Details of VAR-201410-0077

ID

VAR-201410-0077

CVE

CVE-2014-3390

TITLE

Cisco ASA Software Virtual Network Management Center In policy implementation Linux of root Vulnerability for which access rights are acquired

Trust: 0.8

sources: JVNDB: JVNDB-2014-004664

DESCRIPTION

The Virtual Network Management Center (VNMC) policy implementation in Cisco ASA Software 8.7 before 8.7(1.14), 9.2 before 9.2(2.8), and 9.3 before 9.3(1.1) allows local users to obtain Linux root access by leveraging administrative privileges and executing a crafted script, aka Bug IDs CSCuq41510 and CSCuq47574. A local attacker can exploit this issue to gain root privileges. This issue is being tracked by Cisco Bug IDs CSCuq41510 and CSCuq47574. Cisco ASA is a set of firewall equipment of Cisco (Cisco). The device also includes IPS (Intrusion Prevention System), SSL VPN, IPSec VPN, antispam, and more. The vulnerability is caused by the program not adequately filtering the input submitted by the user. The following versions are affected: Cisco ASA Software 8.7 prior to 8.7(1.14), 9.2 prior to 9.2(2.8), 9.3 prior to 9.3(1.1)

Trust: 1.98

sources: NVD: CVE-2014-3390 // JVNDB: JVNDB-2014-004664 // BID: 70296 // VULHUB: VHN-71330

AFFECTED PRODUCTS

vendor:	cisco	model:	adaptive security appliance software	scope:	eq	version:	8.7.1.3	Trust: 1.6
vendor:	cisco	model:	adaptive security appliance software	scope:	eq	version:	9.3.1	Trust: 1.6
vendor:	cisco	model:	adaptive security appliance software	scope:	eq	version:	9.2.2	Trust: 1.6
vendor:	cisco	model:	adaptive security appliance software	scope:	eq	version:	8.7.8	Trust: 1.6
vendor:	cisco	model:	adaptive security appliance software	scope:	eq	version:	9.2.1	Trust: 1.6
vendor:	cisco	model:	adaptive security appliance software	scope:	eq	version:	9.2.2.4	Trust: 1.6
vendor:	cisco	model:	adaptive security appliance software	scope:	eq	version:	8.7.1.7	Trust: 1.6
vendor:	cisco	model:	adaptive security appliance software	scope:	eq	version:	8.7.1.4	Trust: 1.6
vendor:	cisco	model:	adaptive security appliance software	scope:	eq	version:	8.7.1.11	Trust: 1.6
vendor:	cisco	model:	adaptive security appliance software	scope:	eq	version:	8.7.1.13	Trust: 1.6
vendor:	cisco	model:	adaptive security appliance software	scope:	eq	version:	9.3.1.1	Trust: 1.0
vendor:	cisco	model:	adaptive security appliance software	scope:	eq	version:	8.7.1	Trust: 1.0
vendor:	cisco	model:	adaptive security appliance software	scope:	eq	version:	8.7(1.14)	Trust: 0.8
vendor:	cisco	model:	adaptive security appliance	scope:	-	version:	-	Trust: 0.8
vendor:	cisco	model:	adaptive security appliance software	scope:	lt	version:	8.7	Trust: 0.8
vendor:	cisco	model:	adaptive security appliance software	scope:	eq	version:	9.3(1.1)	Trust: 0.8
vendor:	cisco	model:	adaptive security appliance software	scope:	lt	version:	9.3	Trust: 0.8
vendor:	cisco	model:	adaptive security appliance software	scope:	eq	version:	9.2(2.8)	Trust: 0.8
vendor:	cisco	model:	adaptive security appliance software	scope:	lt	version:	9.2	Trust: 0.8

sources: JVNDB: JVNDB-2014-004664 // CNNVD: CNNVD-201410-213 // NVD: CVE-2014-3390

