CVE-2014-3418
published 2014-07-15CVE-2014-3418: config/userAdmin/login.tdf in Infoblox NetMRI before 6.8.5 allows remote attackers to execute arbitrary commands via shell metacharacters in the…
PriorityP269critical10CVSS 2.0
AVNACLAuNCCICAC
EXPLOIT
EPSS
7.17%
93.5th percentile
config/userAdmin/login.tdf in Infoblox NetMRI before 6.8.5 allows remote attackers to execute arbitrary commands via shell metacharacters in the skipjackUsername parameter.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| infoblox | netmri | <= 6.8.4 | — |
| infoblox | netmri | — | — |
| infoblox | netmri | — | — |
| infoblox | netmri | — | — |
| infoblox | netmri | — | — |
| infoblox | netmri | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →Monitor HTTP POST requests to the path 'netmri/config/userAdmin/login.tdf' for shell metacharacters (backticks, semicolons, pipes, etc.) in the 'skipjackUsername' parameter, which indicates exploitation of this unauthenticated OS command injection. ↗
- →The exploit uses multipart/form-data Content-Type; inspect POST body for the 'skipjackUsername' field containing backtick-wrapped OS commands (e.g., `ping`, `wget`, `curl`) as a key injection pattern. ↗
- →This attack requires no authentication; any POST to the login endpoint with shell metacharacters in skipjackUsername should be treated as a high-severity exploitation attempt. ↗
- →A public Metasploit module exists for this CVE at https://github.com/depthsecurity/NetMRI-2014-3418; correlate IDS/WAF alerts with known Metasploit user-agent strings or request patterns when investigating hits on this endpoint. ↗
- ·Affected versions span a wide range (6.4.X.X through 6.8.4.X); ensure version fingerprinting covers this full range when scanning for vulnerable Infoblox NetMRI/Switch Port Manager/Automation Change Manager/Security Device Controller appliances. ↗
- ·The vulnerability is present across multiple licensed product names on the same platform; detection rules should not be scoped only to 'NetMRI' but also to Switch Port Manager, Automation Change Manager, and Security Device Controller. ↗
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
http://blog.depthsecurity.com/2014/07/os-command-injection-in-infoblox-netmri.htmlhttp://seclists.org/fulldisclosure/2014/Jul/35http://www.exploit-db.com/exploits/34030http://www.securityfocus.com/archive/1/532709/100/0/threadedhttp://www.securityfocus.com/bid/68471https://exchange.xforce.ibmcloud.com/vulnerabilities/94449https://github.com/depthsecurity/NetMRI-2014-3418http://blog.depthsecurity.com/2014/07/os-command-injection-in-infoblox-netmri.htmlhttp://seclists.org/fulldisclosure/2014/Jul/35http://www.exploit-db.com/exploits/34030http://www.securityfocus.com/archive/1/532709/100/0/threadedhttp://www.securityfocus.com/bid/68471https://exchange.xforce.ibmcloud.com/vulnerabilities/94449https://github.com/depthsecurity/NetMRI-2014-3418
2014-07-15
Published