daloRADIUS Web Management RCE



  SonicWall Capture Labs Threat Research Team has observed the following threat:

  daloRADIUS is an advanced RADIUS web management application aimed at managing hotspots and general-purpose ISP deployments. It features user management, graphical reporting, accounting, a billing engine and integrates with GoogleMaps for geo-locating.

  A remote code execution vulnerability has been reported for daloRADIUS. The vulnerability is due to improper sanitation on user controlled input during the update configuration process.

  A remote, authenticated attacker can exploit this vulnerability by initiating a POST request to the target server. Successful exploitation could result in the execution of arbitrary commands in the security context of the daloRADIUS service on the target server.

  Vendor Homepage

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2023-0048.

  CVE Listing

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 8.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C).

  Base score is 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is low.
    • User interaction is none.
    • Scope is unchanged.
    • Impact of this vulnerability on data confidentiality is high.
    • Impact of this vulnerability on data integrity is high.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 8.3 (E:U/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is proof of concept.
    • The remediation level of this vulnerability is not defined.
    • The report confidence level of this vulnerability is confirmed.

  CVSS Calculator Metrics

Technical Overview:

  A sanitation vulnerability exists in daloRADIUS, due to insufficient validation of the post request parameter “config_mail_smtp_fromemail”. An HTTP POST request is sent to /config_mail.php with a custom parameter assigned to “config_mail_smtp_fromemail”. The variables in $_REQUEST are provided to the script via the POST input mechanisms and therefore could be modified by the remote user and cannot be trusted:


  fwrite() writes the contents of data to the file stream pointed to by $fp and $var:


  Injected Data:


  Executed Code For “config-mail.php”:


  Attacker attains RCE, modifies server configuration, and elevates permissions (read, modify, delete, and add file).

Triggering the Problem:

  • The target must have the vulnerable software installed.
  • The attacker must have network connectivity to the target server.
  • The attacker must have access to “config_mail_smtp_fromemail” variable.

Triggering Conditions:

  The attacker sends an HTTP post request with a malicious “config_mail_smtp_fromemail” parameter. The vulnerability is triggered when the server processes the request.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • HTTP
    • HTTPS

  Example Post Request:
  Example Post Response:

SonicWall’s, (IPS) Intrusion Prevention System, provides protection against this threat:

  • IPS: 18863 daloRADIUS Mail Settings RCE

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Updating to a non-vulnerable version of the product.
    • Filtering attack traffic using the signature above.
  The vendor has released the following patch regarding this vulnerability:
  Vendor Advisory

Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.