Details of VAR-201306-0167

ID

VAR-201306-0167

CVE

CVE-2013-3384

TITLE

plural Cisco Security Runs on the appliance device AsyncOS Vulnerable to arbitrary command execution

Trust: 0.8

sources: JVNDB: JVNDB-2013-003153

DESCRIPTION

The web framework in IronPort AsyncOS on Cisco Web Security Appliance devices before 7.1.3-013, 7.5 before 7.5.0-838, and 7.7 before 7.7.0-550; Email Security Appliance devices before 7.1.5-104, 7.3 before 7.3.2-026, 7.5 before 7.5.2-203, and 7.6 before 7.6.3-019; and Content Security Management Appliance devices before 7.2.2-110, 7.7 before 7.7.0-213, and 7.8 and 7.9 before 7.9.1-102 allows remote authenticated users to execute arbitrary commands via crafted command-line input in a URL, aka Bug IDs CSCzv85726, CSCzv44633, and CSCzv24579. Vendors have confirmed this vulnerability Bug ID CSCzv85726 , CSCzv44633 ,and CSCzv24579 It is released as.By a remotely authenticated user URL An arbitrary command may be executed via a crafted command line input in the. Multiple Cisco products are prone to a remote command-injection vulnerability because they fail to properly sanitize user-supplied input. Successfully exploiting this issue may allow an attacker to execute arbitrary commands with elevated privileges in context of the affected application. This issue being tracked by Cisco bug IDs CSCzv44633, CSCzv85726, and CSCzv24579. ESA is an email security appliance. Content SMA is a set of content security management equipment. A command injection vulnerability exists in the web framework in IronPort AsyncOS

Trust: 1.98

sources: NVD: CVE-2013-3384 // JVNDB: JVNDB-2013-003153 // BID: 60805 // VULHUB: VHN-63386

