Details of VAR-201401-0356

ID

VAR-201401-0356

CVE

CVE-2014-0650

TITLE

Cisco Secure Access Control System of Web Vulnerability to execute arbitrary operating system commands in the interface

Trust: 0.8

sources: JVNDB: JVNDB-2014-001191

DESCRIPTION

The web interface in Cisco Secure Access Control System (ACS) 5.x before 5.4 Patch 3 allows remote attackers to execute arbitrary operating-system commands via a request to this interface, aka Bug ID CSCue65962. Cisco Secure ACS is a central management platform for Cisco network devices that controls device authentication and authorization. Successfully exploiting this issue may allow an attacker to execute arbitrary OS commands in context of the affected application. This issue is being tracked by Cisco bug ID CSCue65962. The system can respectively control network access and network device access through RADIUS and TACACS protocols. The vulnerability is caused by the program not validating the input adequately

Trust: 2.52

sources: NVD: CVE-2014-0650 // JVNDB: JVNDB-2014-001191 // CNVD: CNVD-2014-00415 // BID: 64964 // VULHUB: VHN-68143

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2014-00415

AFFECTED PRODUCTS

vendor:	cisco	model:	secure access control system	scope:	eq	version:	5.3.0.40.8	Trust: 1.6
vendor:	cisco	model:	secure access control system	scope:	eq	version:	5.1.0.44.1	Trust: 1.6
vendor:	cisco	model:	secure access control system	scope:	eq	version:	5.1.0.44.5	Trust: 1.6
vendor:	cisco	model:	secure access control system	scope:	eq	version:	5.1.0.44.3	Trust: 1.6
vendor:	cisco	model:	secure access control system	scope:	eq	version:	5.2.0.26.1	Trust: 1.6
vendor:	cisco	model:	secure access control system	scope:	eq	version:	5.2.0.26.2	Trust: 1.6
vendor:	cisco	model:	secure access control system	scope:	eq	version:	5.1.0.44.2	Trust: 1.6
vendor:	cisco	model:	secure access control system	scope:	eq	version:	5.2.0.26	Trust: 1.6
vendor:	cisco	model:	secure access control system	scope:	eq	version:	5.2	Trust: 1.6
vendor:	cisco	model:	secure access control system	scope:	eq	version:	5.1.0.44.4	Trust: 1.6
vendor:	cisco	model:	secure access control system	scope:	eq	version:	5.1.0.44	Trust: 1.0
vendor:	cisco	model:	secure access control system	scope:	eq	version:	5.3.0.40.1	Trust: 1.0
vendor:	cisco	model:	secure access control system	scope:	eq	version:	5.3.0.40.6	Trust: 1.0
vendor:	cisco	model:	secure access control system	scope:	eq	version:	5.3.0.40.4	Trust: 1.0
vendor:	cisco	model:	secure access control system	scope:	lte	version:	5.4.0.46.2	Trust: 1.0
vendor:	cisco	model:	secure access control system	scope:	eq	version:	5.3.0.40.5	Trust: 1.0
vendor:	cisco	model:	secure access control system	scope:	eq	version:	5.3.0.40.3	Trust: 1.0
vendor:	cisco	model:	secure access control system	scope:	eq	version:	5.4.0.46.1	Trust: 1.0
vendor:	cisco	model:	secure access control system	scope:	eq	version:	5.3.0.40.9	Trust: 1.0
vendor:	cisco	model:	secure access control system	scope:	eq	version:	5.3.0.40.2	Trust: 1.0
vendor:	cisco	model:	secure access control system	scope:	eq	version:	5.1	Trust: 1.0
vendor:	cisco	model:	secure access control system	scope:	eq	version:	5.3.0.40.7	Trust: 1.0
vendor:	cisco	model:	secure access control system software	scope:	eq	version:	5.4 patch 3	Trust: 0.8
vendor:	cisco	model:	secure access control system software	scope:	lt	version:	5.x	Trust: 0.8
vendor:	cisco	model:	secure access control system	scope:	eq	version:	5.0-5.4	Trust: 0.6

sources: CNVD: CNVD-2014-00415 // JVNDB: JVNDB-2014-001191 // CNNVD: CNNVD-201401-350 // NVD: CVE-2014-0650

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2014-0650
value:	HIGH
Trust: 1.0
NVD:	CVE-2014-0650
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2014-00415
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-201401-350
value:	CRITICAL
Trust: 0.6
VULHUB:	VHN-68143
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2014-0650
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2014-00415
severity:	HIGH
baseScore:	8.5
vectorString:	AV:N/AC:M/AU:S/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	6.8
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
VULHUB:	VHN-68143
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: CNVD: CNVD-2014-00415 // VULHUB: VHN-68143 // JVNDB: JVNDB-2014-001191 // CNNVD: CNNVD-201401-350 // NVD: CVE-2014-0650

