CVE-2021-27860: Technical Support - FatPipe Networks
A vulnerability in the web management interface of FatPipe WARP, IPVPN, and MPVPN software prior to versions 10.1.2r60p92 and 10.2.2r44p1 could allow a remote, unauthenticated attacker to upload a file to any location on the filesystem. The FatPipe advisory identifier for this vulnerability is FPSA006.
CVE List
FPSA001: Remote Privilege Escalation
Summary
A vulnerability in the web management interface of FatPipe software could allow an authenticated, remote attacker with read-only privileges to elevate privileges to the level of an Administrator user on an affected device.
Affected Products
WARP, MPVPN, IPVPN
10.1.2 and 10.2.2 versions prior to releases with the fix (see Fixed Software).
Details
A vulnerability in the web management interface of FatPipe software could allow an authenticated, remote attacker with read-only privileges to elevate privileges to the level of an Administrator user on an affected device.
The vulnerability is due to missing input validation and privilege checks for certain HTTP requests on an affected device. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected device. A successful exploit could allow a read-only user to execute functions as if they were an administrative user.
FatPipe has released software updates that address this vulnerability.
Workarounds
There are no workarounds that address this vulnerability. To mitigate the vulnerability, disable UI access on all the WAN interfaces or configure Access Lists on the interface page to allow access only from trusted sources.
Fixed Software
10.1.2r60p91 or later
10.2.2r42 or later
Source
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5685.php
FPSA002: Hidden Backdoor Account (Write Access)
Summary
For centralized management, FatPipe software uses a built-in user account that lets the currently logged-in user reach multiple devices from the web management interface. This account was never intended for direct logins, but it can be used to log into the web management interface directly.
Affected Products
WARP, MPVPN, IPVPN
10.1.2 and 10.2.2 versions prior to releases with the fix (see Fixed Software).
Details
For centralized management, FatPipe software uses a built-in user account that lets the currently logged-in user reach multiple appliances from the web management interface. This account was never intended for direct logins, but it can be used to log into the web management interface directly.
Although this user account is not displayed in the Users list, the customer controls its password: on the Users page, you can set the password for this user.
FatPipe has released software updates that address this vulnerability. Newer versions of our software do not allow a user to log in directly with this user account (see Fixed Software).
Workarounds
Disable "Central Manager Login".
Fixed Software
10.1.2r60p91 or later
10.2.2r42 or later
Source
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5684.php
FPSA003: Unauthenticated Config Download
Summary
An authenticated user is able to create and download a backup file containing the FatPipe device's configuration using the web management interface of FatPipe software. A vulnerability exists where an unauthenticated user can retrieve that backup file from the system.
Affected Products
WARP, MPVPN, IPVPN
10.1.2 and 10.2.2 versions prior to releases with the fix (see Fixed Software).
Details
An authenticated user is able to create and download a backup file containing the FatPipe device's configuration using the web management interface of FatPipe software. A vulnerability exists where an unauthenticated user can retrieve that backup file from the system.
FatPipe has released software updates that address this vulnerability.
Workarounds
There are no workarounds that address this vulnerability. To mitigate the vulnerability, disable UI access on all the WAN interfaces or configure Access Lists on the interface page to allow access only from trusted sources.
Fixed Software
10.1.2r60p91 or later
10.2.2r42 or later
Source
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5683.php
FPSA004: Authorization Bypass
Summary
Improper access control (an insecure direct object reference) occurs when the application provides direct access to objects based on user-supplied input without checking that the requester is authorized for that object. As a result of this vulnerability, attackers can bypass authorization and access resources behind protected pages.
Affected Products
WARP
10.1.2 and 10.2.2 versions prior to releases with the fix (see Fixed Software).
Details
Improper access control (an insecure direct object reference) occurs when the application provides direct access to objects based on user-supplied input without checking that the requester is authorized for that object. As a result of this vulnerability, attackers can bypass authorization and access resources behind protected pages.
Workarounds
There are no workarounds that address this vulnerability. To mitigate the vulnerability, disable UI access on all the WAN interfaces or configure Access Lists on the interface page to allow access only from trusted sources.
Fixed Software
10.1.2r60p91 or later
10.2.2r42 or later
Source
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5682.php
FPSA005: CSRF Add Admin Exploit
Summary
A vulnerability in the web management interface of FatPipe software could allow an authenticated, remote attacker with read-only privileges to elevate privileges to the level of an Administrator user on an affected device by adding a user with Administrator privileges.
Affected Products
WARP, MPVPN, IPVPN
10.1.2 and 10.2.2 versions prior to releases with the fix (see Fixed Software).
Details
A vulnerability in the web management interface of FatPipe software could allow an authenticated, remote attacker with read-only privileges to elevate privileges to the level of an Administrator user on an affected device by adding a user with Administrator privileges.
The vulnerability is due to missing input validation and privilege checks for certain HTTP requests on an affected device. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected device. A successful exploit could allow a read-only user to execute functions as if they were an administrative user.
FatPipe has released software updates that address this vulnerability.
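The following is an added illustration of the bug class described in this advisory and in FPSA001, written for this page; it is not FatPipe code and does not reproduce the affected interface. The handler names, the session object, the user store and the request bodies are invented. It contrasts a management action that the server accepts from any authenticated session (the UI merely hides the form from read-only users) with one that takes the caller's role from the server-side session and requires a per-session CSRF token on state-changing requests, so neither a read-only user nor a forged cross-site POST can add an administrator.

```python
"""Illustrative model of the FPSA001/FPSA005 bug class (not FatPipe code).

All names here are invented for the example. The vulnerable handler trusts
the request as-is; the hardened handler enforces privilege and request origin
on the server for every call."""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    user: str
    role: str  # set at login from the user store, never from the request
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


def new_user_store():
    # Constructed sample user database: username -> role.
    return {"admin": "admin", "auditor": "readonly"}


def vulnerable_add_user(users, session, form):
    """BUG: any authenticated session may add an administrator.

    The UI only shows the "add user" form to administrators, but the server
    never re-checks, so a read-only user posting the request directly (or a
    cross-site forged POST riding on an administrator's cookie) succeeds."""
    users[form["username"]] = form["role"]
    return True


def hardened_add_user(users, session, form):
    """Authorization and request-origin checks enforced server-side."""
    # 1. Privilege comes from the session, not from anything the client sent.
    if session.role != "admin":
        raise PermissionError(f"{session.user} is not an administrator")
    # 2. State-changing requests must carry the session's CSRF token; compare
    #    in constant time so the check does not leak the token byte by byte.
    if not hmac.compare_digest(form.get("csrf_token", ""), session.csrf_token):
        raise PermissionError("missing or invalid CSRF token")
    # 3. Only roles the application defines are accepted.
    if form["role"] not in ("admin", "readonly"):
        raise ValueError("unknown role")
    users[form["username"]] = form["role"]
    return True


def demo():
    """Replays the privilege-escalation request against both handlers."""
    results = {}
    readonly = Session(user="auditor", role="readonly")
    escalate = {"username": "backdoor", "role": "admin"}  # forged POST body

    users = new_user_store()
    vulnerable_add_user(users, readonly, escalate)
    results["vulnerable_escalated"] = users.get("backdoor") == "admin"

    users = new_user_store()
    try:
        hardened_add_user(users, readonly, dict(escalate, csrf_token=readonly.csrf_token))
        results["hardened_escalated"] = True
    except PermissionError:
        results["hardened_escalated"] = "backdoor" in users

    # A request forged by a third-party site cannot include the admin's token.
    admin = Session(user="admin", role="admin")
    try:
        hardened_add_user(users, admin, escalate)  # no csrf_token in the body
        results["hardened_csrf_blocked"] = False
    except PermissionError:
        results["hardened_csrf_blocked"] = "backdoor" not in users

    # The legitimate administrative path still works.
    hardened_add_user(users, admin, dict(escalate, csrf_token=admin.csrf_token))
    results["legitimate_admin_ok"] = users.get("backdoor") == "admin"
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the contrast is that hiding a control in the UI is not an authorization check: every privileged request must be re-validated by the server against state the client cannot edit.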
Workarounds
There are no workarounds that address this vulnerability. To mitigate the vulnerability, disable UI access on all the WAN interfaces or configure Access Lists on the interface page to allow access only from trusted sources.
Fixed Software
10.1.2r60p91 or later
10.2.2r42 or later
Source
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5681.php
FPSA006: Config Upload Exploit
Summary
A vulnerability in the web management interface of FatPipe software could allow a remote, unauthenticated attacker to upload a file to any location on the filesystem of an affected device.
Affected Products
WARP, MPVPN, IPVPN
All versions prior to the fixed releases (see Fixed Software).
Details
A vulnerability in the web management interface of FatPipe software could allow a remote, unauthenticated attacker to upload a file to any location on the filesystem of an affected device.
The vulnerability is due to missing input validation for certain HTTP requests on an affected device. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected device.
FatPipe has released software updates that address this vulnerability.
Workarounds
There are no workarounds that address this vulnerability. To mitigate the vulnerability, disable UI access on all the WAN interfaces or configure Access Lists on the interface page to allow access only from trusted sources.
Fixed Software
10.1.2r60p92 or later
10.2.2r44p1 or later
Source
Found by code review after FatPipe was made aware of active exploit activity.
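To check an inventory of appliances against the Fixed Software sections of all six advisories above, the following added example (written for this page, not a FatPipe tool) parses the version strings in the form the advisories use and reports, per advisory, whether an installed release predates the fix. It assumes, which the page does not state, that the format is major.minor.patch followed by r<build> and an optional p<patch level>, that a release with no "p" suffix is patch level 0, and that only the 10.1.2 and 10.2.2 branches have known fixes, so any other branch is reported as unknown rather than as safe. It does not encode product scope (FPSA004 lists WARP only), so that check is left to the operator.

```python
"""Triage a FatPipe WARP/IPVPN/MPVPN version string against FPSA001-FPSA006.

Added example for this page, not FatPipe tooling. The version format and the
"no p suffix means patch level 0" rule are assumptions; only branches 10.1.2
and 10.2.2 are covered by the advisories, so other branches return None."""
import re

# Fixed releases per advisory and branch, copied from the Fixed Software sections.
FIXED = {
    "FPSA001": {"10.1.2": "10.1.2r60p91", "10.2.2": "10.2.2r42"},
    "FPSA002": {"10.1.2": "10.1.2r60p91", "10.2.2": "10.2.2r42"},
    "FPSA003": {"10.1.2": "10.1.2r60p91", "10.2.2": "10.2.2r42"},
    "FPSA004": {"10.1.2": "10.1.2r60p91", "10.2.2": "10.2.2r42"},  # WARP only
    "FPSA005": {"10.1.2": "10.1.2r60p91", "10.2.2": "10.2.2r42"},
    "FPSA006": {"10.1.2": "10.1.2r60p92", "10.2.2": "10.2.2r44p1"},  # CVE-2021-27860
}

# Assumed format: <major>.<minor>.<patch>r<build>[p<patchlevel>]
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)r(\d+)(?:p(\d+))?$")


def parse_version(text):
    """'10.2.2r44p1' -> (10, 2, 2, 44, 1); '10.2.2r42' -> (10, 2, 2, 42, 0).

    Raises ValueError for anything that does not match the assumed format,
    so a mangled inventory entry is flagged instead of silently compared."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised FatPipe version string: {text!r}")
    major, minor, patch, build, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(build), int(plevel or 0))


def branch_of(version):
    """(10, 2, 2, 44, 1) -> '10.2.2', the key used in the FIXED table."""
    return ".".join(str(n) for n in version[:3])


def is_affected(text, advisory):
    """True if the installed release predates the fix, False if it is at or
    past the fix, None if the branch is not covered by the advisory table."""
    installed = parse_version(text)
    fixed = FIXED[advisory].get(branch_of(installed))
    if fixed is None:
        return None
    # Tuple comparison orders by major, minor, patch, build, then patch level.
    return installed < parse_version(fixed)


def triage(text):
    """Map every advisory on this page to True (affected), False or None."""
    return {adv: is_affected(text, adv) for adv in FIXED}


if __name__ == "__main__":
    for v in ("10.1.2r60p91", "10.2.2r44p1", "10.2.2r42", "10.3.0r1"):
        print(v, triage(v))
```

Note that 10.1.2r60p91 and 10.2.2r42 close FPSA001 to FPSA005 but still leave FPSA006 (CVE-2021-27860) open, which is why the triage is per advisory rather than a single "patched" flag.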