daloRADIUS Web Management RCE
SonicWall Capture Labs Threat Research Team has observed the following threat:
daloRADIUS is an advanced RADIUS web management application aimed at managing hotspots and general-purpose ISP deployments. It features user management, graphical reporting, accounting, a billing engine and integrates with GoogleMaps for geo-locating.
A remote code execution vulnerability has been reported for daloRADIUS. The vulnerability is due to improper sanitization of user-controlled input during the configuration update process.
A remote, authenticated attacker can exploit this vulnerability by initiating a POST request to the target server. Successful exploitation could result in the execution of arbitrary commands in the security context of the daloRADIUS service on the target server.
This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2023-0048.
Common Vulnerability Scoring System (CVSS):
The overall CVSS score is 8.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C).
Base score is 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), based on the following metrics:
• Attack vector is network.
• Attack complexity is low.
• Privileges required is low.
• User interaction is none.
• Scope is unchanged.
• Impact of this vulnerability on data confidentiality is high.
• Impact of this vulnerability on data integrity is high.
• Impact of this vulnerability on data availability is high.
Temporal score is 8.3 (E:U/RL:O/RC:C), based on the following metrics:
• The exploit code maturity level of this vulnerability is proof of concept.
• The remediation level of this vulnerability is not defined.
• The report confidence level of this vulnerability is confirmed.
A sanitization vulnerability exists in daloRADIUS due to insufficient validation of the POST request parameter “config_mail_smtp_fromemail”. An HTTP POST request is sent to /config_mail.php with a custom value assigned to “config_mail_smtp_fromemail”. The variables in $_REQUEST are supplied to the script via the POST input mechanism, so they can be modified by the remote user and cannot be trusted:
fwrite() then writes the contents of $var to the file stream pointed to by $fp:
Executed Code For “config-mail.php”:
The attacker attains RCE, modifies the server configuration, and elevates permissions (read, modify, delete, and add files).
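To show the difference between the write path described above and a safe one, here is an added example that is not daloRADIUS's own code: the function names, the output path and the `$configValues` array name are assumptions, and the inputs at the bottom are constructed.

```php
<?php
// Added example (not daloRADIUS code). Demonstrates why interpolating a
// request value straight into a generated PHP config file is dangerous,
// and one hardened alternative. Names and paths are assumptions.

// Vulnerable pattern: the raw value becomes part of PHP source code, so any
// character that terminates the string literal is interpreted as code when
// the config file is later included.
function write_config_vulnerable(string $path, string $value): void
{
    $fp = fopen($path, 'w');
    fwrite($fp, "<?php\n\$configValues['config_mail_smtp_fromemail'] = '" . $value . "';\n");
    fclose($fp);
}

// Hardened pattern: (1) validate the value as an e-mail address and reject
// anything else; (2) serialize it with var_export(), which emits a correctly
// escaped PHP string literal, so quotes or backslashes that FILTER_VALIDATE_EMAIL
// legitimately allows (e.g. an apostrophe in the local part) cannot break out;
// (3) write atomically so a half-written file is never loaded.
function write_config_hardened(string $path, string $value): bool
{
    $email = filter_var(trim($value), FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        return false; // invalid input: write nothing
    }
    $line = "\$configValues['config_mail_smtp_fromemail'] = " . var_export($email, true) . ";\n";
    $tmp = $path . '.tmp';
    if (file_put_contents($tmp, "<?php\n" . $line, LOCK_EX) === false) {
        return false;
    }
    return rename($tmp, $path);
}

// Constructed inputs for demonstration.
$path = sys_get_temp_dir() . '/example-config.php';
var_dump(write_config_hardened($path, 'noreply@example.com'));   // bool(true)
var_dump(write_config_hardened($path, "o'reilly@example.com"));  // bool(true), quote is escaped
var_dump(write_config_hardened($path, 'not-an-email'));          // bool(false), file unchanged
echo file_get_contents($path);
```

The validation step alone is not sufficient, since FILTER_VALIDATE_EMAIL accepts some characters that are meaningful inside a PHP string literal; the escaping performed by var_export() is what keeps the value as data.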
Triggering the Problem:
• The target must have the vulnerable software installed.
• The attacker must have network connectivity to the target server.
• The attacker must have access to the “config_mail_smtp_fromemail” variable.
The attacker sends an HTTP POST request with a malicious “config_mail_smtp_fromemail” parameter. The vulnerability is triggered when the server processes the request.
The following application protocols can be used to deliver an attack that exploits this vulnerability:
SonicWall’s Intrusion Prevention System (IPS) provides protection against this threat:
• IPS: 18863 daloRADIUS Mail Settings RCE
The risks posed by this vulnerability can be mitigated or eliminated by:
• Updating to a non-vulnerable version of the product.
• Filtering attack traffic using the signature above.
The vendor has released the following patch regarding this vulnerability: