A vulnerability was found in M and Monit up to 3.3.2. It has been declared as critical. This vulnerability affects some unknown processing of the component Privileges. The manipulation with an unknown input leads to a credentials management vulnerability. The CWE definition for the vulnerability is CWE-255. As an impact it is known to affect confidentiality, integrity, and availability. CVE summarizes:

M/Monit 3.3.2 and earlier does not verify the original password before changing passwords, which allows remote attackers to change the password of other users and gain privileges via the fullname and password parameters, a different vulnerability than CVE-2014-6409.

The weakness was shared 10/06/2014 (Website). The advisory is available at exploit-db.com. This vulnerability was named CVE-2014-6607 since 09/18/2014. The exploitation appears to be easy. The attack can be initiated remotely. No form of authentication is required for a successful exploitation. Technical details are unknown but a public exploit is available. This vulnerability is assigned to T1552 by the MITRE ATT&CK project.

A public exploit has been developed by Dolev Farhi and been published even before and not after the advisory. It is possible to download the exploit at exploit-db.com. It is declared as proof-of-concept. The vulnerability was handled as a non-public zero-day exploit for at least 16 days. During that time the estimated underground price was around $0-$5k.

There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.

The vulnerability is also documented in the vulnerability database at Exploit-DB (34718). The entry 71853 is related to this item.

Productinfo

Name

• M
• Monit

Version

• 3.3.0
• 3.3.1
• 3.3.2

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion