Critical Remote Code Execution Flaw Found in Open Source rConfig Utility

The network configuration management utility has two unpatched critical remote code execution vulnerabilities.

Two bugs in the network configuration utility rConfig have been identified, both allowing remote code execution on affected systems. Worse, one is rated critical and allows for a user to attack a system remotely – sans authentication.

RConfig is a free open-source configuration management utility used by over 7,000 network engineers to take snapshots of over 7 million network devices, according the project’s website.

The vulnerabilities (CVE-2019-16663CVE-2019-16662) are both tied to rConfig version 3.9.2. The more serious of the two vulnerabilities (CVE-2019-16662) allows an attacker to execute system commands on affected devices via GET requests, which can lead to command instructions.

“I was able to detect two remote command execution vulnerabilities in two different files, the first one called ‘ajaxServerSettingsChk.php’ file which suffers from an unauthenticated RCE that could triggered by sending a crafted GET request via ‘rootUname’ parameter which is declared in line,” wrote Mohammad Askar, the researcher who discovered the vulnerabilities.

This flaw has the higher CVSS (v3.1) rating of 9.8 out of 10. The second bug (CVE-2019-16663) has a high CVSS (v3.1) rating of 8.8.

“The second vulnerability has been discovered in a file called ‘search.crud.php’ which suffers from an authenticated RCE that could triggered by sending a crafted GET request that contains two parameters,” he wrote.

Askar said he reported both vulnerabilities on Sept. 19, 2019. He wrote, he did not receive a “fix release date or even a statement that they will fix the vulnerability,” so after 35 days “with no response” he released a proof-of-concept exploit on Oct. 25.

On Nov. 4, researcher Johannes Ullrich, dean of research with the SANS Technology Institute, reported honeypot activity tied to both vulnerabilities.

“I was somewhat surprised that I saw pretty active exploitation of the vulnerability. The exploits came from over 300 different sources at that point, and still kept coming in at a pretty steady pace,” Ullrich wrote.

The researcher said the honeypot analysis suggested that traffic was not generated by security firms or researchers, rather “a botnet is used to scan for the vulnerability, and the origin hosts have been infected themselves.” Scanning hosts appear to be primarily based in China.

“It looks like we got all the pieces in place for a major security issue,” Ullrich said.

Additional research into the rConfig vulnerabilities, published on Sunday, suggest the security issues aren’t limited to rConfig version 3.9.2.

“After reviewing rConfig’s source code, however, I found out that not only rConfig 3.9.2 has those vulnerabilities but also all versions of it,” wrote a researcher by the name of Sudoka. “Furthermore, CVE-2019-16663, the post-auth RCE can be exploited without authentication for all versions before rConfig 3.6.0.”

There are steps for mitigation, however a message left on the rConfig project page is discouraging, Ullrich said. The project’s main website doesn’t appear to be updating and the GitHub repository has a message: “I am no longer fixing bugs on rConfig version 3.x. I will manage PRs.”

Credit : ThreatPost

Hope this article helpful for you. Thank You


If You Appreciate What We Do Here On Hackonology, You Should Consider:

Hackonology is the fastest growing and most trusted community site where you can find lots of courses, articles about Technology/Hacking/Cracking. Millions of people visit Hackonology! to search or browse the thousands of published articles available FREELY to all.

Let's be a part of Hacker's Community! Join our Hacking Team

We Are Indian We Are Great


Leave a Comment

Your email address will not be published.