Search...

Graylog2 LDAP Authentication Bypass Vulnerability

2015-02-10T00:00:00

ID GRAYLOG2_CVE_2014_9217.NASL
Type nessus
Reporter Tenable
Modified 2018-06-13T00:00:00

Description

The remote version of Graylog2 is affected by a vulnerability that allows remote attackers, using crafted wildcards, to bypass the authentication mechanisms when the installation is configured to use LDAP authentication.

                                        
                                            #
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(81259);
  script_version("1.3");
  script_cvs_date("Date: 2018/06/13 18:56:27");

  script_cve_id("CVE-2014-9217");
  script_bugtraq_id(71827);

  script_name(english:"Graylog2 LDAP Authentication Bypass Vulnerability");
  script_summary(english:"Checks the Graylog2 version.");

  script_set_attribute(attribute:"synopsis", value:"The remote host is affected by an authentication bypass vulnerability.");
  script_set_attribute(attribute:"description", value:
"The remote version of Graylog2 is affected by a vulnerability that
allows remote attackers, using crafted wildcards, to bypass the
authentication mechanisms when the installation is configured to use
LDAP authentication.");
  script_set_attribute(attribute:"see_also", value:"https://www.graylog2.org/news/post/0010-graylog2-v0-92");
  script_set_attribute(attribute:"solution", value:"Upgrade Graylog2 to version 0.92 or higher.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:ND/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2014/12/01");
  script_set_attribute(attribute:"patch_publication_date", value:"2014/12/01");
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/02/10");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:torch_gmbh:graylog2");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.");

  script_dependencies("graylog2_web_interface_detect.nbin");
  script_require_ports("Services/www", 443);
  script_require_keys("installed_sw/Graylog2");
  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("install_func.inc");

get_install_count(app_name:'Graylog2', exit_if_zero:TRUE);

port = get_http_port(default:443);

install = get_single_install(
  app_name            : 'Graylog2',
  port                : port,
  exit_if_unknown_ver : TRUE
);

version = install['version'];
item = eregmatch(pattern:"^([\d.]+)($|[^\d.])", string:version);

if(isnull(item) || isnull(item[1]))
  audit(AUDIT_NONNUMERIC_VER, 'Graylog2', port, version);

version = item[1];

if(ver_compare(ver:version, fix:'0.92.0', strict:FALSE) == -1)
{
  if(report_verbosity &gt; 0)
  {
    report = '\n  URL               : ' + build_url(port:port, qs:'/') +
             '\n  Installed version : ' + version +
             '\n  Fixed version     : 0.92.0\n';
    security_hole(port:port, extra:report);
  }
  else security_hole(port);
}
else audit(AUDIT_WEB_APP_NOT_AFFECTED, "Graylog2", build_url(port:port, qs:"/"));

