CVE-2022-31125
📋 TL;DR
CVE-2022-31125 is an authentication bypass vulnerability in the Roxy-wi web interface that allows unauthenticated remote attackers to access administrative functionality. It affects all Roxy-wi installations before version 6.1.1.0, potentially exposing the management of HAProxy, Nginx, Apache, and Keepalived servers to unauthorized control.
💻 Affected Systems
- Roxy-wi
📦 What is this software?
Roxy Wi by Roxy Wi
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of managed servers allowing configuration changes, service disruption, data exposure, and potential lateral movement to backend systems.
Likely Case
Unauthorized administrative access leading to configuration tampering, service disruption, and potential credential harvesting from managed systems.
If Mitigated
Limited impact if proper network segmentation and access controls prevent external access to the Roxy-wi interface.
🎯 Exploit Status
Exploitation requires sending a specially crafted HTTP request. Public exploit code is available in the Packet Storm references.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.1.1.0
Vendor Advisory: https://github.com/hap-wi/roxy-wi/security/advisories/GHSA-hr76-3hxp-5mm3
Restart Required: Yes
Instructions:
1. Back up the current configuration.
2. Stop the Roxy-wi service.
3. Update to version 6.1.1.0 or later.
4. Restart the Roxy-wi service.
5. Verify that authentication is working properly.
🔧 Temporary Workarounds
Network Access Restriction
Restrict network access to the Roxy-wi interface using firewall rules (Linux):
iptables -A INPUT -p tcp --dport [roxy-wi-port] -s [trusted-ips] -j ACCEPT
iptables -A INPUT -p tcp --dport [roxy-wi-port] -j DROP
🧯 If You Can't Patch
- Immediately restrict network access to the Roxy-wi interface using firewall rules so that only trusted IP addresses are allowed
- Monitor authentication logs for suspicious activity and add an additional authentication layer (for example, a reverse proxy with its own authentication in front of Roxy-wi)
🔍 How to Verify
Check if Vulnerable:
Check the installed Roxy-wi version. If it is below 6.1.1.0, the system is vulnerable.
Check Version:
Check the Roxy-wi web interface footer or the configuration files for version information.
Verify Fix Applied:
After updating to 6.1.1.0 or later, verify that authentication is required for all administrative functions by testing them with unauthenticated requests, which should be rejected.
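The version check above is easy to get wrong when done as a plain string comparison (dotted version strings do not sort numerically). The following helper, an added example that is not part of the advisory or of the Roxy-wi project, compares the installed version numerically against the fixed version 6.1.1.0 named above. The version-string format it accepts (digits separated by dots, optional leading "v") is an assumption; adapt `parse_version` if your installation reports versions differently.

```python
import re

# Fixed version from the advisory above.
FIXED_VERSION = "6.1.1.0"


def parse_version(version):
    """Turn a dotted version string such as "6.1.0.0" or "v6.1.1.0" into a tuple of ints.

    Assumption: the version is digits separated by dots; any non-digit
    characters (a leading "v", trailing tags) are ignored.
    """
    parts = re.findall(r"\d+", version)
    if not parts:
        raise ValueError("no numeric version components in %r" % version)
    return tuple(int(p) for p in parts)


def is_vulnerable(installed, fixed=FIXED_VERSION):
    """Return True when the installed version is older than the fixed version.

    Both tuples are right-padded with zeros so that "6.1.1" and "6.1.1.0"
    compare as equal; tuples compare element-wise and numerically, which is
    what a string comparison would get wrong (e.g. "10" vs "9").
    """
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


if __name__ == "__main__":
    # Constructed sample inputs, not output from a real installation.
    for v in ("6.1.0.0", "6.1.1.0", "6.1.1", "v6.2.0.0"):
        status = "VULNERABLE" if is_vulnerable(v) else "fixed"
        print("%-10s %s" % (v, status))
```

Run it as a script to see the status of a few constructed version strings, or import `is_vulnerable` into an inventory script that reads the version from each Roxy-wi host.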
📡 Detection & Monitoring
Log Indicators:
- Unauthenticated access to admin endpoints
- Authentication bypass attempts
- Admin actions from unauthenticated IPs
Network Indicators:
- HTTP requests to admin endpoints without authentication headers
- Unusual pattern of requests to authentication endpoints
SIEM Query:
source="roxy-wi" AND (url="*/admin/*" OR url="*/config/*") AND NOT (user!="" OR auth_success="true")
🔗 References
- http://packetstormsecurity.com/files/171648/Roxy-WI-6.1.0.0-Improper-Authentication-Control.html
- https://github.com/hap-wi/roxy-wi/security/advisories/GHSA-hr76-3hxp-5mm3