FPSA006: Config Upload Exploit
Summary
A vulnerability in the web management interface of FatPipe software could allow a remote attacker to upload a file to any location on the filesystem on an affected device.
Affected Products
WARP, MPVPN, IPVPN
Version 10 prior to the fixed releases (see Fixed Software). Version 9 is not affected by this vulnerability.
Details
A vulnerability in the web management interface of FatPipe software could allow a remote attacker to upload a file to any location on the filesystem on an affected device.
The vulnerability is due to missing input validation and checking mechanisms for certain HTTP requests on an affected device. An attacker could exploit this vulnerability by sending a modified HTTP request to the affected device.
FatPipe has released software updates that address this vulnerability.
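The advisory attributes the defect to missing validation of the upload request, which is what lets a supplied name land anywhere on the filesystem. The following is an added example, not FatPipe's code, of the containment check an upload handler needs: the requested name is restricted to a single filename component, joined to a fixed upload directory, and the resolved path is confirmed to remain under that directory. The upload directory and the request shapes are assumptions for illustration.

```python
"""Added example (not FatPipe's code): confine an uploaded file's
destination to a fixed directory. UPLOAD_ROOT and the sample names are
constructed for illustration."""
import os
from typing import List, Optional, Tuple

UPLOAD_ROOT = "/var/lib/app/uploads"  # assumed location, not from the advisory


def resolve_upload_target(requested_name: str,
                          root: str = UPLOAD_ROOT) -> Optional[str]:
    """Return the absolute path under `root` where the file may be written,
    or None if the requested name must be rejected."""
    if not requested_name or "\x00" in requested_name:
        return None
    # Policy: a filename only. Any separator or dot-component is rejected
    # outright rather than normalised away, so there is nothing to traverse.
    if "/" in requested_name or "\\" in requested_name:
        return None
    if requested_name in (".", ".."):
        return None
    candidate = os.path.normpath(os.path.join(root, requested_name))
    # Belt and braces: after normalisation the path must still sit under root
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def triage_names(names: List[str]) -> List[Tuple[str, Optional[str]]]:
    """Apply the check to a batch of requested names; None marks a rejection."""
    return [(n, resolve_upload_target(n)) for n in names]


if __name__ == "__main__":
    # Constructed sample of names a request might carry, benign and hostile
    for name, target in triage_names(["config.xml", "../../etc/passwd",
                                      "/etc/passwd", "sub/../config.xml",
                                      "..", "notes\x00.txt"]):
        print(f"{name!r:24} -> {'REJECT' if target is None else target}")
```

The point of rejecting separators instead of calling `basename` is that a request naming a directory tree is itself anomalous for a single-file upload; refusing it keeps the handler's behaviour obvious and makes the rejected request visible in logs.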
Workarounds
There are no workarounds that address this vulnerability. To mitigate the vulnerability, disable UI access on all the WAN interfaces or configure Access Lists on the interface page to allow access only from trusted sources.
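One way to verify that the access-list mitigation is actually in effect is to check web-UI request logs against the list of trusted source networks and report anything that does not match. The following is an added example and not FatPipe's tooling: the log format, the management-UI path prefix (`/ui/`), and the trusted networks are all constructed for illustration.

```python
"""Added example (not FatPipe's code): flag management-UI requests whose
source address is outside the trusted networks. Log lines, path prefix
and networks are constructed for illustration."""
import ipaddress
import re
from typing import List, Optional, Tuple

# Assumed trusted management networks; adjust to the deployment
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                ipaddress.ip_network("192.168.1.0/24")]

UI_PREFIX = "/ui/"  # assumed management-UI path prefix, not from the advisory

# Common-log-style line: source, ident, user, [time], "METHOD path proto"
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+)')

# Constructed sample log: two trusted sources, two untrusted ones
SAMPLE_LOG = """\
10.0.5.12 - admin [10/Nov/2021:12:00:01 +0000] "POST /ui/upload HTTP/1.1" 200 512
203.0.113.45 - - [10/Nov/2021:12:00:07 +0000] "POST /ui/upload HTTP/1.1" 200 512
192.168.1.20 - admin [10/Nov/2021:12:01:00 +0000] "GET /ui/status HTTP/1.1" 200 1024
198.51.100.9 - - [10/Nov/2021:12:02:30 +0000] "GET /ui/login HTTP/1.1" 200 2048
10.0.5.12 - - [10/Nov/2021:12:03:00 +0000] "GET /static/logo.png HTTP/1.1" 200 4096
"""


def is_trusted(src: str, nets=TRUSTED_NETS) -> bool:
    """True if `src` parses as an address inside one of the trusted networks."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # unparseable source is never trusted
    return any(addr in net for net in nets)


def parse_line(line: str) -> Optional[Tuple[str, str, str]]:
    """Extract (source, method, path) or None for lines that do not match."""
    m = LOG_RE.match(line)
    return (m["src"], m["method"], m["path"]) if m else None


def untrusted_ui_requests(log_text: str,
                          nets=TRUSTED_NETS) -> List[Tuple[str, str, str]]:
    """Return management-UI requests that came from outside the trusted networks."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src, method, path = rec
        if path.startswith(UI_PREFIX) and not is_trusted(src, nets):
            findings.append(rec)
    return findings


if __name__ == "__main__":
    for src, method, path in untrusted_ui_requests(SAMPLE_LOG):
        print(f"UI reachable from untrusted source {src}: {method} {path}")
```

Any hit means the UI is still reachable from outside the trusted set, so the access list or WAN-side UI setting has not taken effect; an empty result over a representative log window is the evidence to look for before relying on the mitigation.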
Fixed Software
10.1.2r60p92 or later
10.2.2r44p1 or later
Source
Found by code review after being made aware of active exploit activity.