Details of VAR-201404-0571

ID

VAR-201404-0571

CVE

CVE-2014-2127

TITLE

Cisco Adaptive Security Appliance Vulnerability gained privilege in software

Trust: 0.8

sources: JVNDB: JVNDB-2014-001940

DESCRIPTION

Cisco Adaptive Security Appliance (ASA) Software 8.x before 8.2(5.48), 8.3 before 8.3(2.40), 8.4 before 8.4(7.9), 8.6 before 8.6(1.13), 9.0 before 9.0(4.1), and 9.1 before 9.1(4.3) does not properly process management-session information during privilege validation for SSL VPN portal connections, which allows remote authenticated users to gain privileges by establishing a Clientless SSL VPN session and entering crafted URLs, aka Bug ID CSCul70099. Cisco Adaptive Security Appliance is prone to a remote privilege-escalation vulnerability. A remote attacker can exploit this issue to gain administrative access to affected devices. This issue is tracked by Cisco Bug ID CSCul70099. The following versions are affected: Cisco ASA Software 8.0, 8.1, 8.2, 8.3 (2.40) before 8.3, 8.4, 8.6, 9.0, 9.1 before 9.1 (4.3)

Trust: 1.98

sources: NVD: CVE-2014-2127 // JVNDB: JVNDB-2014-001940 // BID: 66748 // VULHUB: VHN-70066

AFFECTED PRODUCTS

vendor:	cisco	model:	adaptive security appliance software	scope:	eq	version:	8.6	Trust: 1.6
vendor:	cisco	model:	adaptive security appliance software	scope:	eq	version:	9.0	Trust: 1.6
vendor:	cisco	model:	adaptive security appliance software	scope:	eq	version:	8.2	Trust: 1.6
vendor:	cisco	model:	adaptive security appliance software	scope:	eq	version:	8.1	Trust: 1.6
vendor:	cisco	model:	adaptive security appliance software	scope:	eq	version:	8.3\(1\)	Trust: 1.6
vendor:	cisco	model:	adaptive security appliance software	scope:	eq	version:	9.1	Trust: 1.6
vendor:	cisco	model:	adaptive security appliance software	scope:	eq	version:	8.0	Trust: 1.6
vendor:	cisco	model:	adaptive security appliance software	scope:	eq	version:	8.4	Trust: 1.6
vendor:	cisco	model:	adaptive security appliance software	scope:	eq	version:	9.0(4.1)	Trust: 0.8
vendor:	cisco	model:	adaptive security appliance software	scope:	lt	version:	8.3	Trust: 0.8
vendor:	cisco	model:	adaptive security appliance	scope:	-	version:	-	Trust: 0.8
vendor:	cisco	model:	adaptive security appliance software	scope:	lt	version:	8.x	Trust: 0.8
vendor:	cisco	model:	adaptive security appliance software	scope:	eq	version:	8.6(1.13)	Trust: 0.8
vendor:	cisco	model:	adaptive security appliance software	scope:	lt	version:	9.0	Trust: 0.8
vendor:	cisco	model:	adaptive security appliance software	scope:	eq	version:	8.4(7.9)	Trust: 0.8
vendor:	cisco	model:	adaptive security appliance software	scope:	eq	version:	8.3(2.40)	Trust: 0.8
vendor:	cisco	model:	adaptive security appliance software	scope:	lt	version:	8.4	Trust: 0.8
vendor:	cisco	model:	adaptive security appliance software	scope:	lt	version:	9.1	Trust: 0.8
vendor:	cisco	model:	adaptive security appliance software	scope:	eq	version:	9.1(4.3)	Trust: 0.8
vendor:	cisco	model:	adaptive security appliance software	scope:	lt	version:	8.6	Trust: 0.8
vendor:	cisco	model:	adaptive security appliance software	scope:	eq	version:	8.2(5.48)	Trust: 0.8

sources: JVNDB: JVNDB-2014-001940 // CNNVD: CNNVD-201404-114 // NVD: CVE-2014-2127

