Application: M/Monit 3.2.2
Author: Dolev Farhi @dolevff
Date: 13.9.2014
Relevant CVEs: CVE-2014-6409, CVE-2014-6607
Vulnerable version: <= 3.2.2

M/Monit is an easy, proactive monitoring tool for Unix systems, network and cloud services.

1. Vulnerability Description: Account hijack via cross-site request forgery (CVE-2014-6409, CVE-2014-6607)

It was found that the latest version of M/Monit is vulnerable to CSRF attacks. It is possible to reset the password of any user account (admin/user) on the system without knowing the current password of the attacked account, due to a missing password change verification mechanism.

2. Proof of concept

CSRF poc M/monit

3. Mitigation

The software vendor confirmed the issue, and a fix may be released in the future.

4. Time line:

15.9 - Found vulnerabilities
15.9 - Notified software vendor
15.9 - CVE requested
17.9 - CVEs assigned
18.9 - Vendor confirmed the security issues; a fixed release will be published in the future
19.9 - Public disclosure

Discovered by Dolev Farhi, F5 Networks
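An added illustration of the two server-side controls whose absence section 1 describes, a per-session anti-CSRF token and a current-password check, written for this advisory and not taken from M/Monit's code; the handler names, the session dict and the in-memory user store are assumptions:

```python
import hashlib
import hmac
import secrets

# Constructed, fixed salt so the sample store is deterministic; a real
# deployment would use a per-user random salt and a dedicated password KDF.
SALT = b"constructed-sample-salt"


def hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


def verify_password(users: dict, user: str, password: str) -> bool:
    return hmac.compare_digest(hash_password(password), users[user])


def new_session(user: str) -> dict:
    """Session with a random synchronizer token kept server-side and rendered
    into the legitimate form; a page on another origin cannot read it."""
    return {"user": user, "csrf_token": secrets.token_hex(32)}


def vulnerable_change_password(users: dict, session: dict, form: dict) -> bool:
    """The behaviour the advisory describes: any POST from an authenticated
    browser sets a new password with no token and no current-password check,
    so a form submitted from another site succeeds because the browser attaches
    the session cookie automatically."""
    users[session["user"]] = hash_password(form["new_password"])
    return True


def hardened_change_password(users: dict, session: dict, form: dict) -> bool:
    """Accept the change only with a valid anti-CSRF token and proof of the
    current password; both comparisons are constant-time."""
    if not hmac.compare_digest(form.get("csrf_token", ""), session["csrf_token"]):
        return False  # request did not come from the application's own form
    if not verify_password(users, session["user"], form.get("current_password", "")):
        return False  # a ridden session alone must not be enough to rotate the password
    users[session["user"]] = hash_password(form["new_password"])
    return True
```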