ID

VAR-201405-0302


CVE

CVE-2014-2881


TITLE

Vulnerability in the Java applet of the management GUI in Citrix NetScaler Application Delivery Controller and NetScaler Gateway

Trust: 0.8

sources: JVNDB: JVNDB-2014-002345

DESCRIPTION

Unspecified vulnerability in the Diffie-Hellman key agreement implementation in the management GUI Java applet in Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway before 9.3-66.5 and 10.x before 10.1-122.17 has unknown impact and vectors.

Citrix NetScaler is prone to an unspecified security vulnerability. Little is known about this issue or its effects at this time. We will update this BID as more information emerges.

There are currently no details about this vulnerability. Please keep an eye on the cnnvd website or manufacturer announcements.

Vulnerability title: Poor Quality Implementation of Diffie-Hellman Key Exchange in Citrix Netscaler
CVE: CVE-2014-2881
Vendor: Citrix
Product: Netscaler
Affected version: All prior to 10.1-122.17/9.3-66.5
Fixed version: 10.1-122.17/9.3-66.5
Reported by: Graham Sutherland

Details: The remote configuration Java applet contains a poor implementation of the Diffie-Hellman key exchange algorithm. The random number generator used to produce secret values is the java.util.Random class, which is not of cryptographic quality. Publicly known predictors exist for the underlying RNG, and the seed is either 32-bit or 48-bit depending on the host system. Furthermore, the selection of the secret 'a' value within the key generation process is potentially vulnerable to timing attacks that leak the RNG state, as the implementation loops until the RNG outputs a value within a publicly known range.

Further details at: https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-2881/

Copyright: Copyright (c) Portcullis Computer Security Limited 2014, All rights reserved worldwide. Permission is hereby granted for the electronic redistribution of this information. It is not to be edited or altered in any way without the express written consent of Portcullis Computer Security Limited.

Disclaimer: The information herein contained may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Portcullis Computer Security Limited) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

Trust: 2.07

sources: NVD: CVE-2014-2881 // JVNDB: JVNDB-2014-002345 // BID: 67156 // VULHUB: VHN-70820 // PACKETSTORM: 126518

AFFECTED PRODUCTS

vendor: citrix | model: netscaler application delivery controller | scope: eq | version: 10.1

Trust: 1.6

vendor: citrix | model: netscaler access gateway | scope: eq | version: 9.3

Trust: 1.6

vendor: citrix | model: netscaler application delivery controller | scope: lte | version: 9.3.e

Trust: 1.0

vendor: citrix | model: netscaler access gateway | scope: lte | version: 10.1.e

Trust: 1.0

vendor: citrix | model: netscaler access gateway | scope: eq | version: -

Trust: 1.0

vendor: citrix | model: netscaler application delivery controller | scope: eq | version: -

Trust: 1.0

vendor: citrix | model: netscaler gateway | scope: eq | version: 10.1-122.17

Trust: 0.8

vendor: citrix | model: netscaler application delivery controller | scope: eq | version: 10.1-122.17

Trust: 0.8

vendor: citrix | model: netscaler gateway | scope: lt | version: of 10.x

Trust: 0.8

vendor: citrix | model: netscaler application delivery controller | scope: lt | version: of 10.x

Trust: 0.8

vendor: citrix | model: netscaler access gateway | scope: eq | version: 10.1.e

Trust: 0.6

vendor: citrix | model: netscaler application delivery controller | scope: eq | version: 9.3.e

Trust: 0.6

vendor: citrix | model: netscaler | scope: eq | version: 9.1.100.3

Trust: 0.3

vendor: citrix | model: netscaler build | scope: eq | version: 9.196.4

Trust: 0.3

vendor: citrix | model: netscaler | scope: eq | version: 9.1

Trust: 0.3

vendor: citrix | model: netscaler build | scope: eq | version: 9.070.5

Trust: 0.3

vendor: citrix | model: netscaler | scope: eq | version: 9.0

Trust: 0.3

sources: BID: 67156 // JVNDB: JVNDB-2014-002345 // CNNVD: CNNVD-201405-002 // NVD: CVE-2014-2881

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2014-2881
value: HIGH

Trust: 1.0

NVD: CVE-2014-2881
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201405-002
value: CRITICAL