JSON Vulners Source

Initial Source

{"id": "GRAYLOG2_CVE_2014_9217.NASL", "bulletinFamily": "scanner", "title": "Graylog2 LDAP Authentication Bypass Vulnerability", "description": "The remote version of Graylog2 is affected by a vulnerability that allows remote attackers, using crafted wildcards, to bypass the authentication mechanisms when the installation is configured to use LDAP authentication.", "published": "2015-02-10T00:00:00", "modified": "2018-06-13T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=81259", "reporter": "Tenable", "references": ["https://www.graylog2.org/news/post/0010-graylog2-v0-92"], "cvelist": ["CVE-2014-9217"], "type": "nessus", "lastseen": "2018-06-14T11:55:08", "history": [{"bulletin": {"bulletinFamily": "scanner", "cpe": [], "cvelist": ["CVE-2014-9217"], "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "description": "The remote version of Graylog2 is affected by a vulnerability that allows remote attackers, using crafted wildcards, to bypass the authentication mechanisms when the installation is configured to use LDAP authentication.", "edition": 1, "enchantments": {}, "hash": "a4f0efe3377af1d10652db282dd80dc0ecc1b245d12b3b14ea1c25585a04732f", "hashmap": [{"hash": "269b2b6abcbd7505b4f1e461473394f8", "key": "modified"}, {"hash": "74af15916a54bd55caca0f5a450924d6", "key": "sourceData"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "93043b33ea78299fb311d55a924d2c09", "key": "title"}, {"hash": "26769fd423968d45be7383413e2552f1", "key": "cvss"}, {"hash": "c8f44f9222a34e4420a00969afab88ee", "key": "cvelist"}, {"hash": "4f2d8b6d9d46b61f8526b40b508cda89", "key": "href"}, {"hash": "6945f1027da5b47e6679feb29aff0690", "key": "references"}, {"hash": "f0c51a92660174508a329930b5de9009", "key": "published"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "07948b8ff59e8dda0b01012f70f00327", "key": "naslFamily"}, {"hash": "b9295c1aea42509d1fca6ccf29e9e2a3", "key": "pluginID"}, {"hash": "0b1edd37f2739bd946e93a57595ce1e1", "key": "description"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=81259", "id": "GRAYLOG2_CVE_2014_9217.NASL", "lastseen": "2016-09-26T17:26:29", "modified": "2015-02-11T00:00:00", "naslFamily": "CGI abuses", "objectVersion": "1.2", "pluginID": "81259", "published": "2015-02-10T00:00:00", "references": ["https://www.graylog2.org/news/post/0010-graylog2-v0-92"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(81259);\n script_version(\"$Revision: 1.2 $\");\n script_cvs_date(\"$Date: 2015/02/11 14:11:08 $\");\n\n script_cve_id(\"CVE-2014-9217\");\n script_bugtraq_id(71827);\n script_osvdb_id(115753);\n\n script_name(english:\"Graylog2 LDAP Authentication Bypass Vulnerability\");\n script_summary(english:\"Checks the Graylog2 version.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\"The remote host is affected by an authentication bypass vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote version of Graylog2 is affected by a vulnerability that\nallows remote attackers, using crafted wildcards, to bypass the\nauthentication mechanisms when the installation is configured to use\nLDAP authentication.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.graylog2.org/news/post/0010-graylog2-v0-92\");\n script_set_attribute(attribute:\"solution\", value:\"Upgrade Graylog2 to version 0.92 or higher.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/12/01\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/12/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/02/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:torch_gmbh:graylog2\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2015 Tenable Network Security, Inc.\");\n\n script_dependencies(\"graylog2_web_interface_detect.nbin\");\n script_require_ports(\"Services/www\", 443);\n script_require_keys(\"installed_sw/Graylog2\");\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"install_func.inc\");\n\nget_install_count(app_name:'Graylog2', exit_if_zero:TRUE);\n\nport = get_http_port(default:443);\n\ninstall = get_single_install(\n app_name : 'Graylog2',\n port : port,\n exit_if_unknown_ver : TRUE\n);\n\nversion = install['version'];\nitem = eregmatch(pattern:\"^([\\d.]+)($|[^\\d.])