Details of VAR-201411-0383

ID

VAR-201411-0383

CVE

CVE-2014-8420

TITLE

plural Dell SonicWALL Product ViewPoint Web An arbitrary code execution vulnerability in an application

Trust: 0.8

sources: JVNDB: JVNDB-2014-005638

DESCRIPTION

The ViewPoint web application in Dell SonicWALL Global Management System (GMS) before 7.2 SP2, SonicWALL Analyzer before 7.2 SP2, and SonicWALL UMA before 7.2 SP2 allows remote authenticated users to execute arbitrary code via unspecified vectors. Authentication is required to exploit this vulnerability.The specific flaw exists within the GMS ViewPoint (GMSVP) web application. The issue lies in the handling of configuration input due to a failure to safely sanitize user data before executing a command. An attacker could leverage this vulnerability to execute code with root privileges on the underlying operating system. Multiple Dell SonicWALL Products are prone to multiple remote code-execution vulnerabilities. Successful exploitation can completely compromise the vulnerable device. GMS is a global management system for rapid deployment and centralized management of SonicWALL infrastructure. Analyzer is a set of network analyzer software for SonicWALL infrastructure. UMA is a set of universal management device software

Trust: 2.61

sources: NVD: CVE-2014-8420 // JVNDB: JVNDB-2014-005638 // ZDI: ZDI-14-385 // BID: 71241 // VULHUB: VHN-76365

AFFECTED PRODUCTS

vendor:	sonicwall	model:	uma em5000	scope:	eq	version:	-	Trust: 1.6
vendor:	sonicwall	model:	global management system	scope:	eq	version:	7.2	Trust: 1.6
vendor:	sonicwall	model:	analyzer	scope:	eq	version:	7.2	Trust: 1.6
vendor:	dell	model:	sonicwall analyzer	scope:	lt	version:	7.2 sp2	Trust: 0.8
vendor:	dell	model:	sonicwall global management system	scope:	lt	version:	7.2 sp2	Trust: 0.8
vendor:	dell	model:	sonicwall e-class universal management appliance em5000	scope:	lt	version:	7.2 sp2	Trust: 0.8
vendor:	sonicwall	model:	gms virtual appliance	scope:	-	version:	-	Trust: 0.7

sources: ZDI: ZDI-14-385 // JVNDB: JVNDB-2014-005638 // CNNVD: CNNVD-201411-411 // NVD: CVE-2014-8420

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2014-8420
value:	HIGH
Trust: 1.0
NVD:	CVE-2014-8420
value:	HIGH
Trust: 0.8
ZDI:	CVE-2014-8420
value:	HIGH
Trust: 0.7
CNNVD:	CNNVD-201411-411
value:	CRITICAL
Trust: 0.6
VULHUB:	VHN-76365
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2014-8420
severity:	HIGH
baseScore:	9.0
vectorString:	AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 2.5
VULHUB:	VHN-76365
severity:	HIGH
baseScore:	9.0
vectorString:	AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: ZDI: ZDI-14-385 // VULHUB: VHN-76365 // JVNDB: JVNDB-2014-005638 // CNNVD: CNNVD-201411-411 // NVD: CVE-2014-8420

PROBLEMTYPE DATA

problemtype:

CWE-20

Trust: 1.9

sources: VULHUB: VHN-76365 // JVNDB: JVNDB-2014-005638 // NVD: CVE-2014-8420

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201411-411

TYPE

input validation

Trust: 0.6

sources: CNNVD: CNNVD-201411-411

CONFIGURATIONS

sources: JVNDB: JVNDB-2014-005638

PATCH

title:

SonicWALL Analyzer Product Notification

url:

https://support.software.dell.com/product-notification/136814

Trust: 1.5

sources: ZDI: ZDI-14-385 // JVNDB: JVNDB-2014-005638

EXTERNAL IDS

db:	NVD	id:	CVE-2014-8420	Trust: 3.5
db:	ZDI	id:	ZDI-14-385	Trust: 3.5
db:	BID	id:	71241	Trust: 2.0
db:	JVNDB	id:	JVNDB-2014-005638	Trust: 0.8
db:	ZDI_CAN	id:	ZDI-CAN-2286	Trust: 0.7
db:	CNNVD	id:	CNNVD-201411-411	Trust: 0.7
db:	VULHUB	id:	VHN-76365	Trust: 0.1

sources: ZDI: ZDI-14-385 // VULHUB: VHN-76365 // BID: 71241 // JVNDB: JVNDB-2014-005638 // CNNVD: CNNVD-201411-411 // NVD: CVE-2014-8420

REFERENCES

url:	http://www.zerodayinitiative.com/advisories/zdi-14-385/	Trust: 2.8
url:	https://support.software.dell.com/product-notification/136814	Trust: 2.7
url:	http://www.securityfocus.com/bid/71241	Trust: 1.7
url:	https://exchange.xforce.ibmcloud.com/vulnerabilities/98911	Trust: 1.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-8420	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-8420	Trust: 0.8
url:	http://www.sonicwall.com/us/en/products/gms-series.html	Trust: 0.3

sources: ZDI: ZDI-14-385 // VULHUB: VHN-76365 // BID: 71241 // JVNDB: JVNDB-2014-005638 // CNNVD: CNNVD-201411-411 // NVD: CVE-2014-8420

CREDITS

Brandon Perry

Trust: 1.6

sources: ZDI: ZDI-14-385 // BID: 71241 // CNNVD: CNNVD-201411-411

SOURCES

db:	ZDI	id:	ZDI-14-385
db:	VULHUB	id:	VHN-76365
db:	BID	id:	71241
db:	JVNDB	id:	JVNDB-2014-005638
db:	CNNVD	id:	CNNVD-201411-411
db:	NVD	id:	CVE-2014-8420

LAST UPDATE DATE

2024-11-23T22:59:38.416000+00:00

SOURCES UPDATE DATE

db:	ZDI	id:	ZDI-14-385	date:	2014-11-21T00:00:00
db:	VULHUB	id:	VHN-76365	date:	2018-03-12T00:00:00
db:	BID	id:	71241	date:	2014-11-21T00:00:00
db:	JVNDB	id:	JVNDB-2014-005638	date:	2014-11-27T00:00:00
db:	CNNVD	id:	CNNVD-201411-411	date:	2014-12-01T00:00:00
db:	NVD	id:	CVE-2014-8420	date:	2024-11-21T02:19:03.163

SOURCES RELEASE DATE

db:	ZDI	id:	ZDI-14-385	date:	2014-11-21T00:00:00
db:	VULHUB	id:	VHN-76365	date:	2014-11-25T00:00:00
db:	BID	id:	71241	date:	2014-11-21T00:00:00
db:	JVNDB	id:	JVNDB-2014-005638	date:	2014-11-27T00:00:00
db:	CNNVD	id:	CNNVD-201411-411	date:	2014-11-24T00:00:00
db:	NVD	id:	CVE-2014-8420	date:	2014-11-25T15:59:04.637