Zero-day vulnerability in FatPipe SD-WAN solutions allows uploading malicious files to affected servers

The Federal Bureau of Investigation (FBI) issued a statement warning about the detection of a zero-day vulnerability in FatPipe products, which has been actively exploited for much of 2021. The company confirmed that the affected products are WARP, MPVPN, and IPVPN devices.

Apparently, the vulnerability exists due to the absence of input verification and validation for certain HTTP requests, allowing threat actors to send specially crafted HTTP requests to a vulnerable device. FatPipe says the error resides in its web management interface and could be exploited to upload files to any location on the file system. The flaw has not yet received a CVE tracking key or been assigned a score under the Common Vulnerability Scoring System (CVSS).

The Agency notes that threat actors have exploited this flaw in order to inject a webshell that provides root access to a vulnerable device. According to the FBI, these attacks functioned as a starting point towards subsequent malicious activities: “Threat actors would have exploited this SSH access to route malicious traffic through the compromised devices,” the researchers note.

Finally, the threat actors performed a debugging of the affected systems in order to gain persistence and continue operating without being detected.

FatPipe has confirmed that the flaw was successfully addressed, so warp, MPVPN and IPVPN users are advised to upgrade to versions 10.1.2r60p93 and 10.2.2r44p1 of the software with which these devices operate.

At the moment alternative solutions to this flaw are unknown, although some experts mention that disabling UI access in WAN interfaces and configuring access lists in the web interface could be functional mitigation methods; still, applying official updates remains the top security recommendation.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.