
CVE-2021-27856 Scanner
CVE-2021-27856 Scanner - Unauthorized Admin Access vulnerability in FatPipe WARP/IPVPN/MPVPN
Short Info
Level: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 1 week 3 hours
Scan only one: Domain, Subdomain, IPv4
Toolbox: -
FatPipe WARP, IPVPN, and MPVPN are network appliances used to facilitate secure data transfer and improve connectivity over wide area networks (WANs). These products are often deployed by enterprises and organizations to enhance internet connectivity and ensure high availability, load balancing, and traffic optimization. The primary audience for these devices is network administrators and IT staff within organizations that require reliable and secure internet performance. The products are capable of supporting various routing protocols and are often used in situations where multiple internet connections are aggregated for improved bandwidth and reliability. They are particularly useful for ensuring business continuity by providing fallback and load-sharing options across different internet service providers.
The vulnerability in FatPipe WARP/IPVPN/MPVPN is classified as Unauthorized Admin Access. It stems from a backdoor account named "cmuser" that holds administrative privileges and has no password. An attacker does not need to bypass or break authentication at all: the normal login flow accepts the account as-is. Because it hands full control of the appliance to anyone who can reach the management interface, the issue is rated critical. It affects software versions prior to 10.1.2r60p91 and 10.2.2r42; devices running older builds remain exposed until they are upgraded.
The issue is exploitable remotely and without prior authentication. The weakness sits in the web management login: an HTTP POST to the '/fpui/loginServlet' endpoint that authenticates as 'cmuser' with an empty password is accepted and yields an administrative session. No crafted payload or memory corruption is involved; the built-in credentials are the entire attack, which also means the scanner check is a single login request against that endpoint.
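The two fixed builds named above are the only concrete data an asset owner has for an offline triage. The following Python is an added example, not code from the scanner vendor or from FatPipe: it parses version strings of the shape seen in the advisory (dotted numbers, an "r" release number, an optional "p" patch number) and reports which inventory entries are still below the fix. The version-string grammar, the branch handling (10.2.x compared against 10.2.2r42, everything older against 10.1.2r60p91, anything newer than 10.2 treated as fixed) and the sample inventory are all assumptions made for the example.

```python
import re
from typing import List, Tuple

# Fixed versions named in the advisory for CVE-2021-27856.
FIXED_10_1 = "10.1.2r60p91"
FIXED_10_2 = "10.2.2r42"

# FatPipe version strings in the advisory look like "10.1.2r60p91" or
# "10.2.2r42": a dotted numeric part, a release number after "r" and an
# optional patch number after "p". This grammar is inferred from those two
# values (an assumption); anything else is rejected rather than guessed.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)r(\d+)(?:p(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int, int]:
    """Convert a FatPipe version string into a comparable tuple.

    Returns (major, minor, patch, release, p). A missing "p" component is
    treated as 0, so "10.2.2r42" sorts just before "10.2.2r42p1".
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised FatPipe version string: {text!r}")
    dotted, release, p = m.groups()
    numbers = [int(x) for x in dotted.split(".")]
    # Pad the dotted part to three fields so "10.1" and "10.1.0" compare equal;
    # extra fields beyond the third are ignored.
    while len(numbers) < 3:
        numbers.append(0)
    major, minor, patch = numbers[:3]
    return (major, minor, patch, int(release), int(p or 0))


def is_affected(version: str) -> bool:
    """Return True if the given build is below the fix for its branch.

    Branch handling is an assumption of this example, not advisory text:
    builds on the 10.2 line are compared against 10.2.2r42, everything
    older than 10.2 against 10.1.2r60p91, and anything newer than 10.2 is
    treated as already fixed.
    """
    v = parse_version(version)
    if v[:2] > (10, 2):
        return False
    if v[:2] == (10, 2):
        return v < parse_version(FIXED_10_2)
    return v < parse_version(FIXED_10_1)


def triage(inventory: List[Tuple[str, str]]) -> List[str]:
    """Return the hosts whose reported build is still vulnerable.

    Hosts with an unparseable version are listed too, flagged for manual
    follow-up, so a bad inventory entry never hides an exposed device.
    """
    findings = []
    for host, version in inventory:
        try:
            if is_affected(version):
                findings.append(host)
        except ValueError:
            findings.append(f"{host} (version unrecognised, verify manually)")
    return findings


# Constructed sample inventory; hostnames and builds are made up for the demo.
SAMPLE_INVENTORY = [
    ("warp-hq.example.internal", "10.1.2r60p90"),      # one patch level short
    ("mpvpn-branch1.example.internal", "10.2.2r42"),   # exactly the fix
    ("ipvpn-dc.example.internal", "10.2.1r77"),        # older 10.2 release
    ("warp-lab.example.internal", "10.2.2r42p3"),      # past the fix
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print("VULNERABLE:", host)
```

The comparison is done on integer tuples rather than on the raw strings so that "10.1.2r60p91" is correctly seen as newer than "10.1.2r60p9", which a plain string compare would get wrong. Treat the output as a prompt to run the live scanner check, not a substitute for it: a device can report a fixed build and still carry a locally re-enabled account.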
Successful exploitation gives an attacker full administrative control of the appliance: unauthorized configuration changes, data exfiltration, denial of service, or use of the device as a foothold for further attacks on the network behind it. Because these appliances sit at the WAN edge and aggregate an organization's internet links, an attacker in that position can also intercept or manipulate traffic passing through the device, install persistent malware, and escalate from the appliance to connected systems, compromising the integrity, confidentiality and availability of everything that depends on it.