Executive Summary

This vulnerability in M/Monit 3.7.4 allows authenticated attackers to retrieve user password hashes by exploiting an administrative API endpoint. Specifically, attackers can send requests to the /api/1/admin/users/list and /api/1/admin/users/get endpoints to extract MD5 password hashes for all users.

Useful 0 Not Useful 0

Impact Analysis

The vulnerability can lead to unauthorized disclosure of user password hashes, which could allow attackers to attempt to crack these hashes and gain unauthorized access to user accounts. This compromises user credential confidentiality and potentially leads to further unauthorized access within the system.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking if unauthorized or authenticated users can access the administrative API endpoints /api/1/admin/users/list and /api/1/admin/users/get to retrieve user password hashes. You can test this by sending authenticated HTTP requests to these endpoints and observing if MD5 password hashes are returned. For example, using curl commands with valid credentials: curl -u username:password https://<mmonit-server>/api/1/admin/users/list curl -u username:password https://<mmonit-server>/api/1/admin/users/get

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include restricting access to the administrative API endpoints /api/1/admin/users/list and /api/1/admin/users/get to only trusted and necessary users, ensuring strong authentication and authorization controls are in place, and monitoring API access logs for suspicious activity. Additionally, consider updating or patching M/Monit to a version where this vulnerability is fixed if available.

Useful 0 Not Useful 0