\", string:version);\n\nif(isnull(item) || isnull(item[1]))\n audit(AUDIT_NONNUMERIC_VER, 'Graylog2', port, version);\n\nversion = item[1];\n\nif(ver_compare(ver:version, fix:'0.92.0', strict:FALSE) == -1)\n{\n if(report_verbosity > 0)\n {\n report = '\\n URL : ' + build_url(port:port, qs:'/') +\n '\\n Installed version : ' + version +\n '\\n Fixed version : 0.92.0\\n';\n security_hole(port:port, extra:report);\n }\n else security_hole(port);\n}\nelse audit(AUDIT_WEB_APP_NOT_AFFECTED, \"Graylog2\", build_url(port:port, qs:\"/\"));\n", "title": "Graylog2 LDAP Authentication Bypass Vulnerability", "type": "nessus", "viewCount": 11}, "differentElements": ["cpe"], "edition": 1, "lastseen": "2016-09-26T17:26:29"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": ["cpe:/a:torch_gmbh:graylog2"], "cvelist": ["CVE-2014-9217"], "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "description": "The remote version of Graylog2 is affected by a vulnerability that allows remote attackers, using crafted wildcards, to bypass the authentication mechanisms when the installation is configured to use LDAP authentication.", "edition": 2, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "hash": "483fd23f49cf37e0ba0e0a05b48979428f26ba4a2479efbb12326aa2cb2c0e9b", "hashmap": [{"hash": "269b2b6abcbd7505b4f1e461473394f8", "key": "modified"}, {"hash": "74af15916a54bd55caca0f5a450924d6", "key": "sourceData"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "93043b33ea78299fb311d55a924d2c09", "key": "title"}, {"hash": "26769fd423968d45be7383413e2552f1", "key": "cvss"}, {"hash": "c8f44f9222a34e4420a00969afab88ee", "key": "cvelist"}, {"hash": "4f2d8b6d9d46b61f8526b40b508cda89", "key": "href"}, {"hash": "7a3ac5ac9d0ae3ac3de7053605866d76", "key": "cpe"}, {"hash": "6945f1027da5b47e6679feb29aff0690", "key": "references"}, {"hash": "f0c51a92660174508a329930b5de9009", "key": "published"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "07948b8ff59e8dda0b01012f70f00327", "key": "naslFamily"}, {"hash": "b9295c1aea42509d1fca6ccf29e9e2a3", "key": "pluginID"}, {"hash": "0b1edd37f2739bd946e93a57595ce1e1", "key": "description"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=81259", "id": "GRAYLOG2_CVE_2014_9217.NASL", "lastseen": "2017-10-29T13:44:56", "modified": "2015-02-11T00:00:00", "naslFamily": "CGI abuses", "objectVersion": "1.3", "pluginID": "81259", "published": "2015-02-10T00:00:00", "references": ["https://www.graylog2.org/news/post/0010-graylog2-v0-92"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(81259);\n script_version(\"$Revision: 1.2 $\");\n script_cvs_date(\"$Date: 2015/02/11 14:11:08 $\");\n\n script_cve_id(\"CVE-2014-9217\");\n script_bugtraq_id(71827);\n script_osvdb_id(115753);\n\n script_name(english:\"Graylog2 LDAP Authentication Bypass Vulnerability\");\n script_summary(english:\"Checks the Graylog2 version.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\"The remote host is affected by an authentication bypass vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote version of Graylog2 is affected by a vulnerability that\nallows remote attackers, using crafted wildcards, to bypass the\nauthentication mechanisms when the installation is configured to use\nLDAP authentication.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.graylog2.org/news/post/0010-graylog2-v0-92\");\n script_set_attribute(attribute:\"solution\", value:\"Upgrade Graylog2 to version 0.92 or higher.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/12/01\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/12/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/02/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:torch_gmbh:graylog2\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2015 Tenable Network Security, Inc.\");\n\n script_dependencies(\"graylog2_web_interface_detect.nbin\");\n script_require_ports(\"Services/www\", 443);\n script_require_keys(\"installed_sw/Graylog2\");\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"install_func.inc\");\n\nget_install_count(app_name:'Graylog2', exit_if_zero:TRUE);\n\nport = get_http_port(default:443);\n\ninstall = get_single_install(\n app_name : 'Graylog2',\n port : port,\n exit_if_unknown_ver : TRUE\n);\n\nversion = install['version'];\nitem = eregmatch(pattern:\"^([\\d.]+)($|[^\\d.])