SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   NetMRI Vendors:   Infoblox
Infoblox NetMRI Lets Local Users Gain Elevated Privileges
SecurityTracker Alert ID:  1030542
SecurityTracker URL:  http://securitytracker.com/id/1030542
CVE Reference:   CVE-2014-3419   (Links to External Site)
Date:  Jul 9 2014
Impact:   Disclosure of system information, User access via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 6.4.x.x - 6.8.4.x
Description:   A vulnerability was reported in Infoblox NetMRI. A local user can obtain elevated privileges on the target system.

A local user can login to the local MySQL database using the username 'root' and password 'root'.

The Switch Port Manager, Automation Change Manager, and Security Device Controller products are also affected.

The vendor was notified on May 12, 2014.

Nate Kettlewell, Depth Security, reported this vulnerability.

Impact:   A local user can login to the MySQL database.
Solution:   The vendor has issued a fix (6.8.5) [in May 2014].
Vendor URL:  www.infoblox.com/ (Links to External Site)
Cause:   Configuration error

Message History:   None.


 Source Message Contents

Subject:  Weak Local Database Credentials in Infoblox Network Automation

Product: Network Automation

Vendor: InfoBlox
Vulnerable Version(s): 6.4.X.X-6.8.4.X
Tested Version: 6.8.2.11

Vendor Notification: May 12th, 2014 
Public Disclosure: July 9th, 2014 

Vulnerability Type: OS Command Injection [CWE-521]
CVE Reference: CVE-2014-3419
Risk Level: High 
CVSSv2 Base Score: 5.2 (AV:L/AC:L/Au:S/C:C/I:P/A:N)
Solution Status: Solution Available

Discovered and Provided: Nate Kettlewell, Depth Security ( https://www.depthsecurity.com/ )

------------------------------------------------------------------------
-----------------------

Advisory Details:

Depth Security discovered a vulnerability in the InfoBlox Network Automation Products. This attack requires OS level access which must be obtained via another method.

1) Weak password on local MySQL database: CVE-2014-3419

The vulnerability exists due to a weak password used for local MySQL access


Username: root
Password: root

Sensitive information such as SNMP community names and network device credentials are encrypted inside of the database.
------------------------------------------------------------------------
-----------------------

Solution:

The vendor has released a hotfix to remediate this vulnerability on existing installations. The flaw was corrected in the 6.8.5 release.

------------------------------------------------------------------------
-----------------------

References:

[1] Depth Security Advisory - http://blog.depthsecurity.com/2014/07/os-command-injection-in-infoblox-netmri.html  - OS Command Injection in NetMRI.
[2] NetMRI - http://www.infoblox.com/products/network-automation/netmri - NetMRI is an Enterprise Network Management Appliance.
[3] Common Weakness Enumeration (CWE) - http://cwe.mitre.org/ - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
------------------------------------------------------------------------
-----------------------
 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2020, SecurityGlobal.net LLC