a minimum, verify that the install directory really has been deleted, and do not expose the rConfig web interface to untrusted networks.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>If you&#8217;re using the popular\u00a0rConfig network configuration management utility to protect and manage your network devices, here we 
have<\/p>\n","protected":false},"author":1,"featured_media":603,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[37],"tags":[],"yst_prominent_words":[392,391,380,377,375,175,352,378,176,376,386,385,384,379,350,387,260,389,388,390],"class_list":["post-602","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-hackers-news"],"_links":{"self":[{"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/posts\/602","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/comments?post=602"}],"version-history":[{"count":0,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/posts\/602\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/media\/603"}],"wp:attachment":[{"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/media?parent=602"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/categories?post=602"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/tags?post=602"},{"taxonomy":"yst_prominent_words","embeddable":true,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/yst_prominent_words?post=602"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}