CVE-2020-10546
Published 2020-06-04
Priority P1 · 91 · critical 9.8 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 87.33% (99.7th percentile)
rConfig 3.9.4 and previous versions has unauthenticated compliancepolicies.inc.php SQL injection. Because, by default, nodes' passwords are stored in cleartext, this vulnerability leads to lateral movement, granting an attacker access to monitored network devices.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| rconfig | rconfig | <= 3.9.4 | — |
Detection & IOCs (extracted from sources)
url: {{BaseURL}}/compliancepolicies.inc.php?search=True&searchColumn=policyName&searchOption=contains&searchField=antani'+union+select+(select+concat(0x223e3c42523e5b70726f6a6563742d646973636f766572795d)+limit+0,1),NULL,NULL+--+
snort: ET EXPLOIT rConfig [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT rConfig < 3.9.7 SQLi (CVE-2020-10546)"; flow:established,to_server; http.uri; content:"/compliancepolicies.inc.php"; nocase; fast_pattern; content:"searchOption=contains"; content:"searchField=antani"; pcre:"/[^&]*(?:S(?:HOW.+(?:C(?:HARACTER.+SET|UR(DATE|TIME))|(?:VARI|T)ABLES)|ELECT.+(?:FROM|USER))|U(?:NION.+SELEC|PDATE.+SE)T|DELETE.+FROM|INSERT.+INTO|\/\*.+\*\/|EXEC)/Ri"; reference:url,github.com/theguly/exploits/blob/master/CVE-2020-10546.py; reference:url,github.com/projectdiscovery/nuclei; reference:cve,2020-10546; classtype:attempted-admin; sid:2033639; rev:2; metadata:attack_target Web_Server, created_at 2021_08_02, cve CVE_2020_10546, deployment Perimeter, deployment SSLDecrypt, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_08_02;)
bytes: 0x223e3c42523e5b70726f6a6563742d646973636f766572795d
- Exploit requests target /compliancepolicies.inc.php with the GET parameters search=True, searchColumn=policyName, searchOption=contains, and a SQLi payload in searchField (e.g. 'antani' followed by UNION SELECT). Alert on the co-occurrence of these parameters in a single HTTP URI.
- The Nuclei PoC probe injects a UNION SELECT payload that returns the canary string '[project-discovery]' in the HTTP response body. Seeing this string in responses from /compliancepolicies.inc.php indicates successful union-based SQLi exploitation.
- The Snort/ET rule uses a PCRE to catch common SQL keywords (UNION SELECT, UPDATE SET, DELETE FROM, INSERT INTO, SHOW TABLES, EXEC, inline comments /*…*/) in the URI query string of requests to the vulnerable endpoint. The same regex can serve as a WAF or IDS pattern.
- Shodan/FOFA/Google dorks can identify exposed rConfig instances for attack-surface inventory: search for HTTP title 'rconfig'.
- The vulnerability is unauthenticated: no session cookie or credentials are required. Any HTTP GET to /compliancepolicies.inc.php with SQL metacharacters in searchField should be treated as a high-confidence attack attempt.
- The ET Snort rule (sid:2033639) requires SSL/TLS decryption to be effective against HTTPS-protected rConfig deployments, as indicated by its 'deployment SSLDecrypt' metadata tag.
- Node passwords in rConfig are stored in cleartext by default, so successful SQLi exploitation directly yields usable credentials for lateral movement to monitored network devices.
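The detection heuristics above can be run directly against web-server access logs. The following is an added example, not code from this page, from rConfig, from Proofpoint/ET or from ProjectDiscovery: it carries the keyword PCRE of ET sid:2033639 over to Python's re syntax, applies it to the URL-decoded searchField value of requests to /compliancepolicies.inc.php, treats bare SQL metacharacters as a weaker signal, decodes the 0x… canary literal from the IOC list, and checks a response body for that canary. The log lines, client addresses and timestamps are constructed; the combined-log-format parser and the metacharacter class are assumptions of this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Endpoint and the query parameters the CVE-2020-10546 PoC sends to it.
VULN_PATH = "/compliancepolicies.inc.php"
POC_PARAMS = {"search": "True", "searchColumn": "policyName", "searchOption": "contains"}

# Keyword pattern from ET sid:2033639, carried over to Python re syntax (case-insensitive).
# Here it runs on the URL-decoded searchField value, not on the raw URI as the IDS does.
SQL_KEYWORDS = re.compile(
    r"(?:S(?:HOW.+(?:C(?:HARACTER.+SET|UR(?:DATE|TIME))|(?:VARI|T)ABLES)|ELECT.+(?:FROM|USER))"
    r"|U(?:NION.+SELEC|PDATE.+SE)T|DELETE.+FROM|INSERT.+INTO|/\*.+\*/|EXEC)",
    re.IGNORECASE,
)
# Weaker signal (assumed class): characters that do not belong in a policy-name search term.
SQL_METACHARS = re.compile(r"['\"#;]|--|/\*")

# Hex literal from the IOC list: the marker the Nuclei payload makes a vulnerable server echo.
CANARY_HEX = "0x223e3c42523e5b70726f6a6563742d646973636f766572795d"

# Apache/nginx combined log format (assumed): client, timestamp, request line, status.
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+)[^"]*" (?P<status>\d{3})'
)


def decode_canary(hex_literal: str) -> str:
    """Turn a 0x... SQL hex literal into the string the database would return for it."""
    digits = hex_literal[2:] if hex_literal.lower().startswith("0x") else hex_literal
    return bytes.fromhex(digits).decode("ascii")


CANARY = decode_canary(CANARY_HEX)  # '"><BR>[project-discovery]'


def classify_uri(uri: str) -> dict:
    """Grade one request URI as 'attack', 'suspicious' or 'benign', with the reasons."""
    parts = urlsplit(uri)
    if parts.path.lower() != VULN_PATH:
        return {"verdict": "benign", "reasons": []}
    # parse_qs decodes %xx escapes and turns '+' into spaces, so the regexes see the SQL as sent.
    query = parse_qs(parts.query, keep_blank_values=True)
    reasons = []
    if all(query.get(k, [None])[0] == v for k, v in POC_PARAMS.items()):
        reasons.append("PoC parameter set (search/searchColumn/searchOption) present")
    field = query.get("searchField", [""])[0]
    if SQL_KEYWORDS.search(field):
        reasons.append("ET keyword pattern matched in searchField")
        return {"verdict": "attack", "reasons": reasons}
    if SQL_METACHARS.search(field):
        reasons.append("SQL metacharacters in searchField")
        return {"verdict": "suspicious", "reasons": reasons}
    return {"verdict": "benign", "reasons": reasons}


def scan_access_log(lines) -> list:
    """Return one finding per non-benign request, in log order."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # unparsable line: skip rather than guess
        result = classify_uri(m["uri"])
        if result["verdict"] != "benign":
            findings.append({"client": m["client"], "ts": m["ts"], "uri": m["uri"], **result})
    return findings


def response_has_canary(body: str) -> bool:
    """True when a response from the endpoint carries the PoC canary, i.e. the UNION query ran."""
    return CANARY in body


# Constructed sample log (documentation-range addresses, invented timestamps).
SAMPLE_LOG = [
    '203.0.113.7 - - [02/Aug/2021:10:15:01 +0000] "GET /compliancepolicies.inc.php?search=True'
    "&searchColumn=policyName&searchOption=contains&searchField=antani'+union+select+(select+concat("
    '0x223e3c42523e5b70726f6a6563742d646973636f766572795d)+limit+0,1),NULL,NULL+--+ HTTP/1.1" 200 5123',
    '198.51.100.4 - - [02/Aug/2021:10:16:44 +0000] "GET /compliancepolicies.inc.php?search=True'
    '&searchColumn=policyName&searchOption=contains&searchField=PCI HTTP/1.1" 200 2048',
    '198.51.100.4 - - [02/Aug/2021:10:17:02 +0000] "GET /dashboard.php HTTP/1.1" 200 7310',
    '192.0.2.9 - - [02/Aug/2021:10:20:19 +0000] "GET /compliancepolicies.inc.php?search=True'
    '&searchColumn=policyName&searchOption=contains&searchField=foo%27-- HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f["verdict"].upper(), f["client"], f["ts"], "; ".join(f["reasons"]))
```

Two points worth keeping in mind when reusing this: the ET keyword pattern is deliberately broad (a bare EXEC also matches inside ordinary words), which is why it is only evaluated once the request path is already the vulnerable endpoint; and the IDS rule matches on the raw URI, so a payload sent with '+' or %20 encoding looks different on the wire than it does after decoding here.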
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vulncheck | — | 9.8 | CRITICAL | — |
GHSA
GHSA-9xcw-ph39-7c5x: rConfig 3 (ghsa_unreviewed · 2022-05-24)
CVE-2020-10546 [HIGH] CWE-89
VulnCheck
rConfig rConfig Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (vulncheck · 2020 · CVSS 9.8)
CVE-2020-10546 [CRITICAL]
Affected: rConfig rConfig
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-13&host_type=src&vulnerability=cve-2020-10546; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-17&h
Suricata
ET EXPLOIT rConfig < 3.9.7 SQLi (CVE-2020-10546) (suricata · 2021-08-02 · CVSS 9.8)
CVE-2020-10546 [CRITICAL]
Nuclei
rConfig 3.9.4 - SQL Injection (nuclei · CVSS 9.8)
CVE-2020-10546 [CRITICAL]
rConfig 3.9.4 and previous versions have unauthenticated compliancepolicies.inc.php SQL injection. Because nodes' passwords are stored in cleartext by default, this vulnerability leads to lateral movement, granting an attacker access to monitored network devices.
Template:

```yaml
id: CVE-2020-10546

info:
  name: rConfig 3.9.4 - SQL Injection
  author: madrobot
  severity: critical
  description: rConfig 3.9.4 and previous versions have unauthenticated compliancepolicies.inc.php SQL injection. Because nodes' passwords are stored in cleartext by default, this vulnerability leads to lateral movement, granting an attacker access to monitored network devices.
  impact: |
    Successful exploitation of this vulnerability allows an attacker to execute arbitrary SQL queries, potential
```
No writeups or analysis indexed.