FatPipe VPN Zero-Day Exploited by APT

Overview

The FBI has warned that a threat actor has exploited a zero-day vulnerability in FatPipe’s virtual private network (VPN) devices to breach companies and gain entry to their internal networks.

Impact

“The flaw allowed advanced persistent threat (APT) actors to take advantage of a file upload function in the device’s firmware to install a WebShell with root access, which led to elevated privileges.”

A vulnerability in the web management interface of FatPipe’s software could allow a remote attacker to upload a file to any location on the filesystem on an affected device.

Affected Products

WARP, MPVPN, IPVPN
All versions prior to the fixed releases:
– 10.1.2r60p93 or later
– 10.2.2r44p1 or later

Mitigation

FatPipe issued a patch and security advisory, FPSA006, on November 16, 2021, that fixes the vulnerability.

System administrators should expedite upgrading their devices and follow FatPipe’s additional security recommendations: disable UI and SSH access from the WAN interface when such access is not required, and configure Access Control Lists (ACLs) on interfaces so that only trusted sources are allowed access.

Indicators of Compromise

– /webapps/fpui/img/1.jsp
– /etc/ssh/sshd_config.bak
– /root/.ssh/authorized_keys.bak
– Search Tomcat access logs, located at /var/log/tomcat/localhost_access_log*, for:
  o POST requests to the URL: /fpui/uploadConfigServlet?fileNumber=undefined
  o GET requests to the URL, with commands: /fpui/img/1.jsp
– Search SSH access/secure logs under /var/log for successful SSH connections via public key from unknown IP addresses: Accepted publickey for root
– Search wtmp and lastlog files for sessions from unknown IP addresses
– Search Tomcat error logs, located at /var/log/tomcat/catalina*, for the following caught exception: ERROR com.fatpipe.centralm
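The log and file-system checks above can be run as one script. The following is an added example written for this page, not FatPipe or FBI tooling. It assumes the Tomcat access log uses Tomcat’s default “common” AccessLogValve pattern and that sshd emits its default “Accepted publickey” message; the sample log lines, the trusted-administrator address list and the RFC 5737 IP addresses are constructed for illustration. It also goes one step beyond the advisory by flagging any .jsp under /fpui/img/ as suspicious, on the assumption that an image directory should serve no JSP at all.

```python
#!/usr/bin/env python3
"""Hunt for the FatPipe FPSA006 indicators in Tomcat access logs, SSH auth logs
and the file system. Added example, not vendor tooling. Assumes Tomcat's default
"common" access-log pattern and sshd's default success message (both assumptions;
adjust the regexes if the appliance logs differently)."""
import os
import re
from typing import Callable, Iterable

# File-system indicators named in the advisory.
IOC_FILES = (
    "/webapps/fpui/img/1.jsp",
    "/etc/ssh/sshd_config.bak",
    "/root/.ssh/authorized_keys.bak",
)

# Tomcat "common" pattern: host ident user [time] "METHOD target proto" status bytes
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
# Default sshd message for a successful key-based root login.
SSH_RE = re.compile(r"Accepted publickey for root from (?P<ip>\S+) port (?P<port>\d+)")


def check_ioc_files(path_exists: Callable[[str], bool] = os.path.exists) -> list[str]:
    """Return the advisory's file indicators that exist on this host."""
    return [p for p in IOC_FILES if path_exists(p)]


def scan_tomcat_access(lines: Iterable[str]) -> list[dict]:
    """Flag the upload request that dropped the WebShell and requests to it."""
    hits = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue  # not a line in the expected access-log format
        path, _, query = m["target"].partition("?")
        reason = None
        if m["method"] == "POST" and path == "/fpui/uploadConfigServlet" \
                and "fileNumber=undefined" in query:
            reason = "config upload with fileNumber=undefined (WebShell drop)"
        elif path == "/fpui/img/1.jsp":
            reason = "request to known WebShell path (commands in query string)"
        elif path.startswith("/fpui/img/") and path.endswith(".jsp"):
            # Assumption beyond the advisory: no JSP belongs under the img directory.
            reason = "unexpected JSP under /fpui/img/"
        if reason:
            hits.append({"ip": m["ip"], "ts": m["ts"], "method": m["method"],
                         "target": m["target"], "status": m["status"], "reason": reason})
    return hits


def scan_ssh_auth(lines: Iterable[str], trusted_ips: set[str]) -> list[dict]:
    """Return root public-key logins from addresses not on the trusted list."""
    hits = []
    for line in lines:
        m = SSH_RE.search(line)
        if m and m["ip"] not in trusted_ips:
            hits.append({"ip": m["ip"], "port": m["port"], "line": line.strip()})
    return hits


# Constructed sample lines using RFC 5737 documentation addresses; not real captures.
SAMPLE_ACCESS_LOG = [
    '192.0.2.10 - - [15/Nov/2021:10:20:01 +0000] "GET /fpui/login.jsp HTTP/1.1" 200 2048',
    '198.51.100.7 - - [15/Nov/2021:10:21:33 +0000] "POST /fpui/uploadConfigServlet?fileNumber=undefined HTTP/1.1" 200 512',
    '198.51.100.7 - - [15/Nov/2021:10:21:40 +0000] "GET /fpui/img/1.jsp?cmd=id HTTP/1.1" 200 87',
    '192.0.2.10 - - [15/Nov/2021:10:22:05 +0000] "GET /fpui/img/logo.png HTTP/1.1" 200 4096',
]
SAMPLE_AUTH_LOG = [
    "Nov 15 10:19:50 fatpipe sshd[2210]: Accepted publickey for root from 192.0.2.10 port 50122 ssh2: RSA SHA256:constructed",
    "Nov 15 10:23:12 fatpipe sshd[2288]: Accepted publickey for root from 198.51.100.7 port 51234 ssh2: RSA SHA256:constructed",
    "Nov 15 10:23:30 fatpipe sshd[2290]: Failed password for admin from 203.0.113.5 port 40000 ssh2",
]
TRUSTED_ADMIN_IPS = {"192.0.2.10"}  # hypothetical management host


def main() -> None:
    for hit in scan_tomcat_access(SAMPLE_ACCESS_LOG):
        print("TOMCAT", hit["ip"], hit["method"], hit["target"], "->", hit["reason"])
    for hit in scan_ssh_auth(SAMPLE_AUTH_LOG, TRUSTED_ADMIN_IPS):
        print("SSH   ", hit["ip"], "port", hit["port"], "-> root key login from untrusted address")
    for path in check_ioc_files():
        print("FILE  ", path, "-> indicator present")


if __name__ == "__main__":
    main()
```

On a live appliance, replace the sample lists with the contents of /var/log/tomcat/localhost_access_log* and the SSH auth/secure logs under /var/log, and populate the trusted set with the addresses that are genuinely expected to reach the management interface. A single root key login from an address outside that set is worth investigating even when the Tomcat checks are clean, since the .bak files in the indicator list suggest the actor also tampered with SSH configuration.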

Threat Landscape

Corporate VPNs are common targets for threat actors because they facilitate communications from external devices to internal resources. To do this they need to present an interface to the internet that is capable of accepting connections, and they need a link to the internal network to provide access. Because of the shift to remote working, or to facilitate third-party support, an increasing number of management interfaces are being presented to the internet, where they would typically only have been accessible on internal interfaces. The additional security recommendations provided by FatPipe are valid for other vendors’ VPNs, and, while not suitable for all instances, consideration could be given to disabling external management interfaces and requiring multi-factor authenticated access to the internal network via the VPN, so that the management console is reached through the internal interface only when necessary.

MITRE Methodologies

T1608.002 – Stage Capabilities

Further Information

CVE List FPSA001: Remote Privilege Escalation