Details of VAR-201501-0290

ID

VAR-201501-0290

CVE

CVE-2014-3314

TITLE

Android and OS X Run on Cisco AnyConnect Vulnerabilities in which authentication forms are spoofed

Trust: 0.8

sources: JVNDB: JVNDB-2014-007677

DESCRIPTION

Cisco AnyConnect on Android and OS X does not properly verify the host type, which allows remote attackers to spoof authentication forms and possibly capture credentials via unspecified vectors, aka Bug IDs CSCuo24931 and CSCuo24940. Vendors have confirmed this vulnerability Bug ID CSCuo24931 and CSCuo24940 It is released as.A third party may spoof the authentication form and capture the authentication information. Cisco AnyConnect Secure Mobility Client is prone to a security vulnerability. An attacker may exploit this issue to bypass certain security restrictions and perform unauthorized actions. This issue is being tracked by Cisco Bug IDs CSCuo24931 and, CSCuo24940. Cisco AnyConnect on Android and OS X is a set of VPN applications based on the Android and OS X platforms of Cisco, which provides encrypted network connection functions. A security vulnerability exists in Cisco AnyConnect based on Android and OS X platforms. The vulnerability is caused by the program not validating the host type correctly

Trust: 1.98

sources: NVD: CVE-2014-3314 // JVNDB: JVNDB-2014-007677 // BID: 72059 // VULHUB: VHN-71254

AFFECTED PRODUCTS

vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	*	Trust: 1.0
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	3.0 (android and os x)	Trust: 0.8
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	3.1 (android and os x)	Trust: 0.8
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	mac_os_x	Trust: 0.6
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	android	Trust: 0.6
vendor:	cisco	model:	anyconnect secure mobility client	scope:	eq	version:	0	Trust: 0.3

sources: BID: 72059 // JVNDB: JVNDB-2014-007677 // CNNVD: CNNVD-201501-302 // NVD: CVE-2014-3314

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2014-3314
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2014-3314
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-201501-302
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-71254
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2014-3314
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-71254
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: VULHUB: VHN-71254 // JVNDB: JVNDB-2014-007677 // CNNVD: CNNVD-201501-302 // NVD: CVE-2014-3314

PROBLEMTYPE DATA

problemtype:

CWE-20

Trust: 1.9

sources: VULHUB: VHN-71254 // JVNDB: JVNDB-2014-007677 // NVD: CVE-2014-3314

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201501-302

TYPE

Input Validation Error

Trust: 0.9

sources: BID: 72059 // CNNVD: CNNVD-201501-302

CONFIGURATIONS

sources: JVNDB: JVNDB-2014-007677

PATCH

title:	Cisco AnyConnect User Interface Dialog Rendered When Connecting to Arbitrary Hosts Vulnerability	url:	http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-3314	Trust: 0.8
title:	37004	url:	http://tools.cisco.com/security/center/viewAlert.x?alertId=37004	Trust: 0.8
title:	Cisco AnyConnect Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=118317	Trust: 0.6

sources: JVNDB: JVNDB-2014-007677 // CNNVD: CNNVD-201501-302

EXTERNAL IDS

db:	NVD	id:	CVE-2014-3314	Trust: 2.8
db:	JVNDB	id:	JVNDB-2014-007677	Trust: 0.8
db:	CNNVD	id:	CNNVD-201501-302	Trust: 0.7
db:	BID	id:	72059	Trust: 0.4
db:	VULHUB	id:	VHN-71254	Trust: 0.1

sources: VULHUB: VHN-71254 // BID: 72059 // JVNDB: JVNDB-2014-007677 // CNNVD: CNNVD-201501-302 // NVD: CVE-2014-3314

REFERENCES

url:	http://tools.cisco.com/security/center/content/ciscosecuritynotice/cve-2014-3314	Trust: 2.0
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-3314	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-3314	Trust: 0.8
url:	http://www.cisco.com/c/en/us/products/security/anyconnect-secure-mobility-client/index.html	Trust: 0.3
url:	http://www.cisco.com/	Trust: 0.3

sources: VULHUB: VHN-71254 // BID: 72059 // JVNDB: JVNDB-2014-007677 // CNNVD: CNNVD-201501-302 // NVD: CVE-2014-3314

CREDITS

Cisco

Trust: 0.3

sources: BID: 72059

SOURCES

db:	VULHUB	id:	VHN-71254
db:	BID	id:	72059
db:	JVNDB	id:	JVNDB-2014-007677
db:	CNNVD	id:	CNNVD-201501-302
db:	NVD	id:	CVE-2014-3314

LAST UPDATE DATE

2024-11-23T23:02:42.245000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-71254	date:	2020-05-11T00:00:00
db:	BID	id:	72059	date:	2015-01-13T00:00:00
db:	JVNDB	id:	JVNDB-2014-007677	date:	2015-01-19T00:00:00
db:	CNNVD	id:	CNNVD-201501-302	date:	2020-05-12T00:00:00
db:	NVD	id:	CVE-2014-3314	date:	2024-11-21T02:07:50.927

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-71254	date:	2015-01-14T00:00:00
db:	BID	id:	72059	date:	2015-01-13T00:00:00
db:	JVNDB	id:	JVNDB-2014-007677	date:	2015-01-19T00:00:00
db:	CNNVD	id:	CNNVD-201501-302	date:	2015-01-15T00:00:00
db:	NVD	id:	CVE-2014-3314	date:	2015-01-14T19:59:00.053