FatPipe Networks WARP 10.2.2 Authorization Bypass

Title: FatPipe Networks WARP 10.2.2 Authorization Bypass
Advisory ID: ZSL-2021-5682
Type: Local/Remote
Impact: Security Bypass
Risk: (3/5)
Release Date: 27.09.2021
Summary
FatPipe Networks invented the concept of router-clustering, which provides the highest level of reliability, redundancy, and speed of Internet traffic for Business Continuity and communications. FatPipe WARP achieves fault tolerance for companies by creating an easy method of combining two or more Internet connections of any kind over multiple ISPs. FatPipe utilizes all paths when the lines are up and running, dynamically balancing traffic over the multiple lines, and intelligently failing over inbound and outbound IP traffic when ISP services and/or components fail.
Description
Improper access control occurs when the application provides direct access to objects based on user-supplied input. As a result of this vulnerability attackers can bypass authorization and access resources behind protected pages.
Vendor
FatPipe Networks Inc. - https://www.fatpipeinc.com
Affected Version
WARP
10.2.2r38
10.2.2r25
10.2.2r10
10.1.2r60p82
10.1.2r60p71
10.1.2r60p65
10.1.2r60p58s1
10.1.2r60p58
10.1.2r60p55
10.1.2r60p45
10.1.2r60p35
10.1.2r60p32
10.1.2r60p13
10.1.2r60p10
9.1.2r185
9.1.2r180p2
9.1.2r165
9.1.2r164p5
9.1.2r164p4
9.1.2r164
9.1.2r161p26
9.1.2r161p20
9.1.2r161p17
9.1.2r161p16
9.1.2r161p12
9.1.2r161p3
9.1.2r161p2
9.1.2r156
9.1.2r150
9.1.2r144
9.1.2r129
7.1.2r39
6.1.2r70p75-m
6.1.2r70p45-m
6.1.2r70p26
5.2.0r34
Tested On
Apache-Coyote/1.1
Vendor Status
[30.05.2016] Vulnerability discovered.
[25.07.2021] Vulnerability discovered.
[25.07.2021] Vendor contacted.
[27.07.2021] No response from the vendor.
[28.07.2021] Vendor contacted.
[06.08.2021] No response from the vendor.
[07.08.2021] Vendor contacted.
[09.08.2021] CISA contacted.
[09.08.2021] CISA asks for more details.
[09.08.2021] Sent details to CISA.
[10.08.2021] CISA asked if the vulnerabilities were previously reported and which contacts did ZSL used initially.
[10.08.2021] Replied to CISA.
[10.08.2021] CISA will reach out to the vendor.
[16.08.2021] Asked CISA for status update.
[17.08.2021] CISA responds that the vendor replied and is reviewing the information.
[17.08.2021] CISA responds, vendor pushed updates to address the reported issues.
[17.08.2021] Replied to CISA, asked for patch release plan and coordination of advisory release.
[18.08.2021] Working with CISA and FatPipe.
[20.08.2021] Vendor released advisory: https://www.fatpipeinc.com/support/advisories.php
[23.08.2021] Working with the vendor.
[24.08.2021] Sent draft advisories to vendor. Asked for fixed version number. Informed that the advisories will be released mid September.
[25.08.2021] Asked vendor for confirmation of PoCs receipt.
[30.08.2021] Further discussion with the vendor about the vulnerabilities.
[07.09.2021] Asked vendor for status update.
[10.09.2021] Vendor requests more details.
[10.09.2021] Provided further details to the vendor.
[14.09.2021] Informed the vendor that advisories will be released 27th September.
[19.09.2021] Informed CISA about our release plan.
[27.09.2021] Coordinated public security advisory released.
[27.09.2021] Vendor provides fixed versions 10.1.2r60p92 and 10.2.2r43, and for 9.1.2: 9.1.2r161p31 and 9.1.2r180p9.
PoC
fatpipe_auth.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] https://www.fatpipeinc.com/support/advisories.php
[2] https://www.exploit-db.com/exploits/50339
[3] https://packetstormsecurity.com/files/164320/FatPipe-Networks-WARP-10.2.2-Authorization-Bypass.html
[4] https://cxsecurity.com/issue/WLB-2021090143
[5] https://exchange.xforce.ibmcloud.com/vulnerabilities/210327
[6] https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/2791320/nsa-cisa-release-guidance-on-selecting-and-hardening-remote-access-vpns/
[7] https://www.fatpipeinc.com/support/cve-list.php
[8] https://thehackernews.com/2021/11/fbi-issues-flash-alert-on-actively.html
[9] https://www.ic3.gov/Media/News/2021/211117-2.pdf
[10] https://threatpost.com/fbi-fatpipe-vpn-zero-day-exploited-apt/176453/
[11] https://cisomag.eccouncil.org/fatpipe-mpvpn-zero-day-vulnerability-exploited/
[12] https://www.securityweek.com/fbi-warns-actively-exploited-fatpipe-zero-day-vulnerability
[13] https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-27858
[14] https://www.fatpipeinc.com/fpsa/fpsa004.php
Changelog
[27.09.2021] - Initial release
[30.09.2021] - Added reference [2], [3], [4], [5] and [6]
[21.11.2021] - Added reference [7], [8], [9], [10], [11] and [12]
[11.01.2022] - Added reference [13]
[01.02.2022] - Added reference [14]
Contact
Zero Science Lab

Web: https://www.zeroscience.mk
e-mail: lab@zeroscience.mk