Sign-up

ID

VAR-201504-0274


CVE

CVE-2015-0694


TITLE

Cisco ASR 9000 Vulnerability in device software that prevents access to network resources

Trust: 0.8

sources: JVNDB: JVNDB-2015-002213

DESCRIPTION

Cisco ASR 9000 devices with software 5.3.0.BASE do not recognize that certain ACL entries have a single-host constraint, which allows remote attackers to bypass intended network-resource access restrictions by using an address that was not supposed to have been allowed, aka Bug ID CSCur28806. Vendors have confirmed this vulnerability Bug ID CSCur28806 It is released as. Supplementary information : CWE Vulnerability type by CWE-284: Improper Access Control ( Inappropriate access control ) Has been identified. http://cwe.mitre.org/data/definitions/284.htmlBy using an address that was not permitted by a third party, access to network resources may be circumvented. The Cisco ASR 9000 Series is an integrated services router solution from Cisco that uses the IOS XR Software module operating system to provide carrier-class reliability. A security vulnerability exists in the Object-ACL matching process of Cisco Aggregation Services Router 9000 (ASR9K), which is exploited by unauthenticated remote attackers to bypass security restrictions by configuring ACLs. Cisco ASR 9000 Series Routers are prone to a remote security-bypass vulnerability. An attacker can exploit this issue to bypass security restrictions and perform unauthorized actions. This may aid in further attacks. The vulnerability is caused by the program not correctly recognizing certain ACL entries

Trust: 2.52

sources: NVD: CVE-2015-0694 // JVNDB: JVNDB-2015-002213 // CNVD: CNVD-2015-02383 // BID: 74029 // VULHUB: VHN-78640

IOT TAXONOMY

category:['Network device']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2015-02383

AFFECTED PRODUCTS

vendor:ciscomodel:ios xrscope:eqversion:5.3.0_base

Trust: 1.6

vendor:ciscomodel:asr 9001scope:eqversion: -

Trust: 1.0

vendor:ciscomodel:asr 9912scope:eqversion: -

Trust: 1.0

vendor:ciscomodel:asr 9922scope:eqversion: -

Trust: 1.0

vendor:ciscomodel:asr 9006scope:eqversion: -

Trust: 1.0

vendor:ciscomodel:asr 9904scope:eqversion: -

Trust: 1.0

vendor:ciscomodel:asr 9010scope:eqversion: -

Trust: 1.0

vendor:ciscomodel:asr 9001 routerscope: - version: -

Trust: 0.8

vendor:ciscomodel:asr 9006 routerscope: - version: -

Trust: 0.8

vendor:ciscomodel:asr 9010 routerscope: - version: -

Trust: 0.8

vendor:ciscomodel:asr 9904 routerscope: - version: -

Trust: 0.8

vendor:ciscomodel:asr 9912 routerscope: - version: -

Trust: 0.8

vendor:ciscomodel:asr 9922 routerscope: - version: -

Trust: 0.8

vendor:ciscomodel:ios xrscope:eqversion:5.3.0.base

Trust: 0.8

vendor:ciscomodel:asr 5.3.0.basescope:eqversion:9000

Trust: 0.6

vendor:ciscomodel:asr series aggregation services routersscope:eqversion:90005.3

Trust: 0.3

sources: CNVD: CNVD-2015-02383 // BID: 74029 // JVNDB: JVNDB-2015-002213 // CNNVD: CNNVD-201504-189 // NVD: CVE-2015-0694

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2015-0694
value: MEDIUM

Trust: 1.0

NVD: CVE-2015-0694
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2015-02383
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201504-189
value: MEDIUM

Trust: 0.6

VULHUB: VHN-78640
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2015-0694
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2015-02383
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-78640
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: CNVD: CNVD-2015-02383 // VULHUB: VHN-78640 // JVNDB: JVNDB-2015-002213 // CNNVD: CNNVD-201504-189 // NVD: CVE-2015-0694

PROBLEMTYPE DATA

problemtype:CWE-284

Trust: 1.1

problemtype:CWE-Other

Trust: 0.8

sources: VULHUB: VHN-78640 // JVNDB: JVNDB-2015-002213 // NVD: CVE-2015-0694

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201504-189

TYPE

Design Error

Trust: 0.3

sources: BID: 74029

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2015-002213

PATCH
title:38292url:http://tools.cisco.com/security/center/viewAlert.x?alertId=38292
Trust: 0.8
title:Cisco ASR ASR9K Security Bypass Vulnerability Patchurl:https://www.cnvd.org.cn/patchInfo/show/57246
Trust: 0.6
sources:
            
            
            CNVD: CNVD-2015-02383 // 
            
            
            
            JVNDB: JVNDB-2015-002213

EXTERNAL IDS
db:NVDid:CVE-2015-0694
Trust: 3.4
db:SECTRACKid:1032059
Trust: 1.1
db:BIDid:74029
Trust: 1.0
db:JVNDBid:JVNDB-2015-002213
Trust: 0.8
db:CNNVDid:CNNVD-201504-189
Trust: 0.7
db:CNVDid:CNVD-2015-02383
Trust: 0.6
db:VULHUBid:VHN-78640
Trust: 0.1
sources:
            
            
            CNVD: CNVD-2015-02383 // 
            
            
            
            VULHUB: VHN-78640 // 
            
            
            
            BID: 74029 // 
            
            
            
            JVNDB: JVNDB-2015-002213 // 
            
            
            
            CNNVD: CNNVD-201504-189 // 
            
            
            
            NVD: CVE-2015-0694

REFERENCES
url:http://tools.cisco.com/security/center/viewalert.x?alertid=38292
Trust: 2.6
url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-0694
Trust: 1.4
url:http://www.securitytracker.com/id/1032059
Trust: 1.1
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-0694
Trust: 0.8
url:http://www.cisco.com/
Trust: 0.3
sources:
            
            
            CNVD: CNVD-2015-02383 // 
            
            
            
            VULHUB: VHN-78640 // 
            
            
            
            BID: 74029 // 
            
            
            
            JVNDB: JVNDB-2015-002213 // 
            
            
            
            CNNVD: CNNVD-201504-189 // 
            
            
            
            NVD: CVE-2015-0694

CREDITS
Cisco
Trust: 0.3
sources:
            
            
            BID: 74029

SOURCES
db:CNVDid:CNVD-2015-02383
db:VULHUBid:VHN-78640
db:BIDid:74029
db:JVNDBid:JVNDB-2015-002213
db:CNNVDid:CNNVD-201504-189
db:NVDid:CVE-2015-0694

LAST UPDATE DATE
2024-11-23T22:34:58.419000+00:00

SOURCES UPDATE DATE
db:CNVDid:CNVD-2015-02383date:2015-04-14T00:00:00
db:VULHUBid:VHN-78640date:2015-09-29T00:00:00
db:BIDid:74029date:2015-04-10T00:00:00
db:JVNDBid:JVNDB-2015-002213date:2015-04-15T00:00:00
db:CNNVDid:CNNVD-201504-189date:2015-04-14T00:00:00
db:NVDid:CVE-2015-0694date:2024-11-21T02:23:33.090

SOURCES RELEASE DATE
db:CNVDid:CNVD-2015-02383date:2015-04-14T00:00:00
db:VULHUBid:VHN-78640date:2015-04-11T00:00:00
db:BIDid:74029date:2015-04-10T00:00:00
db:JVNDBid:JVNDB-2015-002213date:2015-04-15T00:00:00
db:CNNVDid:CNNVD-201504-189date:2015-04-14T00:00:00
db:NVDid:CVE-2015-0694date:2015-04-11T01:59:03.803