Remote Code Execution Vulnerabilities (CVSS Rating 9.8 and 8.8) Found in rConfig

Two critical vulnerabilities have been found in the network configuration utility rConfig, the free open-source configuration management utility which is used by more than 7,300 network engineers across 3.3 million devices.

Both flaws (CVE-2019-16662 and CVE-2019-16663) allow remote code execution on affected systems, while the first one (CVE-2019-16662, CVSS rating 9.8) allows an attacker to operate remotely and without authentication.

"I was able two detect two remote command execution vulnerabilities in two different files, the first one called 'ajaxServerSettingsChk.php' file which suffers from an unauthenticated RCE that could triggered by sending a crafted GET request via 'rootUname' parameter," said Mohammad Askar, the researcher who discovered the vulnerabilities.

As for the second vulnerability (CVE-2019-16663, CVSS rating 8.8), Askar says it "has been discovered in a file called 'search.crud.php' which suffers from an authenticated RCE that could triggered by sending a crafted GET request that contains two parameters."

In order to exploit both vulnerabilities, Askar wrote what he described as a "simple python code" for each flaw.

The researcher reported both vulnerabilities to the rConfig main developer on September 19. However, he didn't get a fix release date or even a statement that they would fix the vulnerability, so, after 35 days without a response, he released the exploits.

It's recommended that administrators using rConfig should uninstall the software until fixes for the flaws are released.

. . .

If you want to stay notified of vulnerabilities that affect you, register for a weekly security report customised to your stack.