FPSA002: Hidden Backdoor Account (Write Access)

Summary

For centralized management, FatPipe software uses an internal user account that lets the currently logged-in user reach multiple devices from the web management interface. This account was never intended for logging into the web management interface directly, but it can be used that way: anyone who knows its credentials can log in with it.

Affected Products

WARP, MPVPN, IPVPN

Release trains 10.1.2 and 10.2.2, in versions earlier than the fixed releases listed under Fixed Software.

Details

For centralized management, FatPipe software uses an internal user account that lets the currently logged-in user reach multiple appliances from the web management interface. This account was never intended for logging into the web management interface directly, but it can be used that way: anyone who knows its credentials can log in with it.

The account is not shown in the Users list, but its password is under the customer's control and can be set from the Users page. Because the account is hidden, administrators may not realize it exists, or that its password needs the same care as that of any other account with write access.

FatPipe has released software updates that address this vulnerability. Fixed versions no longer allow a direct login with this account (see Fixed Software).

Workarounds

Disable "Central Manager Login". Note that this also disables the centralized management feature this account supports.
Set a strong, unique password for this account from the Users page (see Details). Upgrading to a fixed release remains the recommended remediation.

Fixed Software

10.1.2r60p91 or later
10.2.2r42 or later
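As an added example, not part of this advisory or of FatPipe's own tooling, the following Python check classifies an inventory of version strings against the fixed releases listed above. It assumes (the page does not define the format) that a version string has the shape MAJOR.MINOR.PATCHr<release>[p<patchlevel>], that a missing p component means patch level 0, and that a higher (release, patchlevel) pair within the same train is newer; trains other than 10.1.2 and 10.2.2 are reported as not covered rather than as safe. The hostnames are constructed sample data.

```python
import re
from typing import Dict, List, Optional, Tuple

# Fixed releases named in the advisory, keyed by release train.
# Assumption (not stated on the page): version strings look like
# MAJOR.MINOR.PATCH r<RELEASE> [p<PATCHLEVEL>], a missing p component
# means patch level 0, and a higher (release, patchlevel) is newer.
FIXED_VERSIONS: Dict[str, str] = {
    "10.1.2": "10.1.2r60p91",
    "10.2.2": "10.2.2r42",
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)r(\d+)(?:p(\d+))?$")


def parse_version(version: str) -> Tuple[str, Tuple[int, int]]:
    """Split a FatPipe-style version string into (train, (release, patchlevel))."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch, release, plevel = m.groups()
    train = f"{major}.{minor}.{patch}"
    return train, (int(release), int(plevel or 0))


def is_affected(version: str) -> Optional[bool]:
    """True if the version is below the fix for its train, False if at or above it,
    None if the train is not covered by the advisory (do not treat None as safe)."""
    train, rel = parse_version(version)
    if train not in FIXED_VERSIONS:
        return None
    _, fixed_rel = parse_version(FIXED_VERSIONS[train])
    return rel < fixed_rel


def triage(inventory: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Bucket (hostname, version) pairs into affected / fixed / unknown."""
    result: Dict[str, List[str]] = {"affected": [], "fixed": [], "unknown": []}
    for host, ver in inventory:
        state = is_affected(ver)
        bucket = "unknown" if state is None else ("affected" if state else "fixed")
        result[bucket].append(host)
    return result


if __name__ == "__main__":
    # Constructed sample inventory, not real devices.
    sample = [
        ("wan-edge-1", "10.1.2r60p90"),   # one patch level below the fix
        ("wan-edge-2", "10.1.2r60p91"),   # exactly the fixed release
        ("wan-edge-3", "10.1.2r59p120"),  # older release, higher patch level: still affected
        ("dc-mpvpn-1", "10.2.2r41"),
        ("dc-mpvpn-2", "10.2.2r42"),
        ("lab-box", "10.3.0r1"),          # train not covered by the advisory
    ]
    for bucket, hosts in triage(sample).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

The comparison is done per train on purpose: a 10.1.2 build is never judged against the 10.2.2 threshold, and a build from a train the advisory does not mention is flagged for manual review instead of being silently passed.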

Source
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5684.php