Patch now! FatPipe VPN zero-day actively exploited

Patch now! FatPipe VPN zero-day actively exploited

According to its marketing team, a FatPipe MPVPN can make your VPN “900% more secure.” Well, I don’t know about that, but I do know a way to make your MPVPN admin console 100% more secure, and that you should do so right away, by installing the latest version of its software.

Why? Because older versions of the device software used by FatPipe’s MPVPN, WARP, and IPVPN products, are all vunerable to a serious zero-day exploit that has been actively exploited in the wild for at least six months. FatPipe advises that versions 10.1.2r60p93 and 10.2.2r44p1 of its software, or later, are the ones you need.

If you are unable to update immediately, FatPipe recommends you cut off access to your admin console from the Internet at large: “disable UI access on all the WAN interfaces or configure Access Lists on the interface page to allow access only from trusted sources.”

The vulnerability

Like a lot of security and administration software, FatPipe’s MPVPN is configured and controlled through a web-based administration portal, which is just another way of saying “website”.

FatPipe describes the vulnerability in its software’s administration website as a “lack of input and validation checking mechanisms for certain HTTP requests”. It goes on to say “an attacker could exploit this vulnerability by sending a modified HTTP request to the affected device”.

That simple POST request could “allow a remote attacker to upload a file to any location on the filesystem on an affected device.” But FatPipe says could, and the FBI says did. According to the agency, a recent forensic analysis has revealed that Advanced Persistent Threat (APT) actors (plural) have been abusing the flaw since May 2021.

Input validation is website security 101, and the attack as described by the FBI is very simple. The Persistent Threat groups that carried out the attacks may have been be Advanced, but the exploit they used was not.

The exploitation

The FBI says that “The vulnerability allowed APT actors to gain access to an unrestricted file upload function to drop a webshell for exploitation activity with root access, leading to elevated privileges and potential follow-on activity.”

There’s a lot going on in that one sentence. Let’s break down what it means:

The FBI says the APT groups gained access to an “unrestricted file upload function,” meaning that the attackers were able to add files to a server running the admin console for some FatPipe software. Attackers should obviously not be able to simply add their files to your servers.

For this attack to work, the APT actors only needed to add one file: A web shell, at /fpui/img/1.jsp. A web shell is a type of malicious script that turns an attacker’s ability to add a file to your server into an ability to do whatever they want on your server. The attackers simply send the web shell the commands they’d like your machine to run, and it runs them.

The shell can only run with whatever restricted permissions it inherits from the web server it’s added to, but in this case it seems as if there were no restrictions. The FBI’s description suggests that the web shell enjoyed root-level (administrator) access from the get go.

Free to do whatever they wanted with their web shells, the attackers opted to overwrite the machines’ Secure Shell (SSH) configuration, so they could use the same method of remote access as the machine’s legitimate administrators. The FBI says the APT groups then used the compromised FatPipe servers as bridgeheads to “route malicious traffic through the device and target additional U.S. infrastructure”.

If you want to check your system for signs of exploitation, the FBI alert contains a full list of Indicators of Compromise (IoCs). It also notes that the APT actors were careful to clean up after themselves, and so the agency would love to hear from you if you can add anything to its understanding of these attacks.

What is going on with security admin software?

It is a shock, but not a surprise, to read about an easily exploited flaw in an Internet-facing administration console for a security product in 2021. A shock because the whys and wherefores of securing websites—and the central importance of treating any kind of input as hostile unless proven otherwise—has been very well understood for decades. But it’s not a surprise because criminals exploiting basic flaws like authentication bypasses or input validation errors in security products like VPNs has been a running theme for several years now.

In a recent episode of Malwarebyte’s Lock and Code podcast, host David Ruiz interviewed Victor Gevers, chair of the Dutch Institute for Vulnerability Disclosure (DIVD), about July’s enormous Kaseya ransomware attack. Gevers explains that his team had been racing against time to get several zero-day vulnerabilities in Kaseya VSA fixed at the time of the attack, and that one of those zero-days was in fact used by the ransomware gang.

Gevers also revealed that the problems his team discovered in Kaseya VSA were not unusual. The vulnerabilities were uncovered during a much broader investigation which revealed a worrying trend—that Internet-facing remote administration tools are rife with flaws.

You can learn more about what Gevers and his team discovered in the podcast episode below.