A team of information security awareness specialists has released a report on the detection of 4 vulnerabilities in rConfig, the popular open source network device configuration management utility. According to the report, successful exploitation of these flaws would allow threat actors to perform SQL injections, remote code injections, among other attacks.
Below is a brief description of the reported flaws, in addition to their respective scores and tracking keys according to the Common Vulnerability Scoring System (CVSS).
CVE-2020-15712: An input validation error when processing streams allows threat actors to perform directory attacks by sending specially crafted HTTP requests. The vulnerability received a score of 6/10 on the CVSS scale, information security awareness specialists mentioned.
CVE-2020-15713: Insufficient disinfection of user-provided data through the “sortBy” parameter in “devices.php” would allow threat actors to execute arbitrary SQL queries against the target database.
The vulnerability received a score of 7.7/10 and its successful exploitation would allow deploying phishing attacks, malware infections, among others.
CVE-2020-15714: Insufficient disinfection of data passed through the “custom_Location” parameter in “devices.crud.php” allows authenticated attackers to perform arbitrary SQL queries on the target database.
Like the previous case, this vulnerability received a score of 7.7/10 on the CVSS scale.
CVE-2020-15715: Incorrect input validation passed through the “nodeId” parameter in the “search.crud.php” script would allow threat actors to execute arbitrary code on the target system.
The vulnerability received a score of 7.7/10, information security awareness specialists mentioned.
Although the flaws could be exploited remotely by unauthenticated threat actors, specialists report that no attempts at active exploitation have been detected. Updates are now available, so affected deployment administrators should install patches as soon as possible.
For further reports on vulnerabilities, exploits, malware variants and computer security risks, it is recommended to enter the website of the International Institute of Cyber Security (IICS), as well as the official platforms of technology companies.
He is a well-known expert in mobile security and malware analysis. He studied Computer Science at NYU and started working as a cyber security analyst in 2003. He is actively working as an anti-malware expert. He also worked for security companies like Kaspersky Lab. His everyday job includes researching about new malware and cyber security incidents. Also he has deep level of knowledge in mobile security and mobile vulnerabilities.