\", string:version);\n\nif(isnull(item) || isnull(item[1]))\n audit(AUDIT_NONNUMERIC_VER, 'Graylog2', port, version);\n\nversion = item[1];\n\nif(ver_compare(ver:version, fix:'0.92.0', strict:FALSE) == -1)\n{\n if(report_verbosity > 0)\n {\n report = '\\n URL : ' + build_url(port:port, qs:'/') +\n '\\n Installed version : ' + version +\n '\\n Fixed version : 0.92.0\\n';\n security_hole(port:port, extra:report);\n }\n else security_hole(port);\n}\nelse audit(AUDIT_WEB_APP_NOT_AFFECTED, \"Graylog2\", build_url(port:port, qs:\"/\"));\n", "title": "Graylog2 LDAP Authentication Bypass Vulnerability", "type": "nessus", "viewCount": 16}, "differentElements": ["modified", "sourceData"], "edition": 2, "lastseen": "2017-10-29T13:44:56"}], "edition": 3, "hashmap": [{"key": "bulletinFamily", "hash": "bbdaea376f500d25f6b0c1050311dd07"}, {"key": "cpe", "hash": "7a3ac5ac9d0ae3ac3de7053605866d76"}, {"key": "cvelist", "hash": "c8f44f9222a34e4420a00969afab88ee"}, {"key": "cvss", "hash": "26769fd423968d45be7383413e2552f1"}, {"key": "description", "hash": "0b1edd37f2739bd946e93a57595ce1e1"}, {"key": "href", "hash": "4f2d8b6d9d46b61f8526b40b508cda89"}, {"key": "modified", "hash": "5299677d29a0b2004584ce465e834b3e"}, {"key": "naslFamily", "hash": "07948b8ff59e8dda0b01012f70f00327"}, {"key": "pluginID", "hash": "b9295c1aea42509d1fca6ccf29e9e2a3"}, {"key": "published", "hash": "f0c51a92660174508a329930b5de9009"}, {"key": "references", "hash": "6945f1027da5b47e6679feb29aff0690"}, {"key": "reporter", "hash": "9cf00d658b687f030ebe173a0528c567"}, {"key": "sourceData", "hash": "e16c1b3cb7a185939346359bd5886831"}, {"key": "title", "hash": "93043b33ea78299fb311d55a924d2c09"}, {"key": "type", "hash": "5e0bd03bec244039678f2b955a2595aa"}], "hash": "65355b5b74b8418df7d533b47c380d9e9b853ebd57b45e72bdbfc0066e1a080b", "viewCount": 16, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "vulnersScore": 7.5}, "objectVersion": "1.3", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(81259);\n script_version(\"1.3\");\n script_cvs_date(\"Date: 2018/06/13 18:56:27\");\n\n script_cve_id(\"CVE-2014-9217\");\n script_bugtraq_id(71827);\n\n script_name(english:\"Graylog2 LDAP Authentication Bypass Vulnerability\");\n script_summary(english:\"Checks the Graylog2 version.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\"The remote host is affected by an authentication bypass vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote version of Graylog2 is affected by a vulnerability that\nallows remote attackers, using crafted wildcards, to bypass the\nauthentication mechanisms when the installation is configured to use\nLDAP authentication.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.graylog2.org/news/post/0010-graylog2-v0-92\");\n script_set_attribute(attribute:\"solution\", value:\"Upgrade Graylog2 to version 0.92 or higher.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/12/01\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/12/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/02/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:torch_gmbh:graylog2\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"graylog2_web_interface_detect.nbin\");\n script_require_ports(\"Services/www\", 443);\n script_require_keys(\"installed_sw/Graylog2\");\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"install_func.inc\");\n\nget_install_count(app_name:'Graylog2', exit_if_zero:TRUE);\n\nport = get_http_port(default:443);\n\ninstall = get_single_install(\n app_name : 'Graylog2',\n port : port,\n exit_if_unknown_ver : TRUE\n);\n\nversion = install['version'];\nitem = eregmatch(pattern:\"^([\\d.]+)($|[^\\d.])\", string:version);\n\nif(isnull(item) || isnull(item[1]))\n audit(AUDIT_NONNUMERIC_VER, 'Graylog2', port, version);\n\nversion = item[1];\n\nif(ver_compare(ver:version, fix:'0.92.0', strict:FALSE) == -1)\n{\n if(report_verbosity > 0)\n {\n report = '\\n URL : ' + build_url(port:port, qs:'/') +\n '\\n Installed version : ' + version +\n '\\n Fixed version : 0.92.0\\n';\n security_hole(port:port, extra:report);\n }\n else security_hole(port);\n}\nelse audit(AUDIT_WEB_APP_NOT_AFFECTED, \"Graylog2\", build_url(port:port, qs:\"/\"));\n", "naslFamily": "CGI abuses", "pluginID": "81259", "cpe": ["cpe:/a:torch_gmbh:graylog2"]}

{"result": {"cve": [{"lastseen": "2017-09-08T10:27:08", "references": ["http://www.graylog2.org/news/post/0010-graylog2-v0-92", "http://seclists.org/oss-sec/2014/q4/1130", "https://exchange.xforce.ibmcloud.com/vulnerabilities/99571"], "edition": 3, "description": "Graylog2 before 0.92 allows remote attackers to bypass LDAP authentication via crafted wildcards.", "reporter": "NVD", "published": "2014-12-08T06:59:10", "title": "CVE-2014-9217", "type": "cve", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2014-9217"], "scanner": [], "cpe": ["cpe:/a:torch_gmbh:graylog2:0.91.3"], "modified": "2017-09-07T21:29:32", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9217", "id": "CVE-2014-9217", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}]}}