Login Sign Up

CVE-2014-5334

9.8 CRITICAL
Authentication Bypass

📋 TL;DR

FreeNAS versions before 9.3-M3 have a default blank admin password, allowing remote attackers to gain root privileges through the WebGui login. This affects all FreeNAS installations running vulnerable versions with default configurations.

💻 Affected Systems

Products:
  • FreeNAS
Versions: All versions before 9.3-M3
Operating Systems: FreeBSD-based FreeNAS
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems where admin password was never changed from default blank.

📦 What is this software?

Freenas by Freenas

View all CVEs affecting Freenas →

Freenas by Freenas

View all CVEs affecting Freenas →

Freenas by Freenas

View all CVEs affecting Freenas →

Freenas by Freenas

View all CVEs affecting Freenas →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise with root access, allowing data theft, system destruction, or use as pivot point in network attacks.

🟠

Likely Case

Unauthorized administrative access leading to data exfiltration, configuration changes, or service disruption.

🟢

If Mitigated

No impact if password has been changed from default or system is not internet-facing.

🌐 Internet-Facing: HIGH - Direct remote exploitation possible via web interface.
🏢 Internal Only: HIGH - Internal attackers can exploit via network access.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple web login with blank password. No special tools required.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 9.3-M3 and later

Vendor Advisory: https://bugs.freenas.org/issues/5844

Restart Required: No

Instructions:

1. Update FreeNAS to version 9.3-M3 or later via System → Update. 2. Change admin password via Account → Users → Admin → Change Password.

🔧 Temporary Workarounds

Change Admin Password

all

Manually set a strong admin password to prevent blank password exploitation.

ssh into FreeNAS and run: 'passwd admin'
Or use WebGui: Account → Users → Admin → Change Password

Restrict WebGui Access

all

Limit WebGui access to trusted networks only.

Configure firewall to restrict port 80/443 to trusted IPs

🧯 If You Can't Patch

  • Immediately change admin password to strong, unique value
  • Restrict WebGui access to internal network only via firewall rules

🔍 How to Verify

Check if Vulnerable:

Attempt to login to WebGui with username 'admin' and blank password. If successful, system is vulnerable.

Check Version:

ssh to FreeNAS and run: 'freenas-version' or check WebGui System → Information

Verify Fix Applied:

Verify FreeNAS version is 9.3-M3 or later via System → Information, and confirm admin password is set.

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed login attempts followed by successful admin login
  • WebGui access from unexpected IP addresses

Network Indicators:

  • HTTP POST requests to /account/login/ with blank password field

SIEM Query:

source="freenas" (event="login" AND user="admin" AND result="success")

📊 Metadata

CVE ID: CVE-2014-5334
CVSS v3 Score: 9.8 (CRITICAL)
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-254
Published: January 8, 2018
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2014-5334, you might also want to check these:

CVE-2019-15149 9.8

CVE-2019-15149 is a typo in Mitogen's core.py that disables unidirectional-routing protection for ch...

Same vulnerability type (CWE-254)
CVE-2011-4889 9.8

This vulnerability in IBM WebSphere Application Server's Virtual Member Manager allows attackers to ...

Same vulnerability type (CWE-254)
CVE-2016-0332 9.8

IBM Security Identity Manager Virtual Appliance versions 7.0.0.0 through 7.0.1.0 have insufficient l...

Same vulnerability type (CWE-254)