Details of VAR-201504-0294

ID

VAR-201504-0294

CVE

CVE-2015-0675

TITLE

Cisco Adaptive Security Appliance Software of failover ipsec Vulnerabilities that gain management control in the implementation of

Trust: 0.8

sources: JVNDB: JVNDB-2015-002199

DESCRIPTION

The failover ipsec implementation in Cisco Adaptive Security Appliance (ASA) Software 9.1 before 9.1(6), 9.2 before 9.2(3.3), and 9.3 before 9.3(3) does not properly validate failover communication messages, which allows remote attackers to reconfigure an ASA device, and consequently obtain administrative control, by sending crafted UDP packets over the local network to the failover interface, aka Bug ID CSCur21069. Vendors have confirmed this vulnerability Bug ID CSCur21069 It is released as. Supplementary information : CWE Vulnerability type by CWE-284: Improper Access Control ( Inappropriate access control ) Has been identified. Cisco Adaptive Security Appliance is prone to a command-injection vulnerability. Successfully exploiting this issue may allow an attacker to execute arbitrary commands in context of the affected application. The following releases are affected: Cisco ASA Software 9.1 prior to 9.1(6), 9.2 prior to 9.2(3.3), and 9.3 prior to 9.3(3)

Trust: 1.98

sources: NVD: CVE-2015-0675 // JVNDB: JVNDB-2015-002199 // BID: 73969 // VULHUB: VHN-78621

AFFECTED PRODUCTS

vendor:	cisco	model:	adaptive security appliance software	scope:	eq	version:	9.3.2	Trust: 1.9
vendor:	cisco	model:	adaptive security appliance software	scope:	eq	version:	9.2.3	Trust: 1.9
vendor:	cisco	model:	adaptive security appliance software	scope:	eq	version:	9.2.2	Trust: 1.9
vendor:	cisco	model:	adaptive security appliance software	scope:	eq	version:	9.2.2.8	Trust: 1.9
vendor:	cisco	model:	adaptive security appliance software	scope:	eq	version:	9.2.2.7	Trust: 1.6
vendor:	cisco	model:	adaptive security appliance software	scope:	eq	version:	9.1.5.15	Trust: 1.6
vendor:	cisco	model:	adaptive security appliance software	scope:	eq	version:	9.1.5.21	Trust: 1.6
vendor:	cisco	model:	adaptive security appliance software	scope:	eq	version:	9.3.1.1	Trust: 1.6
vendor:	cisco	model:	adaptive security appliance software	scope:	eq	version:	9.3.2.2	Trust: 1.6
vendor:	cisco	model:	adaptive security appliance software	scope:	eq	version:	9.2.2.4	Trust: 1.6
vendor:	cisco	model:	adaptive security appliance software	scope:	eq	version:	9.3.1	Trust: 1.3
vendor:	cisco	model:	adaptive security appliance software	scope:	eq	version:	9.2.1	Trust: 1.3
vendor:	cisco	model:	adaptive security appliance software	scope:	eq	version:	9.1.5	Trust: 1.3
vendor:	cisco	model:	adaptive security appliance software	scope:	eq	version:	9.1.4	Trust: 1.3
vendor:	cisco	model:	adaptive security appliance software	scope:	eq	version:	9.1.3.2	Trust: 1.3
vendor:	cisco	model:	adaptive security appliance software	scope:	eq	version:	9.1.3	Trust: 1.3
vendor:	cisco	model:	adaptive security appliance software	scope:	eq	version:	9.1.2.8	Trust: 1.3
vendor:	cisco	model:	adaptive security appliance software	scope:	eq	version:	9.1.2	Trust: 1.3
vendor:	cisco	model:	adaptive security appliance software	scope:	eq	version:	9.1.1.4	Trust: 1.3
vendor:	cisco	model:	adaptive security appliance software	scope:	eq	version:	9.1.1	Trust: 1.3
vendor:	cisco	model:	adaptive security appliance software	scope:	eq	version:	9.1.4.5	Trust: 1.0
vendor:	cisco	model:	adaptive security appliance software	scope:	eq	version:	9.1.5.10	Trust: 1.0
vendor:	cisco	model:	adaptive security appliance software	scope:	eq	version:	9.1.5.12	Trust: 1.0
vendor:	cisco	model:	adaptive security appliance software	scope:	eq	version:	9.1(6)	Trust: 0.8
vendor:	cisco	model:	adaptive security appliance software	scope:	eq	version:	9.2(3.3)	Trust: 0.8
vendor:	cisco	model:	adaptive security appliance software	scope:	lt	version:	9.1	Trust: 0.8
vendor:	cisco	model:	adaptive security appliance software	scope:	lt	version:	9.3	Trust: 0.8
vendor:	cisco	model:	adaptive security appliance software	scope:	eq	version:	9.3(3)	Trust: 0.8
vendor:	cisco	model:	adaptive security appliance software	scope:	lt	version:	9.2	Trust: 0.8
vendor:	cisco	model:	adaptive security appliance software	scope:	eq	version:	9.3.11	Trust: 0.3
vendor:	cisco	model:	adaptive security appliance software	scope:	eq	version:	9.2.27	Trust: 0.3
vendor:	cisco	model:	adaptive security appliance software	scope:	eq	version:	9.2.24	Trust: 0.3
vendor:	cisco	model:	adaptive security appliance software	scope:	eq	version:	9.1.515	Trust: 0.3
vendor:	cisco	model:	adaptive security appliance software	scope:	eq	version:	9.1.512	Trust: 0.3
vendor:	cisco	model:	adaptive security appliance software	scope:	eq	version:	9.1.510	Trust: 0.3
vendor:	cisco	model:	adaptive security appliance software	scope:	eq	version:	9.1.34	Trust: 0.3
vendor:	cisco	model:	adaptive security appliance software	scope:	eq	version:	9.1	Trust: 0.3
vendor:	cisco	model:	adaptive security appliance	scope:	eq	version:	9.3.2.2	Trust: 0.3
vendor:	cisco	model:	adaptive security appliance	scope:	eq	version:	9.1.5.21	Trust: 0.3
vendor:	cisco	model:	adaptive security appliance software	scope:	ne	version:	9.3(3)	Trust: 0.3
vendor:	cisco	model:	adaptive security appliance software	scope:	ne	version:	9.1(6)	Trust: 0.3
vendor:	cisco	model:	adaptive security appliance	scope:	ne	version:	9.2(3.3)	Trust: 0.3

