Attacker Value
Very High
(2 users assessed)
Exploitability
Very High
(2 users assessed)
User Interaction
None
Privileges Required
None
Attack Vector
Network
0

CVE-2019-16662

Disclosure Date: October 28, 2019
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

An issue was discovered in rConfig 3.9.2. An attacker can directly execute system commands by sending a GET request to ajaxServerSettingsChk.php because the rootUname parameter is passed to the exec function without filtering, which can lead to command execution.

Add Assessment

1
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

Purportedly, this affects versions of rConfig prior to 3.9.2, as well. rConfig installation leaves files lying around, asking the user to clean them up. If the user doesn’t take this step, then an attacker can use the ajaxServerSettingsChk.php file (leftover from installation) to gain unauthenticated command execution as the web server user. Chain this with a local privilege escalation, and things can go from bad to worse for the target…

One can remediate this by removing all files from the rConfig installation directory.

1
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

rConfig reports almost 3.5 million devices managed by this utility. A search of Shodan reveals there are several dozen instances exposed directly to the internet on a vulnerable version.

This exploit allows RCE on the host. If you can gain host access you can read the database keys in ./config/config.inc.php and then access the database.

By design the database contains the details for all of your network devices. It also contains clear text credentials for access to these devices.

MariaDB [rconfig]> select deviceUsername, deviceName, devicePassword, deviceEnablePassword, deviceIpAddr from nodes;

+----------------+------------+----------------+----------------------+--------------+

| deviceUsername | deviceName | devicePassword | deviceEnablePassword | deviceIpAddr |

+----------------+------------+----------------+----------------------+--------------+

| admin          | Primary    | password       | password             | 10.10.10.10  |

+----------------+------------+----------------+----------------------+--------------+

1 row in set (0.00 sec)



MariaDB [rconfig]> 

This then permits any attacker to gain access to a wide range of internal network devices.
As rConfig is typically seen to access these devices it is easy for an attacker to hide amongst the background noise.

General Information

Technical Analysis