Zero-Day flaw in FatPipe products actively exploited, FBI warns

The FBI is warning of a zero-day vulnerability in FatPipe products that has been under active exploitation since at least May 2021.

FatPipe Software-Defined Wide Area Networking (SD-WAN) products provide solutions for an easy migration to Hybrid WAN. FatPipe delivers companies the ability to centrally manage their wide area network, manage branch office configurations, and deploy appliances with zero-touch installation.

The FBI is now warning of a zero-day vulnerability in FatPipe products actively exploited in the wild since at least May 2021. The flaw resides in the web management interface of FatPipe software.

An attacker can exploit the vulnerability to send modified HTTP requests to a vulnerable device and upload files to any location on the filesystem. The issue is due to the lack of input and validation check for certain HTTP requests.

“A vulnerability in the web management interface of FatPipe software could allow an authenticated, remote attacker with read-only privileges to elevate privileges to the level of an Administrator user on an affected device.” reads the advisory published by the company. “The vulnerability is due to a lack of input and validation checking mechanisms for certain HTTP requests on an affected device. An attacker could exploit this vulnerability by sending a modified HTTP request to the affected device. An exploit could allow the attacker as a read-only user to execute functions as if they were an administrative user.”

The vulnerability affects WARP, MPVPN, IPVPN products 10.1.2 and 10.2.2 versions prior to release with the fix (see Fixed Software). The vulnerability was addressed with the release of FatPipe WARP, MPVPN, and IPVPN software versions 10.1.2r60p93 and 10.2.2r44p1.

FatPipe already released software updates to address this vulnerability, it also explained that there are no workarounds that address this vulnerability. To mitigate the issue the company recommends disabling UI access on all the WAN interfaces or configure Access Lists on the interface page to allow access only from trusted sources.

“As of November 2021, FBI forensic analysis indicated exploitation of a 0-day vulnerability in the FatPipe MPVPN® device software1 going back to at least May 2021. The vulnerability allowed APT actors to gain access to an unrestricted file upload function to drop a webshell for exploitation activity with root access, leading to elevated privileges and potential follow-on activity. Exploitation of this vulnerability then served as a jumping off point into other infrastructure for the APT actors.” reads the FBI’s alert.

Federal experts observed that while the webshell was available, the threat actors used the new SSH access to route malicious traffic through the device and target additional U.S. infrastructure.

Upon exploiting the flaw, the attackers used cleanup scripts to remove traces of their activity.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, FatPipe)

[adrotate banner=”5″]

[adrotate banner=”13″]