sources: BID: 73969 // JVNDB: JVNDB-2015-002199 // CNNVD: CNNVD-201504-190 // NVD: CVE-2015-0675

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2015-0675
value:	HIGH
Trust: 1.0
NVD:	CVE-2015-0675
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-201504-190
value:	HIGH
Trust: 0.6
VULHUB:	VHN-78621
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2015-0675
severity:	HIGH
baseScore:	8.3
vectorString:	AV:A/AC:L/AU:N/C:C/I:C/A:C
accessVector:	ADJACENT_NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	6.5
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-78621
severity:	HIGH
baseScore:	8.3
vectorString:	AV:A/AC:L/AU:N/C:C/I:C/A:C
accessVector:	ADJACENT_NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	6.5
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: VULHUB: VHN-78621 // JVNDB: JVNDB-2015-002199 // CNNVD: CNNVD-201504-190 // NVD: CVE-2015-0675

PROBLEMTYPE DATA

problemtype:	CWE-284	Trust: 1.1
problemtype:	CWE-Other	Trust: 0.8

sources: VULHUB: VHN-78621 // JVNDB: JVNDB-2015-002199 // NVD: CVE-2015-0675

THREAT TYPE

specific network environment

Trust: 0.6

sources: CNNVD: CNNVD-201504-190

TYPE

access control error

Trust: 0.6

sources: CNNVD: CNNVD-201504-190

CONFIGURATIONS

sources: JVNDB: JVNDB-2015-002199

PATCH

title:	cisco-sa-20150408-asa	url:	http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150408-asa	Trust: 0.8
title:	38183	url:	http://tools.cisco.com/security/center/viewAlert.x?alertId=38183	Trust: 0.8
title:	cisco-sa-20150408-asa	url:	http://www.cisco.com/cisco/web/support/JP/112/1128/1128963_cisco-sa-20150408-asa-j.html	Trust: 0.8
title:	Cisco Adaptive Security Appliances failover ipsec Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=194140	Trust: 0.6

sources: JVNDB: JVNDB-2015-002199 // CNNVD: CNNVD-201504-190

EXTERNAL IDS

db:	NVD	id:	CVE-2015-0675	Trust: 2.8
db:	SECTRACK	id:	1032045	Trust: 1.7
db:	JVNDB	id:	JVNDB-2015-002199	Trust: 0.8
db:	CNNVD	id:	CNNVD-201504-190	Trust: 0.7
db:	BID	id:	73969	Trust: 0.4
db:	VULHUB	id:	VHN-78621	Trust: 0.1

sources: VULHUB: VHN-78621 // BID: 73969 // JVNDB: JVNDB-2015-002199 // CNNVD: CNNVD-201504-190 // NVD: CVE-2015-0675

REFERENCES

url:	http://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20150408-asa	Trust: 2.0
url:	http://www.securitytracker.com/id/1032045	Trust: 1.7
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-0675	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-0675	Trust: 0.8
url:	http://www.cisco.com/	Trust: 0.3

sources: VULHUB: VHN-78621 // BID: 73969 // JVNDB: JVNDB-2015-002199 // CNNVD: CNNVD-201504-190 // NVD: CVE-2015-0675

CREDITS

Alec Stuart-Muirk

Trust: 0.3

sources: BID: 73969

SOURCES

db:	VULHUB	id:	VHN-78621
db:	BID	id:	73969
db:	JVNDB	id:	JVNDB-2015-002199
db:	CNNVD	id:	CNNVD-201504-190
db:	NVD	id:	CVE-2015-0675

LAST UPDATE DATE

2024-11-23T22:08:08.087000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-78621	date:	2015-10-01T00:00:00
db:	BID	id:	73969	date:	2015-04-08T00:00:00
db:	JVNDB	id:	JVNDB-2015-002199	date:	2015-04-30T00:00:00
db:	CNNVD	id:	CNNVD-201504-190	date:	2022-05-30T00:00:00
db:	NVD	id:	CVE-2015-0675	date:	2024-11-21T02:23:30.980

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-78621	date:	2015-04-13T00:00:00
db:	BID	id:	73969	date:	2015-04-08T00:00:00
db:	JVNDB	id:	JVNDB-2015-002199	date:	2015-04-14T00:00:00
db:	CNNVD	id:	CNNVD-201504-190	date:	2015-04-14T00:00:00
db:	NVD	id:	CVE-2015-0675	date:	2015-04-13T01:59:00.063