Details of VAR-201208-0124

ID

VAR-201208-0124

CVE

CVE-2012-2498

TITLE

Cisco AnyConnect Secure Mobility Client Vulnerable to server impersonation

Trust: 0.8

sources: JVNDB: JVNDB-2012-003465

DESCRIPTION

Cisco AnyConnect Secure Mobility Client 3.0 through 3.0.08066 does not ensure that authentication makes use of a legitimate certificate, which allows user-assisted man-in-the-middle attackers to spoof servers via a crafted certificate, aka Bug ID CSCtz29197

Trust: 1.98

sources: NVD: CVE-2012-2498 // JVNDB: JVNDB-2012-003465 // BID: 54847 // VULHUB: VHN-55779

AFFECTED PRODUCTS

vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	3.0	Trust: 1.9
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	3.0.08057	Trust: 1.6
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	3.0.08066	Trust: 1.6
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	3.0.0629	Trust: 1.6
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	3.0.07059	Trust: 1.6
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	3.0 to 3.0.08066	Trust: 0.8

sources: BID: 54847 // JVNDB: JVNDB-2012-003465 // CNNVD: CNNVD-201208-033 // NVD: CVE-2012-2498

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2012-2498
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2012-2498
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-201208-033
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-55779
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2012-2498
severity:	MEDIUM
baseScore:	4.0
vectorString:	AV:N/AC:H/AU:N/C:P/I:P/A:N
accessVector:	NETWORK
accessComplexity:	HIGH
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	4.9
impactScore:	4.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-55779
severity:	MEDIUM
baseScore:	4.0
vectorString:	AV:N/AC:H/AU:N/C:P/I:P/A:N
accessVector:	NETWORK
accessComplexity:	HIGH
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	4.9
impactScore:	4.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: VULHUB: VHN-55779 // JVNDB: JVNDB-2012-003465 // CNNVD: CNNVD-201208-033 // NVD: CVE-2012-2498

PROBLEMTYPE DATA

problemtype:

CWE-287

Trust: 1.9

sources: VULHUB: VHN-55779 // JVNDB: JVNDB-2012-003465 // NVD: CVE-2012-2498

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201208-033

TYPE

authorization issue

Trust: 0.6

sources: CNNVD: CNNVD-201208-033

CONFIGURATIONS

sources: JVNDB: JVNDB-2012-003465

PATCH

title:

Release Notes for Cisco AnyConnect Secure Mobility Client, Release 3.0

url:

http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect30/release/notes/anyconnect30rn.html

Trust: 0.8

sources: JVNDB: JVNDB-2012-003465

EXTERNAL IDS

db:	NVD	id:	CVE-2012-2498	Trust: 2.8
db:	JVNDB	id:	JVNDB-2012-003465	Trust: 0.8
db:	CNNVD	id:	CNNVD-201208-033	Trust: 0.7
db:	NSFOCUS	id:	20259	Trust: 0.6
db:	BID	id:	54847	Trust: 0.4
db:	VULHUB	id:	VHN-55779	Trust: 0.1

sources: VULHUB: VHN-55779 // BID: 54847 // JVNDB: JVNDB-2012-003465 // CNNVD: CNNVD-201208-033 // NVD: CVE-2012-2498

REFERENCES

url:	http://www.cisco.com/en/us/docs/security/vpn_client/anyconnect/anyconnect30/release/notes/anyconnect30rn.html	Trust: 1.7
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2012-2498	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2012-2498	Trust: 0.8
url:	http://www.nsfocus.net/vulndb/20259	Trust: 0.6
url:	http://www.cisco.com/	Trust: 0.3

sources: VULHUB: VHN-55779 // BID: 54847 // JVNDB: JVNDB-2012-003465 // CNNVD: CNNVD-201208-033 // NVD: CVE-2012-2498

CREDITS

Vendor reported the issue.

Trust: 0.3

sources: BID: 54847

SOURCES

db:	VULHUB	id:	VHN-55779
db:	BID	id:	54847
db:	JVNDB	id:	JVNDB-2012-003465
db:	CNNVD	id:	CNNVD-201208-033
db:	NVD	id:	CVE-2012-2498

LAST UPDATE DATE

2024-11-23T23:02:54.257000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-55779	date:	2012-08-07T00:00:00
db:	BID	id:	54847	date:	2012-08-07T00:00:00
db:	JVNDB	id:	JVNDB-2012-003465	date:	2012-08-08T00:00:00
db:	CNNVD	id:	CNNVD-201208-033	date:	2012-08-07T00:00:00
db:	NVD	id:	CVE-2012-2498	date:	2024-11-21T01:39:09.370

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-55779	date:	2012-08-06T00:00:00
db:	BID	id:	54847	date:	2012-08-07T00:00:00
db:	JVNDB	id:	JVNDB-2012-003465	date:	2012-08-08T00:00:00
db:	CNNVD	id:	CNNVD-201208-033	date:	2012-08-07T00:00:00
db:	NVD	id:	CVE-2012-2498	date:	2012-08-06T17:55:01.103