CVE-2023-39108
📋 TL;DR
CVE-2023-39108 is a Server-Side Request Forgery (SSRF) vulnerability in rconfig v3.9.4 that allows authenticated attackers to make arbitrary HTTP requests from the vulnerable server. This affects organizations using rconfig v3.9.4 for network device configuration management, potentially exposing internal services to attackers with valid credentials.
💻 Affected Systems
- rconfig
📦 What is this software?
Rconfig by Rconfig
⚠️ Risk & Real-World Impact
Worst Case
Attackers could pivot to internal systems, access cloud metadata services, perform port scanning, or interact with internal APIs leading to data exfiltration or further compromise.
Likely Case
Unauthorized access to internal HTTP services, information disclosure from internal endpoints, or interaction with cloud metadata services if deployed in cloud environments.
If Mitigated
Limited to accessing only whitelisted internal services with proper network segmentation and egress filtering in place.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once credentials are obtained. A public proof-of-concept demonstrates the SSRF via a crafted path_b parameter.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.9.5 or later
Vendor Advisory: https://github.com/rconfig/rconfig/releases
Restart Required: Yes
Instructions:
1. Back up the current rconfig installation and database.
2. Download rconfig v3.9.5 or later from the official repository.
3. Replace the vulnerable files with the patched version.
4. Restart the web server and rconfig services.
5. Verify that the compare feature still works.
🔧 Temporary Workarounds
Input Validation Filter
Add input validation to reject URLs in the path_b parameter.
Modify /classes/compareClass.php so that path_b is validated against allowed local paths only (any value carrying a URL scheme, a host component or a traversal sequence is refused before it is used).
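The validator below is an added example written for this page; it is not rconfig's own code and does not reproduce compareClass.php. It shows the shape of the check the workaround describes: path_b is accepted only when it is a plain, absolute local path underneath an allowlisted directory, and anything with a URL scheme, a host component, or a `..` segment is rejected. The allowlisted root directory is an assumption chosen for the example.

```python
from pathlib import PurePosixPath
from urllib.parse import urlsplit

# Assumed allowlist for the example; the real rconfig config directory may differ.
ALLOWED_ROOTS = ("/home/rconfig/data/configs",)


def validate_path_b(path_b: str, allowed_roots=ALLOWED_ROOTS) -> bool:
    """Return True only when path_b is a safe local path under an allowed root.

    Rejects: empty values, control characters, any URL scheme (http://, https://,
    file://, ...), protocol-relative values (//host/...), relative paths, and
    any path that still contains a '..' segment after normalisation.
    """
    if not path_b or any(c in path_b for c in ("\x00", "\r", "\n")):
        return False

    parts = urlsplit(path_b)
    # A scheme or a network location means this is a URL, not a local file path.
    if parts.scheme or parts.netloc:
        return False

    p = PurePosixPath(path_b)  # collapses '.' segments and duplicate slashes
    if not p.is_absolute() or ".." in p.parts:
        return False

    normalized = str(p)
    return any(
        normalized == root or normalized.startswith(root + "/")
        for root in allowed_roots
    )


if __name__ == "__main__":
    # Constructed sample inputs; the expected outcome is shown beside each.
    for candidate in (
        "/home/rconfig/data/configs/router1.cfg",          # accepted
        "http://internal-service.example:8080/status",     # rejected: URL
        "//fileshare.example/configs/router1.cfg",         # rejected: host component
        "/home/rconfig/data/configs/../../../etc/hosts",   # rejected: traversal
        "configs/router1.cfg",                             # rejected: relative
    ):
        print(f"{candidate!r}: {'accepted' if validate_path_b(candidate) else 'rejected'}")
```

The allowlist is compared after normalisation so that `/home/rconfig/data/configs/./x` and `/home/rconfig/data/configs//x` are judged on their canonical form; if the real deployment resolves symlinks, the same check should be repeated on the resolved path.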
Network Egress Filtering
Restrict outbound HTTP requests from the rconfig server. Note that the two rules below drop all outbound TCP 80/443 from the host, including package updates and any legitimate web calls; insert ACCEPT rules for required destinations ahead of them.
iptables -A OUTPUT -p tcp --dport 80 -j DROP
iptables -A OUTPUT -p tcp --dport 443 -j DROP
🧯 If You Can't Patch
- Disable the compare functionality in rconfig by removing or restricting access to /classes/compareClass.php
- Implement strict network segmentation to isolate rconfig server from sensitive internal services
🔍 How to Verify
Check if Vulnerable:
Confirm whether the installation is rconfig v3.9.4 by examining the version files or the web interface footer.
Check Version:
grep -r 'version' /var/www/rconfig/ | grep '3.9.4'   (adjust the path if rconfig is installed elsewhere)
Verify Fix Applied:
Exercise the compare functionality with an external URL in the path_b parameter; a patched installation must reject the request.
📡 Detection & Monitoring
Log Indicators:
- Unusual HTTP requests originating from rconfig server to internal/external endpoints
- Multiple compare operations with unusual path parameters
Network Indicators:
- HTTP traffic from rconfig server to unexpected internal services or external IPs
- Port scanning patterns from rconfig server
SIEM Query:
source="rconfig" AND (path_b CONTAINS "http://" OR path_b CONTAINS "https://")
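As an added example that is not part of the original advisory, the script below applies the same logic as the SIEM query to a handful of constructed application log lines and goes slightly further than the query: it matches any URL scheme rather than only `http://` and `https://`, matches case-insensitively (the query's CONTAINS may not), and also flags protocol-relative values. The key=value log format and the sample entries are assumptions constructed for the example; rconfig's real log format is not described on the page.

```python
import re
from collections import Counter

# Constructed sample log lines in an assumed key=value format.
SAMPLE_LOG = """\
2024-05-01T09:12:03Z user=alice action=compare path_a=/home/rconfig/data/configs/sw1.cfg path_b=/home/rconfig/data/configs/sw1.prev.cfg
2024-05-01T09:13:47Z user=bob action=compare path_a=/home/rconfig/data/configs/rtr1.cfg path_b=http://10.0.0.5:8080/status
2024-05-01T09:13:52Z user=bob action=compare path_a=/home/rconfig/data/configs/rtr1.cfg path_b=HTTPS://internal-api.example/v1/health
2024-05-01T09:14:01Z user=bob action=compare path_a=/home/rconfig/data/configs/rtr1.cfg path_b=//fileshare.example/cfg
2024-05-01T09:20:30Z user=carol action=compare path_a=/home/rconfig/data/configs/fw1.cfg path_b=/home/rconfig/data/configs/fw1.prev.cfg
"""

# One compare event per line: timestamp, acting user, and the path_b value.
LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) action=compare .*?path_b=(?P<path_b>\S+)")

# Any scheme (http, https, file, ...) or a protocol-relative '//host' prefix.
URL_RE = re.compile(r"^(?:[a-z][a-z0-9+.-]*:|//)", re.IGNORECASE)


def find_ssrf_indicators(log_text: str):
    """Return (events, per_user) for compare operations whose path_b is a URL.

    events:   list of (timestamp, user, path_b) for each suspicious line
    per_user: Counter of suspicious events per user, to surface the
              'multiple compare operations with unusual path parameters' pattern
    """
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        path_b = m.group("path_b")
        if URL_RE.match(path_b):
            events.append((m.group("ts"), m.group("user"), path_b))
    per_user = Counter(user for _, user, _ in events)
    return events, per_user


if __name__ == "__main__":
    hits, by_user = find_ssrf_indicators(SAMPLE_LOG)
    for ts, user, path_b in hits:
        print(f"{ts} suspicious compare by {user}: path_b={path_b}")
    for user, n in by_user.most_common():
        print(f"{user}: {n} suspicious compare operation(s)")
```

Pair the log-side detection with the network-side indicators above: a compare request whose path_b is a URL should coincide with an outbound connection from the rconfig host, and an alert on that pairing is far less noisy than either signal alone.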