CVE-2014-2595
Published: 2020-02-12
Priority: P271 · critical 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public PoC available (see references)
EPSS: 16.87% (96.7th percentile)
Barracuda Web Application Firewall (WAF) 7.8.1.013 allows remote attackers to bypass authentication by leveraging a permanent authentication token obtained from a query string.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| barracuda | web_application_firewall | — | — |
Detection & IOCs (extracted from sources)
Exploit URL from the advisory: http://www.example.com/cgi-mod/index.cgi?auth_type=Local&et=99999999996&locale=en_US&password=5a2fd48b65c5d80881eeb0f738bcc6dc&primary_tab=SECURITY%20POLICIES&secondary_tab=request_limits&user=guest
- Detect authentication bypass attempts by monitoring HTTP requests to /cgi-mod/index.cgi containing a large/permanent 'et' (epoch time) parameter value such as '99999999996', which represents a non-expiring authentication token passed via the query string.
- Flag HTTP requests to /cgi-mod/index.cgi where the query string contains both 'et=99999999996' (or similarly large epoch values) and 'user=guest', indicating exploitation of the permanent token bypass.
- Monitor for the known guest-account password hash '5a2fd48b65c5d80881eeb0f738bcc6dc' appearing in query strings to /cgi-mod/index.cgi, which is characteristic of this exploit.
- The exploit URL uses 'www.example.com' as a placeholder; the actual target host will vary. Detection rules should match on the path and query parameter patterns rather than the hostname.
- The vulnerability is confirmed on version 7.8.1.013, but other versions may also be affected, so version-scoped detection may produce false negatives.
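The detection notes above combine into one rule: match the path, compare the 'et' value against the request's own timestamp, and check for 'user=guest' and the published guest hash. The following is an added example, not code from the page's sources or from Barracuda, that runs that logic over a few constructed access-log lines. It generalizes the notes slightly: rather than matching only the literal '99999999996', it treats any 'et' more than ten years past the request time as a permanent token (that ten-year slack is an assumption, tune it to your environment). The log format, sample IPs and timestamps are constructed for the example.

```python
import re
from datetime import datetime
from urllib.parse import urlsplit, parse_qs

# Path and IoCs taken from the advisory on this page.
TARGET_PATH = "/cgi-mod/index.cgi"
KNOWN_GUEST_HASH = "5a2fd48b65c5d80881eeb0f738bcc6dc"
# Assumed threshold: an 'et' value more than ten years past the request's own
# timestamp is treated as a permanent (non-expiring) token.
ET_SLACK_SECONDS = 10 * 365 * 24 * 3600

# Combined/common access-log line: client, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log lines (not real traffic): one request matching the
# advisory URL, one permanent token without user=guest, two benign requests.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Aug/2014:12:00:01 +0000] "GET /cgi-mod/index.cgi?auth_type=Local&et=99999999996&locale=en_US&password=5a2fd48b65c5d80881eeb0f738bcc6dc&primary_tab=SECURITY%20POLICIES&secondary_tab=request_limits&user=guest HTTP/1.1" 200 5123',
    '198.51.100.7 - - [10/Aug/2014:12:10:05 +0000] "GET /cgi-mod/index.cgi?auth_type=Local&et=1407672605&locale=en_US&user=admin HTTP/1.1" 200 4012',
    '192.0.2.9 - - [10/Aug/2014:12:11:00 +0000] "GET /index.html HTTP/1.1" 200 100',
    '203.0.113.5 - - [10/Aug/2014:12:12:30 +0000] "GET /cgi-mod/index.cgi?auth_type=Local&et=99999999996&locale=en_US&user=admin HTTP/1.1" 403 512',
]


def analyze_request(target, request_epoch):
    """Return the list of reasons a request target matches the CVE-2014-2595 patterns.

    An empty list means the request matched none of them."""
    parts = urlsplit(target)
    if parts.path != TARGET_PATH:
        return []
    qs = parse_qs(parts.query, keep_blank_values=True)
    reasons = []

    # 1. Non-expiring token: 'et' far beyond the time the request was made.
    permanent_token = any(
        v.isdigit() and int(v) > request_epoch + ET_SLACK_SECONDS
        for v in qs.get("et", [])
    )
    if permanent_token:
        reasons.append("non-expiring et token")

    # 2. The permanent token combined with the guest account.
    if permanent_token and "guest" in qs.get("user", []):
        reasons.append("permanent token combined with user=guest")

    # 3. The guest-account password hash published with the exploit.
    if any(h.lower() == KNOWN_GUEST_HASH for h in qs.get("password", [])):
        reasons.append("known guest password hash in query string")
    return reasons


def scan_log(lines):
    """Run analyze_request over access-log lines; return one finding per hit."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line in the expected format; skip it
        request_epoch = datetime.strptime(
            m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"
        ).timestamp()
        reasons = analyze_request(m.group("target"), request_epoch)
        if reasons:
            findings.append({
                "ip": m.group("ip"),
                "status": m.group("status"),
                "target": m.group("target"),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ip"], f["status"], "; ".join(f["reasons"]))
```

The response status is carried into each finding on purpose: a 200 on a request with all three indicators is the case to escalate, while a 403 on the same pattern still shows someone probing for the bypass and is worth a lower-severity alert. Matching on the path and parameters rather than the hostname follows the note above about the placeholder host.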
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
No detection rules found.
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/127740/Barracuda-WAF-Authentication-Bypass.html
- http://seclists.org/fulldisclosure/2014/Aug/5
- http://www.osvdb.org/109782
- https://vulners.com/securityvulns/SECURITYVULNS:DOC:31004
- https://www.exploit-db.com/exploits/39278
- https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-2595/
- https://www.securityfocus.com/bid/69028