Zero-day vulnerability found in FatPipe VPN, already in use for 6 months: also present in FatPipe IPVPN and WARP

The U.S. Federal Bureau of Investigation announced today that it has discovered an Advanced Persistent Threat (APT) that exploits a zero-day vulnerability in FatPipe network equipment as a means to gain access to internal networks.

The Federal Bureau of Investigation has discovered an APT (Advanced Persistent Threat) that exploits a zero-day vulnerability in FatPipe network equipment as a means to gain access to the internal network.

FBI Forensic Analysis Reveals Zero-Day Vulnerability Exploited in FatPipe MPVPN Device Software Since at Least May 2021

According to the FBI, this vulnerability allowed the hacking group to exploit the file upload feature of the device’s firmware and install a web shell with root access.

According to the FBI, hackers only took advantage of this zero-day against FatPipe MPVPN devices, but the vulnerability also affects other products such as IPVPN and WARP.

https://www.fatpipeinc.com/ products/mpvpn/index.php

All of these products work as different types of VPNs that companies can install at the perimeter of their network to allow employees to remotely access internal applications over the Internet.

According to the FBI, the zero-day they discovered during their investigation does not currently have its own CVE identifier.

FatPipe has released a patch and additional information via an internal security advisory tracked as FPSA006.

https://www.fatpipeinc.com/ support/cve-list.php

According to the company, by exploiting the newly discovered vulnerability to overwrite a device’s configuration file, an attacker could gain full control of an unpatched system.

According to Shodan’s search, there are currently about 800 FatPipe MPVPN devices available on the Internet.

We are releasing an IOC (indicator of compromise) and YARA signature that IT and security departments can use to see if the FatPipe system has been hacked and to detect the intruder’s web shell

https://www.ic3.gov/Media/News /2021/211117-2.pdf

FatPipe has now joined the list of network equipment manufacturers whose systems have been exploited in cyber intrusions.

FatPipe joins a growing list of network equipment manufacturers whose systems were exploited in the cyber intrusion, including Cisco, Microsoft, Oracle, F5 Networks, Palo Alto Networks, Fortinet, and Citrix.

Attacks targeting network devices such as firewalls, VPN servers, network gateways, and load balancers spiked during the COVID-19 pandemic.

This is because attackers have realized that these devices are installed in almost all large enterprise and government networks as a means for remote workers to connect to internal applications, and can be actively used in attacks.

Summary of this vulnerability

A vulnerability in the web administration interface of the FatPipe software could allow an authenticated, remote attacker with read-only privileges to escalate privileges to the level of an Administrator user on a vulnerable device.

Products Affected

warp, mpvpn, ipvpn: 10.1.2 and 10.2.2 and earlier versions

Details of this vulnerability

This vulnerability is due to a lack of input and validation checking mechanisms for certain HTTP requests on the affected device. An attacker can exploit this vulnerability by sending a modified HTTP request to the affected device. Once exploited, an attacker who is a read-only user can perform functions as if they were an administrative user.

FatPipe has released a software update to address this vulnerability.

Workaround

There is no workaround for this vulnerability. To avoid the vulnerability, disable UI access on all WAN interfaces, or set up an access list on the interface page to allow access only from trusted sources.

Leave a Reply

Your email address will not be published.