Critical Remote Code Execution Flaw Found in Open Source rConfig Utility

silversurfer

Two bugs in the network configuration utility rConfig have been identified, both allowing remote code execution on affected systems. Worse, one is rated critical and allows for a user to attack a system remotely – sans authentication.

rConfig is a free open-source configuration management utility used by over 7,000 network engineers to take snapshots of over 7 million network devices, according to the project’s website.

The vulnerabilities (CVE-2019-16663, CVE-2019-16662) are both tied to rConfig version 3.9.2. The more serious of the two vulnerabilities (CVE-2019-16662) allows an attacker to execute system commands on affected devices via GET requests, which can lead to command instructions.
 
“After reviewing rConfig’s source code, however, I found out that not only rConfig 3.9.2 has those vulnerabilities but also all versions of it,” wrote a researcher by the name of Sudoka. “Furthermore, CVE-2019-16663, the post-auth RCE can be exploited without authentication for all versions before rConfig 3.6.0.” There are steps for mitigation; however, a message left on the rConfig project page is discouraging, Ullrich said. The project’s main website doesn’t appear to be updating and the GitHub repository has a message: “I am no longer fixing bugs on rConfig version 3.x. I will manage PRs.”

“My advice: It doesn’t look like rConfig is currently maintained (at least the version offered for download right now). I would stay away from it,” Ullrich said.