CVE-2020-15688
Published 2020-07-23
Priority: P267 · Severity: high · CVSS 3.1 base score: 8.8
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Exploit: public PoC published
EPSS: 4.04% (89.3rd percentile)
The HTTP Digest Authentication in the GoAhead web server before 5.1.2 does not completely protect against replay attacks. This allows an unauthenticated remote attacker to bypass authentication via capture-replay if TLS is not used to protect the underlying communication channel.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| embedthis | goahead | < 5.1.2 | 5.1.2 |
Detection & IOCs (extracted from sources)
Indicator (other): `Digest username="admin", realm="GoAhead", nonce="5fb3ce6dec423bf8b8f0dfc8cf65244d", uri="/goform/formUserManagementAdd?lang=en", algorithm=MD5, response="1c05f4d08aa0cfcc5318882e0fb4e9af", opaque="5ccc069c403ebaf9f0171e9517f40e41", qop=auth, nc=0000000a, cnonce="0649f631320f23bb"`
- Alert on HTTP POST requests to /goform/formUserManagementAdd containing a Digest Authorization header, especially when originating from unauthenticated or unexpected sources, as this endpoint is targeted to create rogue admin accounts.
- Flag HTTP requests with the User-Agent string 'NoProxy/NoProblem.251', as this is the custom UA used in the published PoC exploit for CVE-2020-15688.
- The vulnerability only applies when TLS is NOT used to protect the communication channel. Deployments using HTTPS are not susceptible to capture-replay via network interception.
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
GHSA
GHSA-6r2c-458p-644h: GoAhead before 5
ghsa_unreviewed · 2022-05-24 · CVE-2020-15688 · [MEDIUM] · CWE-294
GoAhead before 5.1.2 mishandles the nonce value during Digest authentication. This may permit request replay attacks for local requests over HTTP.
CISA ICS
[HIGH] Hitachi Energy MSM
cisa_ics · 2023-05-09 · CVSS 8.8
ICS Advisory: Hitachi Energy MSM
Release Date: May 09, 2023
Alert Code: ICSA-23-129-02
## 1. EXECUTIVE SUMMARY
- CVSS v3 9.8
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Hitachi Energy
- Equipment: Modular Switchgear Monitoring (MSM)
- Vulnerabilities: Improper Restriction of Excessive Authentication Attempts, Authentication Bypass by Capture-replay, Code Injection, Improper Restriction of Operations within the Bounds of a Memory Buffer, NULL Pointer Dereference, Insufficient Entropy
## 2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to obtain user access credentials of the MSM web interface or cause a denial-of-service condition.
## 3. TECHNICAL DETAILS
## 3.1 AFFECTED PRODUCTS
The following
No detection rules found.
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/159505/EmbedThis-GoAhead-Web-Server-5.1.1-Digest-Authentication-Capture-Replay-Nonce-Reuse.html
- https://github.com/embedthis/goahead-gpl/issues/3
Published: 2020-07-23