Details of VAR-201401-0353

ID

VAR-201401-0353

CVE

CVE-2014-0648

TITLE

Cisco Secure Access Control System of RMI Vulnerabilities that can gain administrative access in the interface

Trust: 0.8

sources: JVNDB: JVNDB-2014-001189

DESCRIPTION

The RMI interface in Cisco Secure Access Control System (ACS) 5.x before 5.5 does not properly enforce authentication and authorization requirements, which allows remote attackers to obtain administrative access via a request to this interface, aka Bug ID CSCud75187. An attacker can exploit this issue to gain unauthorized user access to an affected application. Successful exploits will result in the complete compromise of an affected device. This issue is tracked by Cisco Bug ID CSCud75187. The system can respectively control network access and network device access through RADIUS and TACACS protocols. The vulnerability comes from the fact that the program does not perform authentication and authorization operations correctly

Trust: 2.52

sources: NVD: CVE-2014-0648 // JVNDB: JVNDB-2014-001189 // CNVD: CNVD-2014-00417 // BID: 64962 // VULHUB: VHN-68141

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2014-00417

AFFECTED PRODUCTS

vendor:	cisco	model:	secure access control system	scope:	eq	version:	5.1.0.44.1	Trust: 1.6
vendor:	cisco	model:	secure access control system	scope:	eq	version:	5.1.0.44.5	Trust: 1.6
vendor:	cisco	model:	secure access control system	scope:	eq	version:	5.1.0.44.3	Trust: 1.6
vendor:	cisco	model:	secure access control system	scope:	eq	version:	5.2.0.26.1	Trust: 1.6
vendor:	cisco	model:	secure access control system	scope:	eq	version:	5.2.0.26.2	Trust: 1.6
vendor:	cisco	model:	secure access control system	scope:	eq	version:	5.1.0.44.2	Trust: 1.6
vendor:	cisco	model:	secure access control system	scope:	eq	version:	5.2.0.26	Trust: 1.6
vendor:	cisco	model:	secure access control system	scope:	eq	version:	5.1	Trust: 1.6
vendor:	cisco	model:	secure access control system	scope:	eq	version:	5.2	Trust: 1.6
vendor:	cisco	model:	secure access control system	scope:	eq	version:	5.1.0.44.4	Trust: 1.6
vendor:	cisco	model:	secure access control system	scope:	eq	version:	5.4.0.46.2	Trust: 1.0
vendor:	cisco	model:	secure access control system	scope:	eq	version:	5.1.0.44	Trust: 1.0
vendor:	cisco	model:	secure access control system	scope:	eq	version:	5.3.0.40.1	Trust: 1.0
vendor:	cisco	model:	secure access control system	scope:	eq	version:	5.3.0.40.6	Trust: 1.0
vendor:	cisco	model:	secure access control system	scope:	lte	version:	5.4.0.46.6	Trust: 1.0
vendor:	cisco	model:	secure access control system	scope:	eq	version:	5.3.0.40.8	Trust: 1.0
vendor:	cisco	model:	secure access control system	scope:	eq	version:	5.3.0.40.4	Trust: 1.0
vendor:	cisco	model:	secure access control system	scope:	eq	version:	5.4.0.46.5	Trust: 1.0
vendor:	cisco	model:	secure access control system	scope:	eq	version:	5.3.0.40.5	Trust: 1.0
vendor:	cisco	model:	secure access control system	scope:	eq	version:	5.4.0.46.3	Trust: 1.0
vendor:	cisco	model:	secure access control system	scope:	eq	version:	5.3.0.40.3	Trust: 1.0
vendor:	cisco	model:	secure access control system	scope:	eq	version:	5.4.0.46.1	Trust: 1.0
vendor:	cisco	model:	secure access control system	scope:	eq	version:	5.4.0.46.4	Trust: 1.0
vendor:	cisco	model:	secure access control system	scope:	eq	version:	5.3.0.40.9	Trust: 1.0
vendor:	cisco	model:	secure access control system	scope:	eq	version:	5.3.0.40.2	Trust: 1.0
vendor:	cisco	model:	secure access control system	scope:	eq	version:	5.3.0.40.7	Trust: 1.0
vendor:	cisco	model:	secure access control system software	scope:	eq	version:	5.5	Trust: 0.8
vendor:	cisco	model:	secure access control system software	scope:	lt	version:	5.x	Trust: 0.8
vendor:	cisco	model:	secure access control system	scope:	eq	version:	5.0-5.4	Trust: 0.6

sources: CNVD: CNVD-2014-00417 // JVNDB: JVNDB-2014-001189 // CNNVD: CNNVD-201401-348 // NVD: CVE-2014-0648

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2014-0648
value:	HIGH
Trust: 1.0
NVD:	CVE-2014-0648
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2014-00417
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-201401-348
value:	CRITICAL
Trust: 0.6
VULHUB:	VHN-68141
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2014-0648
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2014-00417
severity:	HIGH
baseScore:	7.6
vectorString:	AV:N/AC:H/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	HIGH
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	4.9
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
VULHUB:	VHN-68141
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: CNVD: CNVD-2014-00417 // VULHUB: VHN-68141 // JVNDB: JVNDB-2014-001189 // CNNVD: CNNVD-201401-348 // NVD: CVE-2014-0648

