CVE-2019-5648 - OpenCVE

Authenticated, administrative access to a Barracuda Load Balancer ADC running unpatched firmware <= v6.4 allows one to edit the LDAP service configuration of the balancer and change the LDAP server to an attacker-controlled system, without having to re-enter LDAP credentials. These steps can be used by any authenticated administrative user to expose the LDAP credentials configured in the LDAP connector over the network.

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact None

AV:N/AC:L/Au:S/C:P/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Barracuda	Load Balancer Adc Load Balancer Adc Firmware

Configuration 1 [-]

AND

cpe:2.3:o:barracuda:load_balancer_adc_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:barracuda:load_balancer_adc:-:*:*:*:*:*:*:*

References

Link	Resource
https://blog.rapid7.com/2020/03/05/r7-2019-39-cve-2019-5648-ldap-credential-exposure-in-barracuda-load-balancer-adc-fixed/	Exploit Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: rapid7

Published: 2020-03-05T00:00:00

Updated: 2020-03-12T13:00:16

Reserved: 2019-01-07T00:00:00

Link: CVE-2019-5648

JSON object: View

NVD Information

Status : Analyzed

Published: 2020-03-12T13:15:12.183

Modified: 2020-03-12T16:35:27.767

Link: CVE-2019-5648

JSON object: View

Redhat Information

No data.

CWE

CWE-522

{"containers": {"cna": {"affected": [{"product": "Load Balancer ADC", "vendor": "Barracuda", "versions": [{"lessThan": "6.5", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "This issue was discovered by Steve Campbell (@lpha3ch0). It is being disclosed in accordance with Rapid7's vulnerability disclosure policy (https://www.rapid7.com/disclosure/)."}], "datePublic": "2020-03-05T00:00:00", "descriptions": [{"lang": "en", "value": "Authenticated, administrative access to a Barracuda Load Balancer ADC running unpatched firmware <= v6.4 allows one to edit the LDAP service configuration of the balancer and change the LDAP server to an attacker-controlled system, without having to re-enter LDAP credentials. These steps can be used by any authenticated administrative user to expose the LDAP credentials configured in the LDAP connector over the network."}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-522", "description": "Insufficiently Protected Credentials (CWE-522)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-03-12T13:00:16", "orgId": "9974b330-7714-4307-a722-5648477acda7", "shortName": "rapid7"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://blog.rapid7.com/2020/03/05/r7-2019-39-cve-2019-5648-ldap-credential-exposure-in-barracuda-load-balancer-adc-fixed/"}], "solutions": [{"lang": "en", "value": "Administrators should ensure that their Barracuda Load Balancer ADC is on either a 6.3.x or 6.4.x version so that the patch can be applied through Barracuda's automated security patching system. Ensure that you have not intentionally disabled the security update system. Administrators should update their Barracuda Load Balancer ADC devices to the latest firmware versions as they become available. Version 6.5 will ship with the patch for CVE-2019-5648."}], "source": {"advisory": "R7-2019-39", "discovery": "EXTERNAL"}, "title": "LDAP Credential Exposure in Barracuda Load Balancer ADC", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@rapid7.com", "DATE_PUBLIC": "2020-03-05T09:00:00.000Z", "ID": "CVE-2019-5648", "STATE": "PUBLIC", "TITLE": "LDAP Credential Exposure in Barracuda Load Balancer ADC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Load Balancer ADC", "version": {"version_data": [{"version_affected": "<", "version_value": "6.5"}]}}]}, "vendor_name": "Barracuda"}]}}, "credit": [{"lang": "eng", "value": "This issue was discovered by Steve Campbell (@lpha3ch0). It is being disclosed in accordance with Rapid7's vulnerability disclosure policy (https://www.rapid7.com/disclosure/)."}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Authenticated, administrative access to a Barracuda Load Balancer ADC running unpatched firmware <= v6.4 allows one to edit the LDAP service configuration of the balancer and change the LDAP server to an attacker-controlled system, without having to re-enter LDAP credentials. These steps can be used by any authenticated administrative user to expose the LDAP credentials configured in the LDAP connector over the network."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N", "version": "3.0"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Insufficiently Protected Credentials (CWE-522)"}]}]}, "references": {"reference_data": [{"name": "https://blog.rapid7.com/2020/03/05/r7-2019-39-cve-2019-5648-ldap-credential-exposure-in-barracuda-load-balancer-adc-fixed/", "refsource": "MISC", "url": "https://blog.rapid7.com/2020/03/05/r7-2019-39-cve-2019-5648-ldap-credential-exposure-in-barracuda-load-balancer-adc-fixed/"}]}, "solution": [{"lang": "en", "value": "Administrators should ensure that their Barracuda Load Balancer ADC is on either a 6.3.x or 6.4.x version so that the patch can be applied through Barracuda's automated security patching system. Ensure that you have not intentionally disabled the security update system. Administrators should update their Barracuda Load Balancer ADC devices to the latest firmware versions as they become available. Version 6.5 will ship with the patch for CVE-2019-5648."}], "source": {"advisory": "R7-2019-39", "discovery": "EXTERNAL"}}}}, "cveMetadata": {"assignerOrgId": "9974b330-7714-4307-a722-5648477acda7", "assignerShortName": "rapid7", "cveId": "CVE-2019-5648", "datePublished": "2020-03-05T00:00:00", "dateReserved": "2019-01-07T00:00:00", "dateUpdated": "2020-03-12T13:00:16", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:barracuda:load_balancer_adc_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "0CB3331B-F1DA-447F-8430-7D9C2F7A7AFA", "versionEndIncluding": "6.4", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:barracuda:load_balancer_adc:-:*:*:*:*:*:*:*", "matchCriteriaId": "596B4E60-9D21-4067-AB2D-930373D29CAA", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "Authenticated, administrative access to a Barracuda Load Balancer ADC running unpatched firmware <= v6.4 allows one to edit the LDAP service configuration of the balancer and change the LDAP server to an attacker-controlled system, without having to re-enter LDAP credentials. These steps can be used by any authenticated administrative user to expose the LDAP credentials configured in the LDAP connector over the network."}, {"lang": "es", "value": "Un acceso administrativo autenticado a un Barracuda Load Balancer ADC que ejecuta versiones de firmware no parcheadas anteriores a v6.4 incluy\u00e9ndola, permite editar la configuraci\u00f3n del servicio LDAP del balanceador y cambiar el servidor LDAP a un sistema controlado por el atacante, sin tener que reingresar las credenciales LDAP. Estos pasos pueden ser usados por cualquier usuario administrativo autenticado para exponer las credenciales LDAP configuradas en el conector LDAP sobre la red."}], "id": "CVE-2019-5648", "lastModified": "2020-03-12T16:35:27.767", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 5.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N", "version": "3.0"}, "exploitabilityScore": 2.3, "impactScore": 5.8, "source": "cve@rapid7.com", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-03-12T13:15:12.183", "references": [{"source": "cve@rapid7.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://blog.rapid7.com/2020/03/05/r7-2019-39-cve-2019-5648-ldap-credential-exposure-in-barracuda-load-balancer-adc-fixed/"}], "sourceIdentifier": "cve@rapid7.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-522"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-522"}], "source": "cve@rapid7.com", "type": "Secondary"}]}