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2014-3390
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2014-3390
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-201410-213
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-71330
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2014-3390
severity:	MEDIUM
baseScore:	6.8
vectorString:	AV:L/AC:L/AU:S/C:C/I:C/A:C
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	3.1
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-71330
severity:	MEDIUM
baseScore:	6.8
vectorString:	AV:L/AC:L/AU:S/C:C/I:C/A:C
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	3.1
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: VULHUB: VHN-71330 // JVNDB: JVNDB-2014-004664 // CNNVD: CNNVD-201410-213 // NVD: CVE-2014-3390

PROBLEMTYPE DATA

problemtype:

CWE-20

Trust: 1.9

sources: VULHUB: VHN-71330 // JVNDB: JVNDB-2014-004664 // NVD: CVE-2014-3390

THREAT TYPE

local

Trust: 0.9

sources: BID: 70296 // CNNVD: CNNVD-201410-213

TYPE

input validation

Trust: 0.6

sources: CNNVD: CNNVD-201410-213

CONFIGURATIONS

sources: JVNDB: JVNDB-2014-004664

PATCH

title:	cisco-sa-20141008-asa	url:	http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141008-asa	Trust: 0.8
title:	35913	url:	http://tools.cisco.com/security/center/viewAlert.x?alertId=35913	Trust: 0.8
title:	cisco-sa-20141008-asa	url:	http://www.cisco.com/cisco/web/support/JP/112/1126/1126286_cisco-sa-20141008-asa-j.html	Trust: 0.8

sources: JVNDB: JVNDB-2014-004664

EXTERNAL IDS

db:	NVD	id:	CVE-2014-3390	Trust: 2.8
db:	JVNDB	id:	JVNDB-2014-004664	Trust: 0.8
db:	CNNVD	id:	CNNVD-201410-213	Trust: 0.7
db:	BID	id:	70296	Trust: 0.4
db:	VULHUB	id:	VHN-71330	Trust: 0.1

sources: VULHUB: VHN-71330 // BID: 70296 // JVNDB: JVNDB-2014-004664 // CNNVD: CNNVD-201410-213 // NVD: CVE-2014-3390

REFERENCES

url:	http://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20141008-asa	Trust: 2.0
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-3390	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-3390	Trust: 0.8
url:	http://www.cisco.com/en/us/products/ps12726/index.html	Trust: 0.3
url:	http://tools.cisco.com/security/center/viewalert.x?alertid=35913	Trust: 0.3
url:	http://www.cisco.com	Trust: 0.3

sources: VULHUB: VHN-71330 // BID: 70296 // JVNDB: JVNDB-2014-004664 // CNNVD: CNNVD-201410-213 // NVD: CVE-2014-3390

CREDITS

Cisco

Trust: 0.3

sources: BID: 70296

SOURCES

db:	VULHUB	id:	VHN-71330
db:	BID	id:	70296
db:	JVNDB	id:	JVNDB-2014-004664
db:	CNNVD	id:	CNNVD-201410-213
db:	NVD	id:	CVE-2014-3390

LAST UPDATE DATE

2024-11-23T22:18:34.237000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-71330	date:	2014-10-13T00:00:00
db:	BID	id:	70296	date:	2014-10-08T00:00:00
db:	JVNDB	id:	JVNDB-2014-004664	date:	2014-10-14T00:00:00
db:	CNNVD	id:	CNNVD-201410-213	date:	2014-10-14T00:00:00
db:	NVD	id:	CVE-2014-3390	date:	2024-11-21T02:07:59.763

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-71330	date:	2014-10-10T00:00:00
db:	BID	id:	70296	date:	2014-10-08T00:00:00
db:	JVNDB	id:	JVNDB-2014-004664	date:	2014-10-14T00:00:00
db:	CNNVD	id:	CNNVD-201410-213	date:	2014-10-14T00:00:00
db:	NVD	id:	CVE-2014-3390	date:	2014-10-10T10:55:06.507