AFFECTED PRODUCTS

vendor:	cisco	model:	ironport asyncos	scope:	eq	version:	7.2	Trust: 1.6
vendor:	cisco	model:	ironport asyncos	scope:	eq	version:	7.3	Trust: 1.6
vendor:	cisco	model:	ironport asyncos	scope:	eq	version:	7.6	Trust: 1.6
vendor:	cisco	model:	ironport asyncos	scope:	eq	version:	7.8	Trust: 1.6
vendor:	cisco	model:	ironport asyncos	scope:	eq	version:	7.9	Trust: 1.6
vendor:	cisco	model:	ironport asyncos	scope:	eq	version:	7.5	Trust: 1.6
vendor:	cisco	model:	ironport asyncos	scope:	eq	version:	7.7	Trust: 1.6
vendor:	cisco	model:	ironport asyncos	scope:	lte	version:	7.1.3	Trust: 1.0
vendor:	cisco	model:	asyncos	scope:	lt	version:	(*3)	Trust: 0.8
vendor:	cisco	model:	asyncos	scope:	eq	version:	7.5.2-203	Trust: 0.8
vendor:	cisco	model:	asyncos	scope:	eq	version:	7.1.5-104	Trust: 0.8
vendor:	cisco	model:	asyncos	scope:	lt	version:	7.5 (*1)	Trust: 0.8
vendor:	cisco	model:	asyncos	scope:	eq	version:	7.2.2-110	Trust: 0.8
vendor:	cisco	model:	asyncos	scope:	lt	version:	7.9 (*2)	Trust: 0.8
vendor:	cisco	model:	asyncos	scope:	eq	version:	7.5.0-838	Trust: 0.8
vendor:	cisco	model:	web security the appliance	scope:	-	version:	-	Trust: 0.8
vendor:	cisco	model:	asyncos	scope:	lt	version:	7.6 (*1)	Trust: 0.8
vendor:	cisco	model:	asyncos	scope:	eq	version:	7.1.3-013	Trust: 0.8
vendor:	cisco	model:	asyncos	scope:	lt	version:	7.5 (*3)	Trust: 0.8
vendor:	cisco	model:	asyncos	scope:	lt	version:	7.7 (*3)	Trust: 0.8
vendor:	cisco	model:	asyncos	scope:	eq	version:	7.7.0-550	Trust: 0.8
vendor:	cisco	model:	e email security the appliance	scope:	-	version:	-	Trust: 0.8
vendor:	cisco	model:	asyncos	scope:	lt	version:	7.7 (*2)	Trust: 0.8
vendor:	cisco	model:	content security management appliance	scope:	-	version:	-	Trust: 0.8
vendor:	cisco	model:	asyncos	scope:	eq	version:	7.9.1-102	Trust: 0.8
vendor:	cisco	model:	asyncos	scope:	lt	version:	(*2)	Trust: 0.8
vendor:	cisco	model:	asyncos	scope:	eq	version:	7.3.2-026	Trust: 0.8
vendor:	cisco	model:	asyncos	scope:	eq	version:	7.8 (*2)	Trust: 0.8
vendor:	cisco	model:	asyncos	scope:	eq	version:	7.6.3-019	Trust: 0.8
vendor:	cisco	model:	asyncos	scope:	lt	version:	7.3 (*1)	Trust: 0.8
vendor:	cisco	model:	asyncos	scope:	eq	version:	7.7.0-213	Trust: 0.8
vendor:	cisco	model:	asyncos	scope:	lt	version:	(*1)	Trust: 0.8
vendor:	cisco	model:	ironport asyncos	scope:	eq	version:	7.1.3	Trust: 0.6
vendor:	cisco	model:	web security appliance	scope:	eq	version:	7.5.1	Trust: 0.3
vendor:	cisco	model:	web security appliance	scope:	eq	version:	7.5	Trust: 0.3
vendor:	cisco	model:	web security appliance	scope:	eq	version:	7.1.4	Trust: 0.3
vendor:	cisco	model:	web security appliance	scope:	eq	version:	7.1.3	Trust: 0.3
vendor:	cisco	model:	web security appliance	scope:	eq	version:	7.1.2	Trust: 0.3
vendor:	cisco	model:	web security appliance	scope:	eq	version:	7.1.1	Trust: 0.3
vendor:	cisco	model:	web security appliance	scope:	eq	version:	7.1	Trust: 0.3
vendor:	cisco	model:	web security appliance	scope:	eq	version:	7.7	Trust: 0.3
vendor:	cisco	model:	email security appliance	scope:	eq	version:	7.6.2	Trust: 0.3
vendor:	cisco	model:	email security appliance	scope:	eq	version:	7.6.1	Trust: 0.3
vendor:	cisco	model:	email security appliance	scope:	eq	version:	7.6	Trust: 0.3
vendor:	cisco	model:	email security appliance	scope:	eq	version:	7.5.2	Trust: 0.3
vendor:	cisco	model:	email security appliance	scope:	eq	version:	7.5.1	Trust: 0.3
vendor:	cisco	model:	email security appliance	scope:	eq	version:	7.5	Trust: 0.3
vendor:	cisco	model:	email security appliance	scope:	eq	version:	7.3.2	Trust: 0.3
vendor:	cisco	model:	email security appliance	scope:	eq	version:	7.3.1	Trust: 0.3
vendor:	cisco	model:	email security appliance	scope:	eq	version:	7.3	Trust: 0.3
vendor:	cisco	model:	email security appliance	scope:	eq	version:	7.1.5	Trust: 0.3
vendor:	cisco	model:	email security appliance	scope:	eq	version:	7.1.4	Trust: 0.3
vendor:	cisco	model:	email security appliance	scope:	eq	version:	7.1.3	Trust: 0.3
vendor:	cisco	model:	email security appliance	scope:	eq	version:	7.1.2	Trust: 0.3
vendor:	cisco	model:	email security appliance	scope:	eq	version:	7.1.1	Trust: 0.3
vendor:	cisco	model:	email security appliance	scope:	eq	version:	7.1	Trust: 0.3
vendor:	cisco	model:	content security management appliance	scope:	eq	version:	7.9.1	Trust: 0.3
vendor:	cisco	model:	content security management appliance	scope:	eq	version:	7.9	Trust: 0.3
vendor:	cisco	model:	content security management appliance	scope:	eq	version:	7.7.1	Trust: 0.3
vendor:	cisco	model:	content security management appliance	scope:	eq	version:	7.7	Trust: 0.3
vendor:	cisco	model:	content security management appliance	scope:	eq	version:	7.2.2	Trust: 0.3
vendor:	cisco	model:	content security management appliance	scope:	eq	version:	7.2.1	Trust: 0.3
vendor:	cisco	model:	content security management appliance	scope:	eq	version:	7.2	Trust: 0.3
vendor:	cisco	model:	web security appliance	scope:	ne	version:	7.7.0-550	Trust: 0.3
vendor:	cisco	model:	email security appliance	scope:	ne	version:	7.6.3-019	Trust: 0.3
vendor:	cisco	model:	content security management appliance	scope:	ne	version:	7.9.1-102	Trust: 0.3

sources: BID: 60805 // JVNDB: JVNDB-2013-003153 // CNNVD: CNNVD-201306-502 // NVD: CVE-2013-3384

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2013-3384
value:	HIGH
Trust: 1.0
NVD:	CVE-2013-3384
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-201306-502
value:	CRITICAL
Trust: 0.6
VULHUB:	VHN-63386
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2013-3384
severity:	HIGH
baseScore:	9.0
vectorString:	AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-63386
severity:	HIGH
baseScore:	9.0
vectorString:	AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: VULHUB: VHN-63386 // JVNDB: JVNDB-2013-003153 // CNNVD: CNNVD-201306-502 // NVD: CVE-2013-3384

