CVE-2014-6039
Published 2020-01-13

CVE-2014-6039: ManageEngine EventLog Analyzer version 7 through 9.9 build 9002 has a Credentials Disclosure Vulnerability. Fixed version 10 Build 10000.
Priority: P2 (70, high) · CVSS 3.1 base score 7.5
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
Exploit: public exploit available (see Exploit-DB and Metasploit entries below)
EPSS: 68.78% (99.3rd percentile)
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| zohocorp | manageengine_eventlog_analyzer | 7.0 – 9.9 (build 9002) | 10 build 10000 |
Detection & IOCs (extracted from sources)
- Detect unauthenticated GET requests to the /hostdetails servlet with slid= and hostid= parameters. This is the core CVE-2014-6039 exploitation path for credential disclosure.
- Detect unauthenticated GET requests to /agentHandler with mode=getTableData, used in the companion CVE-2014-6038 to enumerate the host IDs needed for CVE-2014-6039 exploitation.
- On EventLog Analyzer v7 deployments, exploitation paths are prefixed with /event/; monitor for /event/hostdetails and /event/agentHandler request patterns as well.
- No authentication or session token is required to exploit either vulnerability; flag any unauthenticated source accessing these servlets.
- Credentials returned from /hostdetails are XOR-encoded with 0x30 and then base64-encoded; inspect response bodies for base64 blobs that decode to XOR-0x30 obfuscated strings as a post-exploitation indicator.
- The /hostdetails servlet is only exploitable after obtaining valid hostid and slid values, which are retrieved via the companion CVE-2014-6038 agentHandler abuse; both requests will appear in sequence during a full attack chain.
- Affected versions are v7 through v9.9 build 9002; the fix was introduced in version 10 Build 10000. Confirm that patched instances report build 10000 or later.
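The detection points above, as an added example that is not from the page's sources or from the Metasploit module: it parses constructed Apache combined-format access log lines (sample traffic, not real captures), classifies requests to /hostdetails and /agentHandler with or without the v7 /event/ prefix, flags a source that hits the agentHandler enumeration and then the hostdetails servlet in sequence, and includes a decoder for the XOR-0x30 plus base64 encoding the page describes for returned passwords. The log format, the sample addresses, and the function names are assumptions made for the example.

```python
"""Detection logic for the CVE-2014-6038 / CVE-2014-6039 request pattern.

Added example (not the page's or Metasploit's code). Assumes Apache
combined-format access logs from the EventLog Analyzer web front end.
"""
import base64
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample log lines; IPs, timestamps and user agents are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Nov/2014:10:00:01 +0000] "GET /agentHandler?mode=getTableData HTTP/1.1" 200 812 "-" "python-requests/2.4"
10.0.0.5 - - [05/Nov/2014:10:00:02 +0000] "GET /hostdetails?slid=1&hostid=1 HTTP/1.1" 200 340 "-" "python-requests/2.4"
10.0.0.9 - - [05/Nov/2014:10:00:05 +0000] "GET /event/hostdetails?slid=2&hostid=3 HTTP/1.1" 200 344 "-" "curl/7.38"
10.0.0.7 - - [05/Nov/2014:10:01:00 +0000] "GET /event/index.do HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Apache combined format: ip ident user [time] "method target proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

RULE_ENUM = "CVE-2014-6038 agentHandler host enumeration"
RULE_CREDS = "CVE-2014-6039 hostdetails credential disclosure"


def classify_request(method, target):
    """Return the matching rule name for one request, or None.

    The page describes GET requests; the method is accepted as an argument
    but not filtered on, so a POST to the same servlet still matches.
    """
    parts = urlsplit(target)
    path = parts.path
    # v7 deployments serve the application under /event/ (see the IOC list).
    if path.startswith("/event/"):
        path = path[len("/event"):]
    qs = parse_qs(parts.query)
    if path == "/hostdetails" and "slid" in qs and "hostid" in qs:
        return RULE_CREDS
    if path == "/agentHandler" and "getTableData" in qs.get("mode", []):
        return RULE_ENUM
    return None


def analyze_log(text):
    """Scan log text; return (hits, chained_sources).

    hits: list of (source_ip, rule) for every matching request.
    chained_sources: set of IPs that performed the enumeration step and then
    requested /hostdetails, i.e. the full attack chain the page describes.
    """
    hits = []
    enumerated = set()
    chained = set()
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected format; skip rather than fail
        rule = classify_request(m["method"], m["target"])
        if rule is None:
            continue
        hits.append((m["ip"], rule))
        if rule == RULE_ENUM:
            enumerated.add(m["ip"])
        elif m["ip"] in enumerated:
            chained.add(m["ip"])
    return hits, chained


def decode_password(blob):
    """Undo the encoding the page describes: base64-decode, then XOR each byte with 0x30."""
    raw = base64.b64decode(blob)
    return bytes(b ^ 0x30 for b in raw).decode("utf-8", errors="replace")


def encode_password(plain):
    """Inverse of decode_password; used only to build test material."""
    return base64.b64encode(bytes(b ^ 0x30 for b in plain.encode())).decode()


if __name__ == "__main__":
    found, chains = analyze_log(SAMPLE_LOG)
    for ip, rule in found:
        print(f"{ip}: {rule}")
    print("full chain from:", sorted(chains))
    print("decoded sample:", decode_password("UVJT"))
```

The chain check is deliberately stateful per source address rather than per session, because the page notes that no session token is needed; an attacker that never authenticates has nothing else to correlate on.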
CVSS provenance
NVD v3.1: 7.5 HIGH (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
NVD v2.0: 5.0 MEDIUM (AV:N/AC:L/Au:N/C:P/I:N/A:N)
No detection rules found.
Exploit-DB
ManageEngine EventLog Analyzer - Multiple Vulnerabilities (2) (exploitdb, 2014-11-05, CVSS 7.5, CVE-2014-6039 [HIGH])
---
>> Multiple vulnerabilities in ManageEngine EventLog Analyzer
>> Discovered by Pedro Ribeiro ([email protected]), Agile Information Security
Disclosure: 05/11/2014 / Last updated: 05/11/2014
>> Background on the affected product:
"EventLog Analyzer provides the most cost-effective Security Information and Event Management (SIEM) software on the market. Using this Log Analyzer software, organizations can automate the entire process of managing terabytes of machine generated logs by collecting, analyzing, correlating, searching, reporting, and archiving from one central location. This event log analyzer software helps to monitor file integrity, conduct log forensics analysis, monitor privileged users and comply to different
Metasploit
ManageEngine Eventlog Analyzer Managed Hosts Administrator Credential Disclosure (metasploit, CVSS 7.5, CVE-2014-6038 and CVE-2014-6039 [HIGH])
ManageEngine Eventlog Analyzer from v7 to v9.9 b9002 has two security vulnerabilities that allow an unauthenticated user to obtain the superuser password of any managed Windows and AS/400 hosts. This module abuses both vulnerabilities to collect all the available usernames and passwords. First the agentHandler servlet is abused to get the hostid and slid of each device (CVE-2014-6038); then these numeric IDs are used to extract usernames and passwords by abusing the hostdetails servlet (CVE-2014-6039). Note that on version 7, the TARGETURI has to be prepended with /event.
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/128996/ManageEngine-EventLog-Analyzer-SQL-Credential-Disclosure.html
- http://seclists.org/fulldisclosure/2014/Nov/12
- http://www.securityfocus.com/bid/70960
- https://exchange.xforce.ibmcloud.com/vulnerabilities/98539