CVE-2026-48692
FastNetMon Community Edition Unauthenticated gRPC API Access
Publication date: 2026-05-26
Last updated on: 2026-05-26
Assigner: MITRE
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| pavel_odintsov | fastnetmon | up to and including 1.2.9 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | (not assigned) |
AI Powered Q&A
Can you explain this vulnerability to me?
FastNetMon Community Edition through version 1.2.9 exposes a gRPC API server on TCP port 50052 with no authentication mechanism. The server is created with grpc::InsecureServerCredentials(), so the connection has no transport security and the server never establishes who is calling. None of the RPC methods, including ExecuteBan, ExecuteUnBan, GetBanlist, and GetTotalTrafficCounters, perform any credential check of their own.
Any host that can reach the port can therefore perform security-critical actions: banning arbitrary IP addresses (blackholing legitimate traffic and causing a denial of service), unbanning addresses that are under active attack (switching off the DDoS mitigation), and triggering the external notification scripts that FastNetMon runs on ban and unban events. There is also no role-based access control, so read-only monitoring calls such as GetBanlist and GetTotalTrafficCounters cannot be separated from the destructive administrative ones.
How can this vulnerability impact me?
An attacker on any network segment from which port 50052 is reachable can call ExecuteBan against arbitrary IP addresses. FastNetMon then blackholes that traffic, so legitimate users, or whole customer prefixes, lose connectivity.
The attacker can also call ExecuteUnBan against addresses that are currently under attack, disabling the mitigation while the attack is still in progress and leaving the network exposed.
Because ban and unban events trigger FastNetMon's external notification scripts, the attacker can also make those scripts run with attacker-chosen IP addresses as input, which may lead to further unauthorized actions on the host or in whatever downstream systems consume those notifications.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Confirm two things: that the host runs FastNetMon Community Edition 1.2.9 or earlier, and that its gRPC API on TCP port 50052 is reachable from somewhere other than the host itself. An open port 50052 on its own only tells you the API is enabled; what matters is which address the socket is bound to and who can reach it.
- On the FastNetMon host, list listeners together with their bind address: ss -tlnp | grep 50052 (or netstat -tlnp | grep 50052). A socket bound to 127.0.0.1 is reachable only from the host; one bound to 0.0.0.0, [::] or a LAN address is reachable from the network.
- From another host on the same segment, check reachability: nmap -p 50052 <target-ip>. If the port shows open from outside your trusted management network, the API is exposed.
- Confirm the missing authentication by calling the API with no credentials, for example with FastNetMon's own API client tool or any gRPC client built from its .proto definition; a read-only call such as GetBanlist is enough. If it returns data without any token, certificate or password being configured, the server is unauthenticated. Since versions through 1.2.9 have no authentication at all, this check is expected to succeed on every affected installation.
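The listener check above, turned into a script you can run on each FastNetMon host or feed saved ss output into. This is an added example, not FastNetMon project code; it assumes iproute2's ss column layout (State, Recv-Q, Send-Q, Local Address:Port, Peer Address:Port, Process) and the port number 50052 from the advisory. The sample ss output embedded at the bottom is constructed for offline testing, not captured from a real system.

```shell
#!/bin/sh
# Added example (not FastNetMon project code): report every TCP 50052 listener
# that is bound to something other than loopback, i.e. the FastNetMon gRPC API
# instances that other hosts can reach. Assumes iproute2 `ss -tlnp` layout.

FNM_API_PORT=50052

# exposed_grpc_listeners: stdin = `ss -tlnp` output; stdout = one line per
# exposed listener, "<bind-address> <process-name>". Loopback-only listeners
# (127.0.0.1 or [::1]) are skipped because they cannot be reached from the LAN.
exposed_grpc_listeners() {
    awk -v port="$FNM_API_PORT" '
        $1 == "LISTEN" && match($4, /:[0-9]+$/) {
            if (substr($4, RSTART + 1) != port) next
            addr = substr($4, 1, RSTART - 1)
            if (addr == "127.0.0.1" || addr == "[::1]") next
            proc = "-"
            # process name sits inside users:(("name",pid=...,fd=...))
            if (match($0, /users:\(\("[^"]+"/))
                proc = substr($0, RSTART + 9, RLENGTH - 10)
            print addr, proc
        }'
}

# check_local_host: run the check against the live socket table of this host.
# Prints the exposed listeners and returns 1 when at least one was found, so
# it can be used from a compliance or inventory job.
check_local_host() {
    found=$(ss -tlnp 2>/dev/null | exposed_grpc_listeners)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Constructed sample of `ss -tlnp` output (not captured from a real system):
# one loopback-only API socket, two wildcard API sockets, and an unrelated sshd.
SAMPLE_SS_OUTPUT='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      4096   127.0.0.1:50052     0.0.0.0:*         users:(("fastnetmon",pid=1234,fd=12))
LISTEN 0      4096   0.0.0.0:50052       0.0.0.0:*         users:(("fastnetmon",pid=1234,fd=13))
LISTEN 0      4096   [::]:50052          [::]:*            users:(("fastnetmon",pid=1234,fd=14))
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=800,fd=3))'

# Demo on the sample; on a real host run: ss -tlnp | exposed_grpc_listeners
printf '%s\n' "$SAMPLE_SS_OUTPUT" | exposed_grpc_listeners
```

On the sample the script reports the 0.0.0.0 and [::] sockets and stays silent about the 127.0.0.1 one, which is the distinction that decides whether a given host is exposed on the network or only to local users.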
What immediate steps should I take to mitigate this vulnerability?
The affected versions have no authentication to switch on, so immediate mitigation is entirely network-level:
- If you do not use the gRPC API, disable it in fastnetmon.conf (the enable_api option in Community Edition), restart FastNetMon, and confirm that nothing listens on port 50052 any more.
- If you do need it, restrict TCP port 50052 at the host firewall to the loopback interface plus an explicit allow-list of trusted management hosts, and mirror that restriction in the ACL of the upstream switch or router so a single compromised host on the segment cannot reach it. Because the server uses grpc::InsecureServerCredentials(), this network boundary is the only access control you have.
- Never expose the port through NAT, a load balancer or a VPN that also reaches untrusted networks.
- Watch FastNetMon's log and the output of your notification scripts for ban and unban events that do not correspond to detected attacks (bans of your own infrastructure, unbans while an attack is ongoing); those are the traces an attacker using this API would leave.
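The host-firewall step above, as an added example that generates an nftables ruleset for it; this is not FastNetMon project code. It assumes nftables is the host firewall, uses table and chain names (fnm_api, api_input) chosen for this example, and only allow-lists IPv4 hosts and CIDRs: IPv6 clients are dropped unless you add an equivalent ip6 saddr rule. The addresses in the usage line at the bottom are documentation addresses, not real management hosts.

```shell
#!/bin/sh
# Added example (not FastNetMon project code): generate, and optionally apply,
# an nftables ruleset that lets only the loopback interface and an explicit
# allow-list of IPv4 hosts/CIDRs reach the FastNetMon gRPC API on TCP 50052,
# and drops every other connection attempt. Table/chain names are ours.

FNM_API_PORT=50052

# build_api_ruleset TRUSTED... : print the ruleset on stdout. Fails (status 1)
# when no trusted host is given, so an empty allow-list cannot be applied by
# accident and lock out your own management station.
build_api_ruleset() {
    if [ "$#" -eq 0 ]; then
        echo "build_api_ruleset: at least one trusted IPv4 host or CIDR is required" >&2
        return 1
    fi
    trusted=$(printf '%s, ' "$@")
    trusted=${trusted%, }
    cat <<EOF
table inet fnm_api {
    chain api_input {
        type filter hook input priority 0; policy accept;
        # local tools on the box itself talk to the API over loopback
        iifname "lo" tcp dport $FNM_API_PORT accept
        # management hosts that are allowed to ban/unban
        ip saddr { $trusted } tcp dport $FNM_API_PORT accept
        # everyone else, counted so the drops are visible in 'nft list ruleset'
        tcp dport $FNM_API_PORT counter drop
    }
}
EOF
}

# apply_api_ruleset TRUSTED... : load the ruleset into the kernel (needs root).
# `nft -f -` reads the ruleset from stdin. Loading the same table twice would
# append duplicate rules, so any previous copy is deleted first.
apply_api_ruleset() {
    nft delete table inet fnm_api 2>/dev/null
    build_api_ruleset "$@" | nft -f -
}

# Print the ruleset for an example allow-list (documentation addresses only).
# To enforce it: apply_api_ruleset 192.0.2.10 198.51.100.0/24
build_api_ruleset 192.0.2.10 198.51.100.0/24
```

The drop rule is last and applies only to the API port, so the table can coexist with whatever input policy the host already has; a drop in any table on the input hook is final, so it does not matter whether your existing rules would have accepted the packet.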
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The FastNetMon gRPC API is reachable without authentication or access control, so anyone on the local network can ban arbitrary IP addresses, switch off DDoS mitigation and trigger external scripts.
From a compliance point of view this is an administrative interface with no access control and no attribution: bans and unbans cannot be tied to an authenticated identity, so an audit trail cannot show who performed them.
Frameworks such as GDPR and HIPAA require protection of the availability and integrity of systems that handle regulated data; an attacker blackholing traffic to or from those systems, or disabling their DDoS protection during an attack, undermines exactly that.
The missing access control and audit capability can therefore fall short of the access-control and incident-response requirements in those standards, and should be recorded as a finding against the affected hosts until access to port 50052 is restricted.