CVE-2014-5377
Published 2014-09-04

CVE-2014-5377: ReadUsersFromMasterServlet in ManageEngine DeviceExpert before 5.9 build 5981 allows remote attackers to obtain user account credentials via a direct request.

Priority P3 · 55 · medium · CVSS 2.0 score 5 · vector AV:N/AC:L/Au:N/C:P/I:N/A:N

EXPLOIT

EPSS: 57.48% (99.0th percentile)
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| manageengine | device_expert | <= 5.9 | — |
Detection & IOCs (extracted from sources)
- Unauthenticated HTTP GET request to /ReadUsersFromMasterServlet on ManageEngine DeviceExpert exposes user credentials (salted MD5 hashes); no authentication or additional parameters required.
- Response body from /ReadUsersFromMasterServlet contains concatenated username, role, and salted MD5 password hash fields; monitor for successful responses to this endpoint.
- A Metasploit auxiliary module targets this vulnerability; detect scanner activity against /ReadUsersFromMasterServlet from the metasploit-framework module manageengine_deviceexpert_user_creds.
- The vulnerability affects DeviceExpert up to and including version 5.9 build 5980; versions prior to 5.9 build 5981 are vulnerable. Older versions are also likely affected.
- Passwords returned by the vulnerable endpoint are salted MD5 hashes, not plaintext; downstream cracking activity should be anticipated after credential harvesting.
No detection rules found.
Exploit-DB
ManageEngine DeviceExpert 5.9 - User Credential Disclosure (exploitdb · 2014-08-28 · CVSS 5.0 · CVE-2014-5377 [MEDIUM])
---
>> User credential disclosure in ManageEngine DeviceExpert 5.9
>> Discovered by Pedro Ribeiro ([email protected]), Agile Information Security
>> Background on the affected product:
"DeviceExpert is a web-based, multi vendor network change, configuration and compliance management (NCCCM) solution for switches, routers, firewalls and other network devices. Trusted by thousands of network administrators around the world, DeviceExpert helps automate and take total control of the entire life cycle of device configuration management."
>> Technical details:
Vulnerability: User credential disclosure / CVE-2014-5377
Constraints: no authentication or any other information needed.
Affected versions: UNFIXED as of 27/08/2014 - current
Metasploit
ManageEngine DeviceExpert User Credentials (metasploit)
This module extracts usernames and salted MD5 password hashes from ManageEngine DeviceExpert version 5.9 build 5980 and prior. This module has been tested successfully on DeviceExpert version 5.9.7 build 5970.
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/128019/ManageEngine-DeviceExpert-5.9-Credential-Disclosure.html
- http://seclists.org/fulldisclosure/2014/Aug/75
- http://seclists.org/fulldisclosure/2014/Aug/76
- http://seclists.org/fulldisclosure/2014/Aug/84
- http://www.exploit-db.com/exploits/34449
- http://www.manageengine.com/products/device-expert/release-notes.html
- http://www.securityfocus.com/archive/1/533250/100/0/threaded
- http://www.securityfocus.com/bid/69443
- https://exchange.xforce.ibmcloud.com/vulnerabilities/95562
- https://raw.githubusercontent.com/pedrib/PoC/master/me_deviceexpert-5.txt