Sign-up

ID

VAR-201411-0246


CVE

CVE-2014-7991


TITLE

Cisco Unified Communications Manager of Remote Mobile Access Subsystem In VCS core Device forgery vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2014-005455

DESCRIPTION

The Remote Mobile Access Subsystem in Cisco Unified Communications Manager (CM) 10.0(1) and earlier does not properly validate the Subject Alternative Name (SAN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof VCS core devices via a crafted certificate issued by a legitimate Certification Authority, aka Bug ID CSCuq86376. Cisco Unified Communications Manager is prone to a security-bypass vulnerability. An attacker can exploit this issue to perform man-in-the-middle attacks or impersonate trusted servers, which will aid in further attacks. This issue is being tracked by Cisco Bug ID CSCuq86376. This component provides a scalable, distributed and highly available enterprise IP telephony call processing solution. There is a security vulnerability in the Remote Mobile Access Subsystem of CUCM 10.0(1) and earlier versions. The vulnerability is caused by the fact that the program does not correctly verify the Subject Alternative Name (SAN) field of the X.509 certificate

Trust: 1.98

sources: NVD: CVE-2014-7991 // JVNDB: JVNDB-2014-005455 // BID: 71013 // VULHUB: VHN-75936

AFFECTED PRODUCTS

vendor:ciscomodel:unified communications managerscope:eqversion:10.0

Trust: 1.6

vendor:ciscomodel:unified communications managerscope:lteversion:10.0\(1\)

Trust: 1.0

vendor:ciscomodel:unified communications managerscope:lteversion:10.0(1)

Trust: 0.8

vendor:ciscomodel:unified communications managerscope:eqversion:10.0\(1\)

Trust: 0.6

sources: JVNDB: JVNDB-2014-005455 // CNNVD: CNNVD-201411-209 // NVD: CVE-2014-7991

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2014-7991
value: MEDIUM

Trust: 1.0

NVD: CVE-2014-7991
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201411-209
value: MEDIUM

Trust: 0.6

VULHUB: VHN-75936
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2014-7991
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-75936
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-75936 // JVNDB: JVNDB-2014-005455 // CNNVD: CNNVD-201411-209 // NVD: CVE-2014-7991

PROBLEMTYPE DATA

problemtype:CWE-310

Trust: 1.9

sources: VULHUB: VHN-75936 // JVNDB: JVNDB-2014-005455 // NVD: CVE-2014-7991

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201411-209

TYPE

encryption problem

Trust: 0.6

sources: CNNVD: CNNVD-201411-209

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2014-005455

PATCH
title:Cisco Unified Communications Manager Remote Mobile Access Subsystem Vulnerabilityurl:http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-7991
Trust: 0.8
title:36381url:http://tools.cisco.com/security/center/viewAlert.x?alertId=36381
Trust: 0.8
sources:
            
            
            JVNDB: JVNDB-2014-005455

EXTERNAL IDS
db:NVDid:CVE-2014-7991
Trust: 2.8
db:BIDid:71013
Trust: 1.4
db:SECTRACKid:1031181
Trust: 1.1
db:SECUNIAid:62267
Trust: 1.1
db:JVNDBid:JVNDB-2014-005455
Trust: 0.8
db:CNNVDid:CNNVD-201411-209
Trust: 0.7
db:VULHUBid:VHN-75936
Trust: 0.1
sources:
            
            
            VULHUB: VHN-75936 // 
            
            
            
            BID: 71013 // 
            
            
            
            JVNDB: JVNDB-2014-005455 // 
            
            
            
            CNNVD: CNNVD-201411-209 // 
            
            
            
            NVD: CVE-2014-7991

REFERENCES
url:http://tools.cisco.com/security/center/content/ciscosecuritynotice/cve-2014-7991
Trust: 1.7
url:http://tools.cisco.com/security/center/viewalert.x?alertid=36381
Trust: 1.7
url:http://www.securityfocus.com/bid/71013
Trust: 1.1
url:http://www.securitytracker.com/id/1031181
Trust: 1.1
url:http://secunia.com/advisories/62267
Trust: 1.1
url:https://exchange.xforce.ibmcloud.com/vulnerabilities/98574
Trust: 1.1
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-7991
Trust: 0.8
url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-7991
Trust: 0.8
url:www.cisco.com
Trust: 0.3
sources:
            
            
            VULHUB: VHN-75936 // 
            
            
            
            BID: 71013 // 
            
            
            
            JVNDB: JVNDB-2014-005455 // 
            
            
            
            CNNVD: CNNVD-201411-209 // 
            
            
            
            NVD: CVE-2014-7991

CREDITS
Cisco
Trust: 0.3
sources:
            
            
            BID: 71013

SOURCES
db:VULHUBid:VHN-75936
db:BIDid:71013
db:JVNDBid:JVNDB-2014-005455
db:CNNVDid:CNNVD-201411-209
db:NVDid:CVE-2014-7991

LAST UPDATE DATE
2024-11-23T22:08:12.859000+00:00

SOURCES UPDATE DATE
db:VULHUBid:VHN-75936date:2017-09-08T00:00:00
db:BIDid:71013date:2014-11-12T00:58:00
db:JVNDBid:JVNDB-2014-005455date:2014-11-17T00:00:00
db:CNNVDid:CNNVD-201411-209date:2014-11-14T00:00:00
db:NVDid:CVE-2014-7991date:2024-11-21T02:18:23.403

SOURCES RELEASE DATE
db:VULHUBid:VHN-75936date:2014-11-14T00:00:00
db:BIDid:71013date:2014-11-10T00:00:00
db:JVNDBid:JVNDB-2014-005455date:2014-11-17T00:00:00
db:CNNVDid:CNNVD-201411-209date:2014-11-14T00:00:00
db:NVDid:CVE-2014-7991date:2014-11-14T00:59:03.807