PROBLEMTYPE DATA

problemtype:

CWE-94

Trust: 1.9

sources: VULHUB: VHN-63386 // JVNDB: JVNDB-2013-003153 // NVD: CVE-2013-3384

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201306-502

TYPE

code injection

Trust: 0.6

sources: CNNVD: CNNVD-201306-502

CONFIGURATIONS

sources: JVNDB: JVNDB-2013-003153

PATCH

title:	29452	url:	http://tools.cisco.com/security/center/viewAMBAlert.x?alertId=29452	Trust: 0.8
title:	cisco-sa-20130626-wsa	url:	http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130626-wsa	Trust: 0.8
title:	cisco-sa-20130626-sma	url:	http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130626-sma	Trust: 0.8
title:	cisco-sa-20130626-esa	url:	http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130626-esa	Trust: 0.8
title:	29746	url:	http://tools.cisco.com/security/center/viewAlert.x?alertId=29746	Trust: 0.8
title:	cisco-sa-20130626-sma	url:	http://www.cisco.com/cisco/web/support/JP/111/1118/1118426_cisco-sa-20130626-sma-j.html	Trust: 0.8
title:	cisco-sa-20130626-wsa	url:	http://www.cisco.com/cisco/web/support/JP/111/1118/1118424_cisco-sa-20130626-wsa-j.html	Trust: 0.8
title:	cisco-sa-20130626-esa	url:	http://www.cisco.com/cisco/web/support/JP/111/1118/1118427_cisco-sa-20130626-esa-j.html	Trust: 0.8
title:	Cisco AsyncOS Fixes for code injection vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=186286	Trust: 0.6

sources: JVNDB: JVNDB-2013-003153 // CNNVD: CNNVD-201306-502

EXTERNAL IDS

db:	NVD	id:	CVE-2013-3384	Trust: 2.8
db:	BID	id:	60805	Trust: 1.0
db:	JVNDB	id:	JVNDB-2013-003153	Trust: 0.8
db:	CNNVD	id:	CNNVD-201306-502	Trust: 0.7
db:	CISCO	id:	20130626 MULTIPLE VULNERABILITIES IN CISCO EMAIL SECURITY APPLIANCE	Trust: 0.6
db:	CISCO	id:	20130626 MULTIPLE VULNERABILITIES IN CISCO WEB SECURITY APPLIANCE	Trust: 0.6
db:	CISCO	id:	20130626 MULTIPLE VULNERABILITIES IN CISCO CONTENT SECURITY MANAGEMENT APPLIANCE	Trust: 0.6
db:	SEEBUG	id:	SSVID-60868	Trust: 0.1
db:	VULHUB	id:	VHN-63386	Trust: 0.1

sources: VULHUB: VHN-63386 // BID: 60805 // JVNDB: JVNDB-2013-003153 // CNNVD: CNNVD-201306-502 // NVD: CVE-2013-3384

REFERENCES

url:	http://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20130626-sma	Trust: 1.7
url:	http://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20130626-esa	Trust: 1.7
url:	http://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20130626-wsa	Trust: 1.7
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2013-3384	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2013-3384	Trust: 0.8
url:	http://www.securityfocus.com/bid/60805	Trust: 0.6
url:	http://www.cisco.com	Trust: 0.3

sources: VULHUB: VHN-63386 // BID: 60805 // JVNDB: JVNDB-2013-003153 // CNNVD: CNNVD-201306-502 // NVD: CVE-2013-3384

CREDITS

Cisco

Trust: 0.9

sources: BID: 60805 // CNNVD: CNNVD-201306-502

SOURCES

db:	VULHUB	id:	VHN-63386
db:	BID	id:	60805
db:	JVNDB	id:	JVNDB-2013-003153
db:	CNNVD	id:	CNNVD-201306-502
db:	NVD	id:	CVE-2013-3384

LAST UPDATE DATE

2024-08-14T14:28:03.138000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-63386	date:	2018-10-30T00:00:00
db:	BID	id:	60805	date:	2013-06-26T00:00:00
db:	JVNDB	id:	JVNDB-2013-003153	date:	2013-07-01T00:00:00
db:	CNNVD	id:	CNNVD-201306-502	date:	2022-03-21T00:00:00
db:	NVD	id:	CVE-2013-3384	date:	2018-10-30T16:27:22.513

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-63386	date:	2013-06-27T00:00:00
db:	BID	id:	60805	date:	2013-06-26T00:00:00
db:	JVNDB	id:	JVNDB-2013-003153	date:	2013-07-01T00:00:00
db:	CNNVD	id:	CNNVD-201306-502	date:	2013-06-28T00:00:00
db:	NVD	id:	CVE-2013-3384	date:	2013-06-27T21:55:07.023