Critical Remote Code Execution Flaw Found in Open Source rConfig Utility | Threatpost

Two bugs in the network configuration utility rConfig have been identified, both allowing remote code execution on affected systems. Worse, one is rated critical and allows for a user to attack a system remotely – sans authentication.

RConfig is a free open-source configuration management utility used by over 7,000 network engineers to take snapshots of over 7 million network devices, according the project’s website.

The vulnerabilities (CVE-2019-16663, CVE-2019-16662) are both tied to rConfig version 3.9.2. The more serious of the two vulnerabilities (CVE-2019-16662) allows an attacker to execute system commands on affected devices via GET requests, which can lead to command instructions.

“I was able to detect two remote command execution vulnerabilities in two different files, the first one called ‘ajaxServerSettingsChk.php’ file which suffers from an unauthenticated RCE that could triggered by sending a crafted GET request via ‘rootUname’ parameter which is declared in line,” wrote Mohammad Askar, the researcher who discovered the vulnerabilities.

This flaw has the higher CVSS (v3.1) rating of 9.8 out of 10. The second bug (CVE-2019-16663) has a high CVSS (v3.1) rating of 8.8.

“The second vulnerability has been discovered in a file called ‘search.crud.php’ which suffers from an authenticated RCE that could triggered by sending a crafted GET request that contains two parameters,” he wrote.

Askar said he reported both vulnerabilities on Sept. 19, 2019. He wrote, he did not receive a “fix release date or even a statement that they will fix the vulnerability,” so after 35 days “with no response” he released a proof-of-concept exploit on Oct. 25.

On Nov. 4, researcher Johannes Ullrich, dean of research with the SANS Technology Institute, reported honeypot activity tied to both vulnerabilities.

“I was somewhat surprised that I saw pretty active exploitation of the vulnerability. The exploits came from over 300 different sources at that point, and still kept coming in at a pretty steady pace,” Ullrich wrote.

The researcher said the honeypot analysis suggested that traffic was not generated by security firms or researchers, rather “a botnet is used to scan for the vulnerability, and the origin hosts have been infected themselves.” Scanning hosts appear to be primarily based in China.

“It looks like we got all the pieces in place for a major security issue,” Ullrich said.

Additional research into the rConfig vulnerabilities, published on Sunday, suggest the security issues aren’t limited to rConfig version 3.9.2.

“After reviewing rConfig’s source code, however, I found out that not only rConfig 3.9.2 has those vulnerabilities but also all versions of it,” wrote a researcher by the name of Sudoka. “Furthermore, CVE-2019-16663, the post-auth RCE can be exploited without authentication for all versions before rConfig 3.6.0.”

There are steps for mitigation, however a message left on the rConfig project page is discouraging, Ullrich said. The project’s main website doesn’t appear to be updating and the GitHub repository has a message: “I am no longer fixing bugs on rConfig version 3.x. I will manage PRs.”

“My advice: It doesn’t look like rConfig is currently maintained (at leas the version offered for download right now). I would stay away from it,” Ullrich said.

What are the top mistakes leading to data breaches at modern enterprises? Find out: Join an expert from SpyCloud and Threatpost senior editor Tara Seals on our upcoming free Threatpost webinar, “Trends in Fortune 1000 Breach Exposure.” Click here to register.