CVE-2020-14070
📋 TL;DR
CVE-2020-14070 is an authentication bypass vulnerability in MK-AUTH 19.01 web login functionality that allows attackers to gain administrative access using guessable credentials. This affects all systems running the vulnerable MK-AUTH version with web login enabled. Attackers can completely compromise the authentication system.
💻 Affected Systems
- MK-AUTH
📦 What is this software?
Mk Auth by Mk Auth
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with administrative privileges, allowing data theft, configuration changes, and potential lateral movement to connected systems.
Likely Case
Unauthorized administrative access leading to configuration changes, user data exposure, and potential service disruption.
If Mitigated
Limited impact with proper network segmentation and monitoring, though authentication bypass still possible.
🎯 Exploit Status
Exploitation requires guessing credentials, but the vulnerability makes credentials easily guessable. Public proof-of-concept exists in GitHub gists.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 19.01 (check vendor changelog)
Vendor Advisory: http://mk-auth.com.br/page/changelog-1
Restart Required: Yes
Instructions:
1. Back up the current configuration.
2. Download the latest version from the vendor.
3. Replace the vulnerable files.
4. Restart the MK-AUTH service.
5. Verify that authentication works properly.
🔧 Temporary Workarounds
Restrict Access to Login Endpoint
Block or restrict access to the vulnerable admin/executar_login.php endpoint using firewall rules or web server configuration. Note that denying the endpoint outright also locks out legitimate administrators, so pair it with a trusted-source allow rule where admin access is still needed.

```apache
# Apache (mod_rewrite must be enabled; in server context prefix the pattern with "/")
RewriteEngine On
RewriteRule ^admin/executar_login\.php$ - [F,L]
```

```nginx
# Nginx: return 403 for the login handler
location ~ ^/admin/executar_login\.php$ { deny all; }
```
Implement Strong Authentication Controls
Add additional authentication layers such as IP whitelisting, multi-factor authentication, or web application firewall rules.

```bash
# IP whitelisting example: allow HTTP only from the management subnet, drop everything else.
# Replace 192.168.1.0/24 with your own trusted range; add an equivalent pair for port 443
# if MK-AUTH is served over HTTPS. These rules are not persistent across reboots unless saved.
iptables -A INPUT -p tcp --dport 80 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
```
🧯 If You Can't Patch
- Implement network segmentation to isolate MK-AUTH system from critical infrastructure
- Enable detailed logging and monitoring for authentication attempts and admin access patterns
🔍 How to Verify
Check if Vulnerable:
Check if MK-AUTH version is 19.01 and test login with known weak credentials or attempt authentication bypass at admin/executar_login.php endpoint.
Check Version:
Check MK-AUTH configuration files or web interface for version information, typically in admin panel or configuration files.
Verify Fix Applied:
Test authentication with various credential combinations and verify proper authentication controls are in place. Check version is updated beyond 19.01.
📡 Detection & Monitoring
Log Indicators:
- Multiple failed login attempts followed by successful admin access
- Authentication bypass patterns in web server logs
- Admin access from unusual IP addresses or user agents
Network Indicators:
- Unusual traffic patterns to admin/executar_login.php endpoint
- Authentication requests with guessable credentials
SIEM Query:
```
source="web_server" AND (uri="/admin/executar_login.php" OR uri="*/executar_login.php") AND (status=200 OR status=302) AND NOT (user_agent="legitimate_bot")
```
This query returns every request to the login handler that produced a page or a redirect, which includes legitimate logins; narrow it by source IP, request rate, or a failed-then-successful sequence per client before alerting on it.