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2014-2127
value:	HIGH
Trust: 1.0
NVD:	CVE-2014-2127
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-201404-114
value:	HIGH
Trust: 0.6
VULHUB:	VHN-70066
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2014-2127
severity:	HIGH
baseScore:	8.5
vectorString:	AV:N/AC:M/AU:S/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	6.8
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-70066
severity:	HIGH
baseScore:	8.5
vectorString:	AV:N/AC:M/AU:S/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	6.8
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: VULHUB: VHN-70066 // JVNDB: JVNDB-2014-001940 // CNNVD: CNNVD-201404-114 // NVD: CVE-2014-2127

PROBLEMTYPE DATA

problemtype:

CWE-20

Trust: 1.9

sources: VULHUB: VHN-70066 // JVNDB: JVNDB-2014-001940 // NVD: CVE-2014-2127

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201404-114

TYPE

input validation

Trust: 0.6

sources: CNNVD: CNNVD-201404-114

CONFIGURATIONS

sources: JVNDB: JVNDB-2014-001940

PATCH

title:	cisco-sa-20140409-asa	url:	http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-asa	Trust: 0.8
title:	33623	url:	http://tools.cisco.com/security/center/viewAlert.x?alertId=33623	Trust: 0.8
title:	cisco-sa-20140409-asa	url:	http://www.cisco.com/cisco/web/support/JP/112/1122/1122330_cisco-sa-20140409-asa-j.html	Trust: 0.8

sources: JVNDB: JVNDB-2014-001940

EXTERNAL IDS

db:	NVD	id:	CVE-2014-2127	Trust: 2.8
db:	JVNDB	id:	JVNDB-2014-001940	Trust: 0.8
db:	CNNVD	id:	CNNVD-201404-114	Trust: 0.7
db:	CISCO	id:	20140409 MULTIPLE VULNERABILITIES IN CISCO ASA SOFTWARE	Trust: 0.6
db:	NSFOCUS	id:	26480	Trust: 0.6
db:	BID	id:	66748	Trust: 0.4
db:	SEEBUG	id:	SSVID-62155	Trust: 0.1
db:	VULHUB	id:	VHN-70066	Trust: 0.1

sources: VULHUB: VHN-70066 // BID: 66748 // JVNDB: JVNDB-2014-001940 // CNNVD: CNNVD-201404-114 // NVD: CVE-2014-2127

REFERENCES

url:	http://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20140409-asa	Trust: 2.0
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-2127	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-2127	Trust: 0.8
url:	http://www.nsfocus.net/vulndb/26480	Trust: 0.6
url:	http://www.cisco.com/	Trust: 0.3

sources: VULHUB: VHN-70066 // BID: 66748 // JVNDB: JVNDB-2014-001940 // CNNVD: CNNVD-201404-114 // NVD: CVE-2014-2127

CREDITS

Jonathan Claudius from Trustwave SpiderLabs and Laura Guay from Dell SecureWorks

Trust: 0.3

sources: BID: 66748

SOURCES

db:	VULHUB	id:	VHN-70066
db:	BID	id:	66748
db:	JVNDB	id:	JVNDB-2014-001940
db:	CNNVD	id:	CNNVD-201404-114
db:	NVD	id:	CVE-2014-2127

LAST UPDATE DATE

2024-11-23T22:23:06.189000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-70066	date:	2014-04-10T00:00:00
db:	BID	id:	66748	date:	2014-04-09T00:00:00
db:	JVNDB	id:	JVNDB-2014-001940	date:	2014-04-11T00:00:00
db:	CNNVD	id:	CNNVD-201404-114	date:	2014-04-15T00:00:00
db:	NVD	id:	CVE-2014-2127	date:	2024-11-21T02:05:42.273

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-70066	date:	2014-04-10T00:00:00
db:	BID	id:	66748	date:	2014-04-09T00:00:00
db:	JVNDB	id:	JVNDB-2014-001940	date:	2014-04-11T00:00:00
db:	CNNVD	id:	CNNVD-201404-114	date:	2014-04-15T00:00:00
db:	NVD	id:	CVE-2014-2127	date:	2014-04-10T04:34:50.960