In order to exploit this vulnerability, a remote attacker must be able to establish a connection to a vulnerable device, then interact with it in a way that forces the remote server to generate an iLNK ID. Since the iLNK ID is used for direct connections, an attacker can use it to connect to arbitrary devices on the network. This issue affects all versions of RealServer from V1.0.0 to V1.0.15. RealServer versions up to and including V1.0.14 are vulnerable. RealServer versions from V1.0.15 are not vulnerable. REGS versions up to and including V1.0.14 are vulnerable. REGS versions from V1.0.15 are not vulnerable. Carefully reviewed devices that have no open ports, no access control issues, and no vulnerabilities are not affected by this issue.

Mitigation and Recommendation

There are several methods for mitigating this vulnerability. If you have one of these devices, you can disable the iLNK ID feature by setting "iLNK_SECURITY_DISABLE" to "1" in the configuration file. If you do not have one of these devices, there is no need to take any action.
If you are running a RealServer with version V1.0.15 or later, then this issue will not affect your system.
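
The version cut-off and the configuration setting above can be checked across a device inventory. The following is an added example, not vendor code: the inventory field names, the hostnames, and the `key=value` configuration syntax with `#` comments are assumptions, since the advisory does not describe the file format.

```python
import re

# Per the advisory: RealServer and REGS up to and including V1.0.14 are vulnerable.
LAST_VULNERABLE = (1, 0, 14)
AFFECTED_PRODUCTS = {"realserver", "regs"}

def parse_version(text):
    """Turn 'V1.0.14' or '1.0.14' into (1, 0, 14); raise ValueError otherwise."""
    m = re.fullmatch(r"[Vv]?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in m.groups())

def ilnk_disabled(config_text):
    """True if the config sets iLNK_SECURITY_DISABLE to 1 (assumed key=value syntax)."""
    value = None
    for line in config_text.splitlines():
        line = line.split("#", 1)[0]            # drop comments (assumed '#' syntax)
        key, sep, val = line.partition("=")
        if sep and key.strip() == "iLNK_SECURITY_DISABLE":
            value = val.strip().strip('"')      # assumption: last assignment wins
    return value == "1"

def triage(device):
    """Return 'not-affected', 'patched', 'mitigated', 'vulnerable' or 'unknown'."""
    if device["product"].lower() not in AFFECTED_PRODUCTS:
        return "not-affected"
    try:
        version = parse_version(device["version"])
    except ValueError:
        return "unknown"                        # review by hand, never assume safe
    if version > LAST_VULNERABLE:
        return "patched"
    return "mitigated" if ilnk_disabled(device.get("config", "")) else "vulnerable"

# Constructed sample inventory: hostnames and config contents are made up.
INVENTORY = [
    {"host": "dev-01", "product": "RealServer", "version": "V1.0.14", "config": "iLNK_SECURITY_DISABLE=0\n"},
    {"host": "dev-02", "product": "REGS", "version": "V1.0.9", "config": 'iLNK_SECURITY_DISABLE = "1"  # set by ops\n'},
    {"host": "dev-03", "product": "RealServer", "version": "V1.0.15", "config": ""},
    {"host": "dev-04", "product": "REGS", "version": "beta-build", "config": ""},
    {"host": "dev-05", "product": "OtherServer", "version": "V1.0.2", "config": ""},
]

def report(inventory):
    return {d["host"]: triage(d) for d in inventory}

if __name__ == "__main__":
    for host, status in report(INVENTORY).items():
        print(f"{host:8} {status}")
```

Devices reported as "unknown" have a version string the parser cannot read and should be reviewed manually.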

Mitigation Strategies - Network-Based

1. Disabling remote access.
2. Deploying a firewall to provide network-based protection.
3. Enforcing ingress rules on devices that are not vulnerable but have ports open to the public network.
4. Using a host-based IDS such as Snort or Bro to detect and block iLNK attacks before vulnerable systems can be exploited.
5. Restricting access to SSL v3 at all times, even though some clients may still use it in certain scenarios where its weaknesses are mitigated by other options such as TLS/SSL v1 and v2, or use TLS/SSL with DHE cipher suites (see RFC 5246) which offer forward secrecy and perfect forward secrecy, respectively.
6. Restricting access to HTTP on port 80 (for example, by using a firewall rule or disabling port 80).
7. Monitoring for changes in iLNK behavior from client machines that may indicate the presence of an attacker on the network and responding appropriately (e.g., restricting or removing access for IP addresses suspected of being compromised).

Vulnerability Details

To exploit the vulnerability, an attacker must be able to establish a connection to the vulnerable device. They then have to interact with it in a way that forces the remote server to generate an iLNK ID. An attacker can use this ID for direct connections, thereby enabling them to connect to arbitrary devices on the network. This vulnerability affects all versions of RealServer from V1.0.0 to V1.0.15, and is also present in RealServer versions up to and including V1.0.14 and REGS versions up to and including V1.0.14.

Steps to Take Before Deploying New Devices or Updating Existing Ones

RealServer devices that have not yet been deployed should be brought up to date. To do this, update the software on the device and then reboot it. After rebooting, run the RealServer Configuration Utility and make sure it is set to default settings. If you are deploying new devices, they should also be taken through this configuration process.

Real Folders/Shared Folders

The Real Server application used by the server to manage resources on the network uses an internal service called "real_folders", with a hard-coded password of "R6Tv3Yu". This application is vulnerable to remote code execution.
RealServer versions up to and including V1.0.14 are vulnerable.
REGS versions up to and including V1.0.14 are vulnerable.
Carefully reviewed devices that have no open ports, no access control issues, and no vulnerabilities are not affected by this issue.

Timeline

Published on: 09/26/2022 11:15:00 UTC
Last modified on: 09/29/2022 15:18:00 UTC
