ID

VAR-200803-0288


CVE

CVE-2008-1114


TITLE

Vocera Communications Wireless Handset Hashed password stealing vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2008-006645

DESCRIPTION

Vocera Communications wireless handsets, when using Protected Extensible Authentication Protocol (PEAP), do not validate server certificates, which allows remote wireless access points to steal hashed passwords and conduct man-in-the-middle (MITM) attacks.

Multiple VoIP products are prone to a security-bypass vulnerability in their PEAP implementation because their software fails to properly validate server certificates. Successfully exploiting this issue allows attackers to perform man-in-the-middle attacks by impersonating trusted authentication servers. This will aid in further attacks.

The following products are prone to this issue:

- Vocera Communications System badges
- Cisco Wireless IP Phone 7921

Other devices and packages may also be affected.

Trust: 1.98

sources: NVD: CVE-2008-1114 // JVNDB: JVNDB-2008-006645 // BID: 27935 // VULHUB: VHN-31239

AFFECTED PRODUCTS

vendor: vocera, model: wireless handset, scope: eq, version: -

Trust: 1.6

vendor: vocera, model: wireless handset, scope: -, version: -

Trust: 0.8

vendor: vocera, model: communications vocera communications badge, scope: eq, version: 0

Trust: 0.3

vendor: cisco, model: wireless ip phone, scope: eq, version: 79210

Trust: 0.3

sources: BID: 27935 // JVNDB: JVNDB-2008-006645 // CNNVD: CNNVD-200803-007 // NVD: CVE-2008-1114

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2008-1114
value: MEDIUM

Trust: 1.0

NVD: CVE-2008-1114
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-200803-007
value: MEDIUM

Trust: 0.6

VULHUB: VHN-31239
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2008-1114
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-31239
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-31239 // JVNDB: JVNDB-2008-006645 // CNNVD: CNNVD-200803-007 // NVD: CVE-2008-1114

PROBLEMTYPE DATA

problemtype: CWE-20

Trust: 1.9

sources: VULHUB: VHN-31239 // JVNDB: JVNDB-2008-006645 // NVD: CVE-2008-1114

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-200803-007

TYPE

input validation

Trust: 0.6

sources: CNNVD: CNNVD-200803-007

CONFIGURATIONS

sources: JVNDB: JVNDB-2008-006645

PATCH

title: Top Page, url: http://www.vocera.com/index.php

Trust: 0.8

sources: JVNDB: JVNDB-2008-006645

EXTERNAL IDS

db: NVD, id: CVE-2008-1114

Trust: 2.8

db: BID, id: 27935

Trust: 2.0

db: JVNDB, id: JVNDB-2008-006645

Trust: 0.8

db: CNNVD, id: CNNVD-200803-007

Trust: 0.7

db: FULLDISC, id: 20080221 CISCO AND VOCERA WIRELESS LAN VOIP DEVICES DON'T CHECK CERTIFICATES

Trust: 0.6

db: VULHUB, id: VHN-31239

Trust: 0.1

sources: VULHUB: VHN-31239 // BID: 27935 // JVNDB: JVNDB-2008-006645 // CNNVD: CNNVD-200803-007 // NVD: CVE-2008-1114

REFERENCES

url: http://blogs.zdnet.com/security/?p=896

Trust: 2.0

url: http://blogs.zdnet.com/security/?p=901

Trust: 2.0

url: http://www.securityfocus.com/bid/27935

Trust: 1.7

url: http://www.vocera.com/downloads/infrastructureguide.pdf

Trust: 1.7

url: http://seclists.org/fulldisclosure/2008/feb/0402.html

Trust: 1.7

url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2008-1114

Trust: 0.8

url: http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2008-1114

Trust: 0.8

url: http://www.zdnet.com/blog/security/design-flaw-in-wireless-voip-handsets-endanger-the-enterprise/896

Trust: 0.8

url: http://lists.grok.org.uk/pipermail/full-disclosure/2008-february/060406.html

Trust: 0.3

url: http://lists.grok.org.uk/pipermail/full-disclosure/2008-february/060453.html

Trust: 0.3

url: http://vocera.com/

Trust: 0.3

sources: VULHUB: VHN-31239 // BID: 27935 // JVNDB: JVNDB-2008-006645 // CNNVD: CNNVD-200803-007 // NVD: CVE-2008-1114

CREDITS

George Ou disclosed this issue.

Trust: 0.9

sources: BID: 27935 // CNNVD: CNNVD-200803-007

SOURCES

db: VULHUB, id: VHN-31239
db: BID, id: 27935
db: JVNDB, id: JVNDB-2008-006645
db: CNNVD, id: CNNVD-200803-007
db: NVD, id: CVE-2008-1114

LAST UPDATE DATE

2025-04-10T23:22:24.163000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-31239, date: 2013-01-03T00:00:00
db: BID, id: 27935, date: 2016-07-06T14:17:00
db: JVNDB, id: JVNDB-2008-006645, date: 2013-06-21T00:00:00
db: CNNVD, id: CNNVD-200803-007, date: 2008-03-04T00:00:00
db: NVD, id: CVE-2008-1114, date: 2025-04-09T00:30:58.490

SOURCES RELEASE DATE

db: VULHUB, id: VHN-31239, date: 2008-03-03T00:00:00
db: BID, id: 27935, date: 2008-02-21T00:00:00
db: JVNDB, id: JVNDB-2008-006645, date: 2013-06-21T00:00:00
db: CNNVD, id: CNNVD-200803-007, date: 2008-03-03T00:00:00
db: NVD, id: CVE-2008-1114, date: 2008-03-03T18:44:00