PROBLEMTYPE DATA

problemtype:

CWE-20

Trust: 1.9

sources: VULHUB: VHN-68143 // JVNDB: JVNDB-2014-001191 // NVD: CVE-2014-0650

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201401-350

TYPE

input validation

Trust: 0.6

sources: CNNVD: CNNVD-201401-350

CONFIGURATIONS

sources: JVNDB: JVNDB-2014-001191

PATCH

title:	32120	url:	http://tools.cisco.com/security/center/viewAMBAlert.x?alertId=32120	Trust: 0.8
title:	cisco-sa-20140115-csacs	url:	http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140115-csacs	Trust: 0.8
title:	32380	url:	http://tools.cisco.com/security/center/viewAlert.x?alertId=32380	Trust: 0.8
title:	cisco-sa-20140115-csacs	url:	http://www.cisco.com/cisco/web/support/JP/112/1121/1121707_cisco-sa-20140115-csacs-j.html	Trust: 0.8
title:	Cisco Secure Access Control System Command Injection Vulnerability Patch	url:	https://www.cnvd.org.cn/patchInfo/show/42558	Trust: 0.6

sources: CNVD: CNVD-2014-00415 // JVNDB: JVNDB-2014-001191

EXTERNAL IDS

db:	NVD	id:	CVE-2014-0650	Trust: 3.4
db:	BID	id:	64964	Trust: 2.0
db:	SECUNIA	id:	56213	Trust: 1.7
db:	SECTRACK	id:	1029634	Trust: 1.1
db:	OSVDB	id:	102115	Trust: 1.1
db:	JVNDB	id:	JVNDB-2014-001191	Trust: 0.8
db:	CNNVD	id:	CNNVD-201401-350	Trust: 0.7
db:	CNVD	id:	CNVD-2014-00415	Trust: 0.6
db:	CISCO	id:	20140115 MULTIPLE VULNERABILITIES IN CISCO SECURE ACCESS CONTROL SYSTEM	Trust: 0.6
db:	VULHUB	id:	VHN-68143	Trust: 0.1

sources: CNVD: CNVD-2014-00415 // VULHUB: VHN-68143 // BID: 64964 // JVNDB: JVNDB-2014-001191 // CNNVD: CNNVD-201401-350 // NVD: CVE-2014-0650

REFERENCES

url:	http://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20140115-csacs	Trust: 2.3
url:	http://secunia.com/advisories/56213	Trust: 1.7
url:	http://www.securityfocus.com/bid/64964	Trust: 1.1
url:	http://tools.cisco.com/security/center/viewalert.x?alertid=32380	Trust: 1.1
url:	http://osvdb.org/102115	Trust: 1.1
url:	http://www.securitytracker.com/id/1029634	Trust: 1.1
url:	https://exchange.xforce.ibmcloud.com/vulnerabilities/90432	Trust: 1.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-0650	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-0650	Trust: 0.8
url:	https://tools.cisco.com/bugsearch/bug/cscue65962	Trust: 0.6
url:	http://www.cisco.com/	Trust: 0.3

sources: CNVD: CNVD-2014-00415 // VULHUB: VHN-68143 // BID: 64964 // JVNDB: JVNDB-2014-001191 // CNNVD: CNNVD-201401-350 // NVD: CVE-2014-0650

CREDITS

Cisco

Trust: 0.3

sources: BID: 64964

SOURCES

db:	CNVD	id:	CNVD-2014-00415
db:	VULHUB	id:	VHN-68143
db:	BID	id:	64964
db:	JVNDB	id:	JVNDB-2014-001191
db:	CNNVD	id:	CNNVD-201401-350
db:	NVD	id:	CVE-2014-0650

LAST UPDATE DATE

2024-11-23T22:18:42.500000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2014-00415	date:	2014-01-17T00:00:00
db:	VULHUB	id:	VHN-68143	date:	2017-08-29T00:00:00
db:	BID	id:	64964	date:	2014-01-15T00:00:00
db:	JVNDB	id:	JVNDB-2014-001191	date:	2014-01-20T00:00:00
db:	CNNVD	id:	CNNVD-201401-350	date:	2014-01-22T00:00:00
db:	NVD	id:	CVE-2014-0650	date:	2024-11-21T02:02:35.237

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2014-00415	date:	2014-01-17T00:00:00
db:	VULHUB	id:	VHN-68143	date:	2014-01-16T00:00:00
db:	BID	id:	64964	date:	2014-01-15T00:00:00
db:	JVNDB	id:	JVNDB-2014-001191	date:	2014-01-20T00:00:00
db:	CNNVD	id:	CNNVD-201401-350	date:	2014-01-22T00:00:00
db:	NVD	id:	CVE-2014-0650	date:	2014-01-16T19:55:04.700