FPSA003: Unauthenticated Config Download

Summary

A user is able to create and download a backup file containing the FatPipe device's configuration using the web management interface of FatPipe software. A vulnerability exists where an unauthenticated user can access the backup file on the system.

Affected Products

WARP, MPVPN, IPVPN

10.1.2 and 10.2.2 versions prior to releases with the fix (see Fixed Software).

Details

A user is able to create and download a backup file containing the FatPipe device's configuration using the web management interface of FatPipe software. A vulnerability exists where an unauthenticated user can access the backup file on the system.

FatPipe has released software updates that address this vulnerability.

Workarounds

There are no workarounds that address this vulnerability. To reduce exposure until the fix is applied, disable UI access on all WAN interfaces, or configure Access Lists on the interface page so that the management UI is reachable only from trusted sources.

Fixed Software

10.1.2r60p91 or later
10.2.2r42 or later
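Added helper (not FatPipe code) for checking an inventory of device version strings against the fixed releases listed above. It assumes the version format shown in this advisory (major.minor.patch, an `r` release number, and an optional `p` patch number), that releases order by `r` then `p`, and that a missing `p` counts as 0; trains other than 10.1.2 and 10.2.2 are reported as not listed rather than guessed at.

```python
import re
from typing import NamedTuple, Tuple

# Fixed releases taken from the advisory, keyed by version train.
FIXED = {
    (10, 1, 2): "10.1.2r60p91",
    (10, 2, 2): "10.2.2r42",
}

# Assumed format: "10.1.2r60p91"; 'r' and 'p' parts are optional and default to 0.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:r(\d+))?(?:p(\d+))?$")


class FatPipeVersion(NamedTuple):
    train: Tuple[int, int, int]  # (major, minor, patch), e.g. (10, 1, 2)
    release: int                 # number after 'r', 0 if absent (assumption)
    patch: int                   # number after 'p', 0 if absent (assumption)


def parse_version(text: str) -> FatPipeVersion:
    """Parse a FatPipe version string into comparable parts."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised FatPipe version string: {text!r}")
    major, minor, patch, rel, p = m.groups()
    return FatPipeVersion((int(major), int(minor), int(patch)),
                          int(rel or 0), int(p or 0))


def assess(text: str) -> str:
    """Return 'fixed', 'vulnerable' or 'not-listed' for one version string."""
    v = parse_version(text)
    fixed_text = FIXED.get(v.train)
    if fixed_text is None:
        return "not-listed"          # train not named in the advisory
    f = parse_version(fixed_text)
    # Assumption: releases are ordered by (r, p) within a train.
    return "fixed" if (v.release, v.patch) >= (f.release, f.patch) else "vulnerable"


def triage(inventory: dict) -> dict:
    """Map hostname -> assessment for a {hostname: version} inventory."""
    return {host: assess(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory, not real devices.
    sample = {"wan-edge-1": "10.1.2r60p90", "wan-edge-2": "10.2.2r42"}
    for host, verdict in triage(sample).items():
        print(f"{host}: {verdict}")
```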

Source
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5683.php