Critical Remote Code Execution Flaw Found in Open Source rConfig Utility
A security researcher has discovered two remote code execution vulnerabilities, one of which is deemed critical, in the open-source network configuration tool rConfig that thousands of network engineers are using to snapshots of more than 7 million network devices.
The critical flaw, tracked as CVE-2019-16662, makes it possible for a threat actor to remotely execute system commands on vulnerable machines via specially crafted GET requests. No authentication is required. The second issue, tracked as CVE-2019-16663, works similarly, although exploitation of this flaw requires authentication. The researcher disclosed the two vulnerabilities in September, but did not receive a response, prompting him to release a proof-of-concept exploit in late October. Earlier this week, a researcher with the SANS Technology Institute detected attacks trying to exploit the two flaws.