PROBLEMTYPE DATA

problemtype:

CWE-264

Trust: 1.9

sources: VULHUB: VHN-68141 // JVNDB: JVNDB-2014-001189 // NVD: CVE-2014-0648

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201401-348

TYPE

permissions and access control

Trust: 0.6

sources: CNNVD: CNNVD-201401-348

CONFIGURATIONS

sources: JVNDB: JVNDB-2014-001189

PATCH

title:	32120	url:	http://tools.cisco.com/security/center/viewAMBAlert.x?alertId=32120	Trust: 0.8
title:	cisco-sa-20140115-csacs	url:	http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140115-csacs	Trust: 0.8
title:	32379	url:	http://tools.cisco.com/security/center/viewAlert.x?alertId=32379	Trust: 0.8
title:	cisco-sa-20140115-csacs	url:	http://www.cisco.com/cisco/web/support/JP/112/1121/1121707_cisco-sa-20140115-csacs-j.html	Trust: 0.8
title:	Cisco Secure Access Control System RMI Interface does not verify patches for access vulnerabilities	url:	https://www.cnvd.org.cn/patchInfo/show/42560	Trust: 0.6

sources: CNVD: CNVD-2014-00417 // JVNDB: JVNDB-2014-001189

EXTERNAL IDS

db:	NVD	id:	CVE-2014-0648	Trust: 3.4
db:	BID	id:	64962	Trust: 2.0
db:	SECUNIA	id:	56213	Trust: 1.7
db:	SECTRACK	id:	1029634	Trust: 1.1
db:	OSVDB	id:	102117	Trust: 1.1
db:	JVNDB	id:	JVNDB-2014-001189	Trust: 0.8
db:	CNNVD	id:	CNNVD-201401-348	Trust: 0.7
db:	CNVD	id:	CNVD-2014-00417	Trust: 0.6
db:	CISCO	id:	20140115 MULTIPLE VULNERABILITIES IN CISCO SECURE ACCESS CONTROL SYSTEM	Trust: 0.6
db:	VULHUB	id:	VHN-68141	Trust: 0.1

sources: CNVD: CNVD-2014-00417 // VULHUB: VHN-68141 // BID: 64962 // JVNDB: JVNDB-2014-001189 // CNNVD: CNNVD-201401-348 // NVD: CVE-2014-0648

REFERENCES

url:	http://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20140115-csacs	Trust: 2.3
url:	http://secunia.com/advisories/56213	Trust: 1.7
url:	http://www.securityfocus.com/bid/64962	Trust: 1.1
url:	http://tools.cisco.com/security/center/viewalert.x?alertid=32379	Trust: 1.1
url:	http://osvdb.org/102117	Trust: 1.1
url:	http://www.securitytracker.com/id/1029634	Trust: 1.1
url:	https://exchange.xforce.ibmcloud.com/vulnerabilities/90431	Trust: 1.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-0648	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-0648	Trust: 0.8
url:	https://tools.cisco.com/bugsearch/bug/cscud75187	Trust: 0.6

sources: CNVD: CNVD-2014-00417 // VULHUB: VHN-68141 // JVNDB: JVNDB-2014-001189 // CNNVD: CNNVD-201401-348 // NVD: CVE-2014-0648

CREDITS

Cisco

Trust: 0.3

sources: BID: 64962

SOURCES

db:	CNVD	id:	CNVD-2014-00417
db:	VULHUB	id:	VHN-68141
db:	BID	id:	64962
db:	JVNDB	id:	JVNDB-2014-001189
db:	CNNVD	id:	CNNVD-201401-348
db:	NVD	id:	CVE-2014-0648

LAST UPDATE DATE

2024-11-23T22:18:42.427000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2014-00417	date:	2014-01-17T00:00:00
db:	VULHUB	id:	VHN-68141	date:	2017-08-29T00:00:00
db:	BID	id:	64962	date:	2014-01-15T00:00:00
db:	JVNDB	id:	JVNDB-2014-001189	date:	2014-01-20T00:00:00
db:	CNNVD	id:	CNNVD-201401-348	date:	2014-01-22T00:00:00
db:	NVD	id:	CVE-2014-0648	date:	2024-11-21T02:02:34.990

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2014-00417	date:	2014-01-17T00:00:00
db:	VULHUB	id:	VHN-68141	date:	2014-01-16T00:00:00
db:	BID	id:	64962	date:	2014-01-15T00:00:00
db:	JVNDB	id:	JVNDB-2014-001189	date:	2014-01-20T00:00:00
db:	CNNVD	id:	CNNVD-201401-348	date:	2014-01-22T00:00:00
db:	NVD	id:	CVE-2014-0648	date:	2014-01-16T19:55:04.637