CVE-2020-27464
📋 TL;DR
This vulnerability allows unauthenticated attackers to execute arbitrary code on rConfig servers by uploading a malicious ZIP file to the insecure /updater.php component. It affects all rConfig installations version 3.9.6 and below. Attackers can gain full control of affected systems without requiring authentication.
💻 Affected Systems
- rConfig
📦 What is this software?
Rconfig by Rconfig
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to install backdoors, steal sensitive network configuration data, pivot to other systems, and maintain persistent access.
Likely Case
Attackers gain shell access to the rConfig server, allowing them to modify network device configurations, steal credentials, and use the server as a foothold for further attacks.
If Mitigated
With proper network segmentation and access controls, impact is limited to the rConfig server itself, though sensitive configuration data could still be compromised.
🎯 Exploit Status
Exploitation is straightforward with publicly available proof-of-concept code. Attackers only need to craft a malicious ZIP file and send it to the vulnerable endpoint.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.9.7 and above
Vendor Advisory: https://rconfig.com/download
Restart Required: No
Instructions:
1. Download rConfig version 3.9.7 or later from the official website.
2. Back up your current installation and database.
3. Follow the upgrade instructions in the rConfig documentation.
4. Verify that the /updater.php component has been secured or removed.
🔧 Temporary Workarounds
Block access to updater.php
Temporarily block HTTP access to the vulnerable /updater.php component using web server configuration or firewall rules.
# For Apache: add to .htaccess or virtual host config
# (Order/Deny is Apache 2.2 syntax; on Apache 2.4 without mod_access_compat use "Require all denied" inside the <Files> block instead)
<Files "updater.php">
Order allow,deny
Deny from all
</Files>
# For Nginx: add to the server block, placed before the generic "location ~ \.php$" handler,
# since regex locations are matched in order of appearance and the first match wins
location ~ /updater\.php$ {
deny all;
return 403;
}
Remove updater.php file
Delete or rename the vulnerable updater.php file to prevent exploitation.
# Backup then remove the file
cp /path/to/rconfig/updater.php /path/to/rconfig/updater.php.backup
rm /path/to/rconfig/updater.php
🧯 If You Can't Patch
- Implement strict network access controls to limit access to rConfig servers to authorized administrators only.
- Deploy a web application firewall (WAF) with rules to block malicious ZIP file uploads and RCE attempts.
🔍 How to Verify
Check if Vulnerable:
Check whether /updater.php is accessible via an HTTP GET request and whether the rConfig version is 3.9.6 or below. Also check for the presence of the vulnerable file:
ls -la /path/to/rconfig/updater.php
Check Version:
grep -r "version" /path/to/rconfig/install/directory/*.php | grep -i "3.9"
Verify Fix Applied:
Verify rConfig version is 3.9.7 or higher and that /updater.php either returns 403/404 or has been removed. Test with a benign request to confirm access is blocked.
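The two checks above (version at or below 3.9.6, and /updater.php answering a benign GET with 403/404 rather than 200) can be scripted. The following is an added example written for this page, not a tool shipped by rConfig: it extracts the version from any text you feed it (for instance the output of the grep command above), compares it numerically rather than as a string, and interprets the status code of a body-less GET. The base URL and the version string are supplied by the operator; nothing here is an rConfig API.

```python
import re
import sys
import urllib.error
import urllib.request

# From the advisory: 3.9.7 and above is patched.
FIXED_VERSION = (3, 9, 7)


def parse_version(text):
    """Extract the first x.y.z version in `text` (e.g. a grep match line) as an int tuple."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(part) for part in m.groups())


def version_is_vulnerable(text):
    """True when the version found in `text` is below the fixed release.

    Tuple comparison avoids the string-comparison trap where "3.9.10" < "3.9.6".
    """
    return parse_version(text) < FIXED_VERSION


def classify_status(status):
    """Interpret the HTTP status of a benign GET to /updater.php, per the advisory."""
    if status in (403, 404, 410):
        return "blocked-or-removed"
    if 200 <= status < 300:
        return "reachable"
    return "inconclusive"


def probe_updater(base_url, timeout=5):
    """Send a body-less GET to <base_url>/updater.php and return the HTTP status code."""
    req = urllib.request.Request(base_url.rstrip("/") + "/updater.php", method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        # 403/404 arrive as exceptions; the code is what we want
        return exc.code


if __name__ == "__main__":
    # usage: python check_rconfig.py https://rconfig.example.internal "3.9.6"
    # (hostname and version are placeholders supplied by the operator)
    base, version_text = sys.argv[1], sys.argv[2]
    print("version vulnerable:", version_is_vulnerable(version_text))
    print("updater.php:", classify_status(probe_updater(base)))
```

An installation is fixed only when both checks agree: the version is 3.9.7 or later and the endpoint reports blocked-or-removed. A reachable endpoint on a patched version still deserves a look, since the advisory's upgrade step 4 expects the component to be secured or removed.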
📡 Detection & Monitoring
Log Indicators:
- HTTP POST requests to /updater.php with ZIP file uploads
- Unusual file creation in web directories (especially PHP files)
- Commands executed via web server user (www-data, apache, nginx)
Network Indicators:
- HTTP traffic to /updater.php endpoint
- ZIP file uploads to the rConfig server
- Outbound connections from rConfig server to suspicious IPs
SIEM Query:
source="web_server_logs" AND (uri_path="/updater.php" OR file_extension=".zip") AND status_code=200
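The log indicators above can be turned into a small detection pass over web server access logs. This is an added example written for this page, not part of the advisory or of rConfig: it parses combined-format lines, flags accepted POSTs to /updater.php, records which client sent them, and then treats any request for a PHP file outside a known baseline as a follow-on indicator (rated higher when it comes from an IP that just hit the updater). The baseline set and the sample log lines are constructed for the example; real deployments would load the baseline from an inventory of the install.

```python
import re

# Apache/Nginx "combined" format; method, path and status are enough for these indicators.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample lines (not real traffic): an accepted upload to updater.php,
# a request for a PHP file that was not part of the install, and a blocked GET.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2020:13:55:36 +0000] "POST /updater.php HTTP/1.1" 200 512 "-" "python-requests/2.24"
203.0.113.7 - - [10/Oct/2020:13:55:38 +0000] "GET /dropped.php?cmd=id HTTP/1.1" 200 73 "-" "python-requests/2.24"
198.51.100.9 - - [10/Oct/2020:13:56:01 +0000] "GET /login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2020:13:56:05 +0000] "GET /updater.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
"""

# Assumption: a baseline inventory of PHP entry points shipped with the install.
KNOWN_PHP = {"/login.php", "/index.php", "/dashboard.php"}


def parse(lines):
    """Yield dicts for every line that matches the combined format; skip the rest."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def find_indicators(log_text, known_php=KNOWN_PHP):
    """Return (severity, reason, ip, path) tuples for requests matching the advisory's indicators."""
    hits = []
    uploaders = set()  # clients that got a 2xx on a POST to the updater
    for rec in parse(log_text.splitlines()):
        path = rec["path"].split("?", 1)[0]
        accepted = rec["status"].startswith("2")
        if path == "/updater.php":
            if rec["method"] == "POST" and accepted:
                hits.append(("high", "accepted POST to /updater.php", rec["ip"], path))
                uploaders.add(rec["ip"])
            elif not accepted:
                hits.append(("info", f"blocked access to /updater.php ({rec['status']})", rec["ip"], path))
            else:
                hits.append(("medium", "updater.php reachable (GET returned 2xx)", rec["ip"], path))
        elif path.endswith(".php") and path not in known_php:
            severity = "high" if rec["ip"] in uploaders else "medium"
            hits.append((severity, "request to PHP file outside baseline", rec["ip"], path))
    return hits


if __name__ == "__main__":
    for severity, reason, ip, path in find_indicators(SAMPLE_LOG):
        print(f"{severity:6} {ip:15} {path:20} {reason}")
```

The "blocked" entries are worth keeping at info level: after the workaround above is applied, a steady stream of 403s on /updater.php is the evidence that the block is in place and that someone is still probing for it.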