FatPipe Networks WARP 10.2.2 Authorization Bypass

Medium

Advisory ID

ZSL-2021-5682

Release Date

27 September 2021

Vendor

FatPipe Networks Inc. - https://www.fatpipeinc.com

Affected Version

WARP, 10.2.2r38, 10.2.2r25, 10.2.2r10, 10.1.2r60p82, 10.1.2r60p71, 10.1.2r60p65, 10.1.2r60p58s1, 10.1.2r60p58, 10.1.2r60p55, 10.1.2r60p45, 10.1.2r60p35, 10.1.2r60p32, 10.1.2r60p13, 10.1.2r60p10, 9.1.2r185, 9.1.2r180p2, 9.1.2r165, 9.1.2r164p5, 9.1.2r164p4, 9.1.2r164, 9.1.2r161p26, 9.1.2r161p20, 9.1.2r161p17, 9.1.2r161p16, 9.1.2r161p12, 9.1.2r161p3, 9.1.2r161p2, 9.1.2r156, 9.1.2r150, 9.1.2r144, 9.1.2r129, 7.1.2r39, 6.1.2r70p75-m, 6.1.2r70p45-m, 6.1.2r70p26, 5.2.0r34

CVE

Tested On

Apache-Coyote/1.1

Summary

FatPipe Networks invented the concept of router-clustering, which provides the highest level of reliability, redundancy, and speed of Internet traffic for Business Continuity and communications. FatPipe WARP achieves fault tolerance for companies by creating an easy method of combining two or more Internet connections of any kind over multiple ISPs. FatPipe utilizes all paths when the lines are up and running, dynamically balancing traffic over the multiple lines, and intelligently failing over inbound and outbound IP traffic when ISP services and/or components fail.

Description

Improper access control occurs when the application provides direct access to objects based on user-supplied input. As a result of this vulnerability attackers can bypass authorization and access resources behind protected pages.

Proof of Concept

fatpipe_auth.txtTXT

Disclosure Timeline

30.05.2016Vulnerability discovered.

25.07.2021Vulnerability discovered.

25.07.2021Vendor contacted.

27.07.2021No response from the vendor.

28.07.2021Vendor contacted.

06.08.2021No response from the vendor.

07.08.2021Vendor contacted.

09.08.2021CISA contacted.

09.08.2021CISA asks for more details.

09.08.2021Sent details to CISA.

10.08.2021CISA asked if the vulnerabilities were previously reported and which contacts did ZSL used initially.

10.08.2021Replied to CISA.

10.08.2021CISA will reach out to the vendor.

16.08.2021Asked CISA for status update.

17.08.2021CISA responds that the vendor replied and is reviewing the information.

17.08.2021CISA responds, vendor pushed updates to address the reported issues.

17.08.2021Replied to CISA, asked for patch release plan and coordination of advisory release.

18.08.2021Working with CISA and FatPipe.

20.08.2021Vendor released advisory: https://www.fatpipeinc.com/support/advisories.php

23.08.2021Working with the vendor.

24.08.2021Sent draft advisories to vendor. Asked for fixed version number. Informed that the advisories will be released mid September.

25.08.2021Asked vendor for confirmation of PoCs receipt.

30.08.2021Further discussion with the vendor about the vulnerabilities.

07.09.2021Asked vendor for status update.

10.09.2021Vendor requests more details.

10.09.2021Provided further details to the vendor.

14.09.2021Informed the vendor that advisories will be released 27th September.

19.09.2021Informed CISA about our release plan.

27.09.2021Coordinated public security advisory released.

27.09.2021Vendor provides fixed versions 10.1.2r60p92 and 10.2.2r43, and for 9.1.2: 9.1.2r161p31 and 9.1.2r180p9.

Credits

Vulnerability discovered by Gjoko Krstic

References

[1]https://www.fatpipeinc.com/support/advisories.php

[2]https://www.exploit-db.com/exploits/50339

[3]https://packetstormsecurity.com/files/164320/FatPipe-Networks-WARP-10.2.2-Authorization-Bypass.html

[4]https://cxsecurity.com/issue/WLB-2021090143

[5]https://exchange.xforce.ibmcloud.com/vulnerabilities/210327

[6]https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/2791320/nsa-cisa-release-guidance-on-selecting-and-hardening-remote-access-vpns/

[7]https://www.fatpipeinc.com/support/cve-list.php

[8]https://thehackernews.com/2021/11/fbi-issues-flash-alert-on-actively.html

[9]https://www.ic3.gov/Media/News/2021/211117-2.pdf

[10]https://threatpost.com/fbi-fatpipe-vpn-zero-day-exploited-apt/176453/

[11]https://cisomag.eccouncil.org/fatpipe-mpvpn-zero-day-vulnerability-exploited/

[12]https://www.securityweek.com/fbi-warns-actively-exploited-fatpipe-zero-day-vulnerability

[13]https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-27858

[14]https://www.fatpipeinc.com/fpsa/fpsa004.php

Changelog

27.09.2021Initial release

30.09.2021Added reference [2], [3], [4], [5] and [6]

21.11.2021Added reference [7], [8], [9], [10], [11] and [12]

11.01.2022Added reference [13]

01.02.2022Added reference [14]