CVE-2011-4069

9.8 CRITICAL

📋 TL;DR

CVE-2011-4069 is an LDAP injection vulnerability in PacketFence's admin login page that allows remote attackers to bypass authentication by crafting malicious usernames. This affects PacketFence network access control systems running versions before 3.0.2. Attackers can gain unauthorized administrative access without valid credentials.

💻 Affected Systems

Products:
  • PacketFence
Versions: All versions before 3.0.2
Operating Systems: Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the default admin login interface at html/admin/login.php

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the PacketFence system, allowing attackers to modify network access policies, create backdoor accounts, and potentially pivot to other network systems.

🟠 Likely Case

Unauthorized administrative access leading to modification of network access controls, user account manipulation, and potential data exfiltration.

🟢 If Mitigated

Limited impact with proper network segmentation and monitoring, though authentication bypass remains possible.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple LDAP injection requiring only web access to the admin login page

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.0.2 and later

Vendor Advisory: https://packetfence.org/bugs/changelog_page.php?version_id=35

Restart Required: Yes

Instructions:

1. Back up the current configuration.
2. Upgrade to PacketFence 3.0.2 or later.
3. Restart the PacketFence services.
4. Verify that admin login works as expected.

🔧 Temporary Workarounds

Restrict Admin Interface Access

Platform: linux

Limit access to the admin login page using firewall rules or web server configuration. In the rules below, trusted_ip is a placeholder for the address or network of the administrators' hosts; the ACCEPT rule must be inserted ahead of the DROP rule, and a lockout from the admin interface is the expected effect for every other source.

iptables -A INPUT -p tcp --dport 443 -s trusted_ip -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j DROP

Implement Web Application Firewall

Platform: all

Deploy WAF rules to block LDAP injection patterns in login requests

🧯 If You Can't Patch

  • Implement network segmentation to isolate PacketFence admin interface from untrusted networks
  • Enable detailed logging and monitoring for authentication attempts and LDAP queries

🔍 How to Verify

Check if Vulnerable:

Check the PacketFence version with cat /usr/local/pf/VERSION, or open the admin interface and read the version shown in the footer. Any version before 3.0.2 is vulnerable.

Check Version:

cat /usr/local/pf/VERSION

Verify Fix Applied:

Confirm that the version is 3.0.2 or later, then confirm that the admin login rejects usernames containing LDAP filter characters (for example the ")(", "|" and "&" patterns listed under Detection & Monitoring) instead of granting a session.

📡 Detection & Monitoring

Log Indicators:

  • Unusual LDAP query patterns in authentication logs
  • Multiple failed login attempts followed by successful login with unusual username patterns
  • Admin login from unexpected IP addresses

Network Indicators:

  • HTTP POST requests to /admin/login.php with special characters in username parameter
  • Unusual LDAP traffic patterns following admin login attempts

SIEM Query:

source="packetfence" AND (uri_path="/admin/login.php" AND (username="*)(*" OR username="*|*" OR username="*&*"))
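As an added illustration of the log indicators above (not part of the original advisory), the following Python scans login-attempt log lines for usernames that carry LDAP filter metacharacters, URL-decoding them first so percent-encoded attempts are not missed. The key=value log format, timestamps and client addresses are constructed assumptions, not PacketFence's real log format.

```python
import re
from urllib.parse import unquote_plus

# Metacharacters of LDAP search filters (RFC 4515). A legitimate admin login
# name never needs them; their presence in the username field is the signal
# the SIEM query on this page looks for.
LDAP_FILTER_META = set("()|&*\\")

# Constructed application-log format for this example (assumption, not the
# product's own): one line per login attempt, key=value fields, URL-encoded values.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) uri=(?P<uri>\S+) "
    r"username=(?P<username>\S*) result=(?P<result>\w+)$"
)


def suspicious_chars(username: str) -> str:
    """Return the LDAP metacharacters present in a URL-encoded username, sorted,
    or '' if the decoded name contains none."""
    decoded = unquote_plus(username)
    return "".join(sorted({c for c in decoded if c in LDAP_FILTER_META}))


def scan_login_log(lines):
    """Return one alert dict per admin login attempt whose username carries
    LDAP filter metacharacters; attempts against other URIs are ignored."""
    alerts = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m or not m.group("uri").endswith("/admin/login.php"):
            continue
        found = suspicious_chars(m.group("username"))
        if found:
            alerts.append({
                "ts": m.group("ts"),
                "client": m.group("client"),
                "username": unquote_plus(m.group("username")),
                "metachars": found,
                "result": m.group("result"),
            })
    return alerts


# Constructed sample log lines (addresses are documentation ranges, not real hosts).
SAMPLE_LOG = [
    "2011-11-01T10:00:00Z client=10.0.0.5 uri=/admin/login.php username=admin result=success",
    "2011-11-01T10:02:13Z client=203.0.113.7 uri=/admin/login.php username=admin%2A%29%28 result=success",
    "2011-11-01T10:02:20Z client=203.0.113.7 uri=/admin/login.php username=x%7C%28cn%3D%2A result=failure",
    "2011-11-01T10:03:00Z client=10.0.0.9 uri=/captive-portal/index.php username=guest%2A result=failure",
    "2011-11-01T10:05:00Z client=10.0.0.5 uri=/admin/login.php username=o%27brien result=success",
]

if __name__ == "__main__":
    for alert in scan_login_log(SAMPLE_LOG):
        print(alert)
```

A successful login paired with metacharacters in the username (the second sample line) is the combination worth paging on; failures alone are noisier but still worth keeping for correlation with later successes from the same client.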