Trust: 0.6

VULHUB: VHN-70820
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2014-2881
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

NVD: CVE-2014-2881
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

VULHUB: VHN-70820
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-70820 // JVNDB: JVNDB-2014-002345 // CNNVD: CNNVD-201405-002 // NVD: CVE-2014-2881

PROBLEMTYPE DATA

problemtype:NVD-CWE-noinfo

Trust: 1.0

sources: NVD: CVE-2014-2881

THREAT TYPE

remote

Trust: 0.7

sources: PACKETSTORM: 126518 // CNNVD: CNNVD-201405-002

TYPE

lack of information

Trust: 0.6

sources: CNNVD: CNNVD-201405-002

CONFIGURATIONS

sources: JVNDB: JVNDB-2014-002345

PATCH

title: CTX140651 | url: http://support.citrix.com/article/CTX140651

Trust: 0.8

title: agee-9.3-66.5 | url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=49707

Trust: 0.6

sources: JVNDB: JVNDB-2014-002345 // CNNVD: CNNVD-201405-002

EXTERNAL IDS

db: NVD | id: CVE-2014-2881

Trust: 2.9

db: SECTRACK | id: 1030180

Trust: 1.7

db: JVNDB | id: JVNDB-2014-002345

Trust: 0.8

db: CNNVD | id: CNNVD-201405-002

Trust: 0.7

db: BID | id: 67156

Trust: 0.4

db: PACKETSTORM | id: 126518

Trust: 0.2

db: VULHUB | id: VHN-70820

Trust: 0.1

sources: VULHUB: VHN-70820 // BID: 67156 // JVNDB: JVNDB-2014-002345 // PACKETSTORM: 126518 // CNNVD: CNNVD-201405-002 // NVD: CVE-2014-2881

REFERENCES

url:http://support.citrix.com/article/ctx140651

Trust: 1.7

url:http://www.securitytracker.com/id/1030180

Trust: 1.7

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-2881

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-2881

Trust: 0.8

url:http://www.citrix.com/english/ps2/products/product.asp?contentid=21679

Trust: 0.3

url:https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-2881/

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2014-2881

Trust: 0.1

sources: VULHUB: VHN-70820 // BID: 67156 // JVNDB: JVNDB-2014-002345 // PACKETSTORM: 126518 // CNNVD: CNNVD-201405-002 // NVD: CVE-2014-2881

CREDITS

The vendor reported this issue.

Trust: 0.3

sources: BID: 67156

SOURCES

db: VULHUB | id: VHN-70820
db: BID | id: 67156
db: JVNDB | id: JVNDB-2014-002345
db: PACKETSTORM | id: 126518
db: CNNVD | id: CNNVD-201405-002
db: NVD | id: CVE-2014-2881

LAST UPDATE DATE

2024-11-23T22:18:37.148000+00:00


SOURCES UPDATE DATE

db: VULHUB | id: VHN-70820 | date: 2014-07-18T00:00:00
db: BID | id: 67156 | date: 2014-04-30T00:00:00
db: JVNDB | id: JVNDB-2014-002345 | date: 2014-05-02T00:00:00
db: CNNVD | id: CNNVD-201405-002 | date: 2014-05-06T00:00:00
db: NVD | id: CVE-2014-2881 | date: 2024-11-21T02:07:07.400

SOURCES RELEASE DATE

db: VULHUB | id: VHN-70820 | date: 2014-05-01T00:00:00
db: BID | id: 67156 | date: 2014-04-30T00:00:00
db: JVNDB | id: JVNDB-2014-002345 | date: 2014-05-02T00:00:00
db: PACKETSTORM | id: 126518 | date: 2014-05-06T20:38:29
db: CNNVD | id: CNNVD-201405-002 | date: 2014-05-06T00:00:00
db: NVD | id: CVE-2014-2881 | date: 2014-05-01T17:28:36.367