ID

VAR-201405-0303


CVE

CVE-2014-2882


TITLE

Citrix NetScaler Application Delivery Controller and NetScaler Gateway Management GUI Vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2014-002346

DESCRIPTION

Unspecified vulnerability in the management GUI in Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway before 9.3-66.5 and 10.x before 10.1-122.17 has unspecified impact and vectors, related to certificate validation.

Successfully exploiting this issue allows attackers to perform man-in-the-middle attacks or impersonate trusted servers, which will aid in further attacks.

There are currently no details about this vulnerability. Please keep an eye on the cnnvd website or manufacturer announcements.

Vulnerability title: Lack of SSL Certificate Validation in Citrix Netscaler
CVE: CVE-2014-2882
Vendor: Citrix
Product: Netscaler
Affected version: All prior to 10.1-122.17/9.3-66.5
Fixed version: 10.1-122.17/9.3-66.5
Reported by: Graham Sutherland

Details: The remote configuration Java applet assigns an empty trust manager to its SSL context, causing it to accept any certificate regardless of validity.

Further details at: https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-2882/

Copyright: Copyright (c) Portcullis Computer Security Limited 2014, All rights reserved worldwide. Permission is hereby granted for the electronic redistribution of this information. It is not to be edited or altered in any way without the express written consent of Portcullis Computer Security Limited.

Disclaimer: The information herein contained may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Portcullis Computer Security Limited) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information

Trust: 2.07

sources: NVD: CVE-2014-2882 // JVNDB: JVNDB-2014-002346 // BID: 67160 // VULHUB: VHN-70821 // PACKETSTORM: 126519

AFFECTED PRODUCTS

vendor: citrix, model: netscaler application delivery controller, scope: eq, version: 10.1

Trust: 1.6

vendor: citrix, model: netscaler access gateway, scope: eq, version: 9.3

Trust: 1.6

vendor: citrix, model: netscaler application delivery controller, scope: lte, version: 9.3.e

Trust: 1.0

vendor: citrix, model: netscaler access gateway, scope: lte, version: 10.1.e

Trust: 1.0

vendor: citrix, model: netscaler access gateway, scope: eq, version: -

Trust: 1.0

vendor: citrix, model: netscaler application delivery controller, scope: eq, version: -

Trust: 1.0

vendor: citrix, model: netscaler gateway, scope: eq, version: 10.1-122.17

Trust: 0.8

vendor: citrix, model: netscaler application delivery controller, scope: eq, version: 10.1-122.17

Trust: 0.8

vendor: citrix, model: netscaler gateway, scope: lt, version: of 10.x

Trust: 0.8

vendor: citrix, model: netscaler application delivery controller, scope: lt, version: of 10.x

Trust: 0.8

vendor: citrix, model: netscaler access gateway, scope: eq, version: 10.1.e

Trust: 0.6

vendor: citrix, model: netscaler application delivery controller, scope: eq, version: 9.3.e

Trust: 0.6

vendor: citrix, model: access gateway enterprise edition, scope: eq, version: 9.2

Trust: 0.3

sources: BID: 67160 // JVNDB: JVNDB-2014-002346 // CNNVD: CNNVD-201405-003 // NVD: CVE-2014-2882

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2014-2882
value: HIGH

Trust: 1.0

NVD: CVE-2014-2882
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201405-003
value: CRITICAL

Trust: 0.6

VULHUB: VHN-70821
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2014-2882
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

NVD: CVE-2014-2882
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

VULHUB: VHN-70821
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-70821 // JVNDB: JVNDB-2014-002346 // CNNVD: CNNVD-201405-003 // NVD: CVE-2014-2882

PROBLEMTYPE DATA

problemtype: NVD-CWE-noinfo

Trust: 1.0

sources: NVD: CVE-2014-2882

THREAT TYPE

remote

Trust: 0.7

sources: PACKETSTORM: 126519 // CNNVD: CNNVD-201405-003

TYPE

lack of information

Trust: 0.6

sources: CNNVD: CNNVD-201405-003

CONFIGURATIONS

sources: JVNDB: JVNDB-2014-002346

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-70821

PATCH

title: CTX140651, url: http://support.citrix.com/article/CTX140651

Trust: 0.8

title: agee-9.3-66.5, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=49707

Trust: 0.6

sources: JVNDB: JVNDB-2014-002346 // CNNVD: CNNVD-201405-003

EXTERNAL IDS

db: NVD, id: CVE-2014-2882

Trust: 2.9

db: SECTRACK, id: 1030180

Trust: 1.7

db: JVNDB, id: JVNDB-2014-002346

Trust: 0.8

db: CNNVD, id: CNNVD-201405-003

Trust: 0.7

db: BID, id: 67160

Trust: 0.4

db: PACKETSTORM, id: 126519

Trust: 0.2

db: VULHUB, id: VHN-70821

Trust: 0.1

sources: VULHUB: VHN-70821 // BID: 67160 // JVNDB: JVNDB-2014-002346 // PACKETSTORM: 126519 // CNNVD: CNNVD-201405-003 // NVD: CVE-2014-2882

REFERENCES

url:http://support.citrix.com/article/ctx140651

Trust: 1.7

url:http://www.securitytracker.com/id/1030180

Trust: 1.7

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-2882

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-2882

Trust: 0.8

url:http://www.citrix.com/

Trust: 0.3

url:https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-2882/

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2014-2882

Trust: 0.1

sources: VULHUB: VHN-70821 // BID: 67160 // JVNDB: JVNDB-2014-002346 // PACKETSTORM: 126519 // CNNVD: CNNVD-201405-003 // NVD: CVE-2014-2882

CREDITS

Graham Sutherland

Trust: 0.4

sources: BID: 67160 // PACKETSTORM: 126519

SOURCES

db: VULHUB, id: VHN-70821
db: BID, id: 67160
db: JVNDB, id: JVNDB-2014-002346
db: PACKETSTORM, id: 126519
db: CNNVD, id: CNNVD-201405-003
db: NVD, id: CVE-2014-2882

LAST UPDATE DATE

2024-11-23T22:18:37.115000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-70821, date: 2014-07-18T00:00:00
db: BID, id: 67160, date: 2014-05-07T12:13:00
db: JVNDB, id: JVNDB-2014-002346, date: 2014-05-02T00:00:00
db: CNNVD, id: CNNVD-201405-003, date: 2014-05-06T00:00:00
db: NVD, id: CVE-2014-2882, date: 2024-11-21T02:07:07.550

SOURCES RELEASE DATE

db: VULHUB, id: VHN-70821, date: 2014-05-01T00:00:00
db: BID, id: 67160, date: 2014-04-30T00:00:00
db: JVNDB, id: JVNDB-2014-002346, date: 2014-05-02T00:00:00
db: PACKETSTORM, id: 126519, date: 2014-05-06T20:41:11
db: CNNVD, id: CNNVD-201405-003, date: 2014-05-06T00:00:00
db: NVD, id: CVE-2014-2882, date: 2014-05-01T17:28:36.383