Details of VAR-201401-0098

ID

VAR-201401-0098

CVE

CVE-2013-3606

TITLE

Dell PowerConnect 3348, 3524p, and 5324 switches are vulnerable to denial-of-service attacks

Trust: 0.8

sources: CERT/CC: VU#122582

DESCRIPTION

The login page in the GoAhead web server on Dell PowerConnect 3348 1.2.1.3, 3524p 2.0.0.48, and 5324 2.0.1.4 switches allows remote attackers to cause a denial of service (device outage) via a long username. Dell PowerConnect 3348 version 1.2.1.3, PowerConnect 3524p version 2.0.0.48, PowerConnect 5324 version 2.0.1.4, and possibly earlier versions contain a denial-of-service (CWE-20) vulnerability.Dell OpenManage web application version 2.5 Build No. 1.19 and possibly earlier versions contain a denial-of-service (CWE-20) vulnerability.Dell GoAhead web server login page also contains a denial-of-service (CWE-20) vulnerability. Dell PowerConnect is a switch product developed by Dell. GoAhead WebServer is an open source embedded web server program that supports Active Server Pages, embedded Javascript, SSL authentication and encryption. A denial of service vulnerability exists in Dell's GoAhead Web Server. The WEB server crashes because the program submits a specially crafted HTTP POST request with a username greater than 16 characters. Successful exploits will cause the switch to become unresponsive until the device is reset, resulting in a denial-of-service condition. The following series of switches and versions are affected: Dell PowerConnect 3348 1.2.1.3, 3524p 2.0.0.48, 5324 2.0.1.4

Trust: 3.24

sources: NVD: CVE-2013-3606 // CERT/CC: VU#122582 // JVNDB: JVNDB-2014-001216 // CNVD: CNVD-2014-00468 // BID: 65075 // VULHUB: VHN-63608

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2014-00468

AFFECTED PRODUCTS

vendor:	dell	model:	powerconnect 3524p	scope:	eq	version:	2.0.0.48	Trust: 2.2
vendor:	dell	model:	powerconnect 5324	scope:	eq	version:	2.0.1.4	Trust: 1.6
vendor:	dell	model:	powerconnect 3348	scope:	eq	version:	1.2.1.3	Trust: 1.6
vendor:	dell	model:	goahead web server	scope:	-	version:	-	Trust: 1.4
vendor:	dell computer	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	dell	model:	powerconnect 3348	scope:	lte	version:	firmware 1.2.1.3	Trust: 0.8
vendor:	dell	model:	powerconnect 3524p	scope:	lte	version:	firmware 2.0.0.48	Trust: 0.8
vendor:	dell	model:	powerconnect 5324	scope:	lte	version:	firmware 2.0.1.4	Trust: 0.8
vendor:	dell	model:	powerconnect	scope:	eq	version:	33481.2.1.3	Trust: 0.6
vendor:	dell	model:	powerconnect	scope:	eq	version:	53242.0.1.4	Trust: 0.6

sources: CERT/CC: VU#122582 // CNVD: CNVD-2014-00468 // JVNDB: JVNDB-2014-001216 // CNNVD: CNNVD-201401-383 // NVD: CVE-2013-3606

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2013-3606
value:	HIGH
Trust: 1.0
NVD:	CVE-2013-3606
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2014-00468
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-201401-383
value:	HIGH
Trust: 0.6
VULHUB:	VHN-63608
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2013-3606
severity:	HIGH
baseScore:	7.8
vectorString:	AV:N/AC:L/AU:N/C:N/I:N/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	6.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2014-00468
severity:	HIGH
baseScore:	7.1
vectorString:	AV:N/AC:M/AU:N/C:N/I:N/A:C
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.6
impactScore:	6.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
VULHUB:	VHN-63608
severity:	HIGH
baseScore:	7.8
vectorString:	AV:N/AC:L/AU:N/C:N/I:N/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	6.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: CNVD: CNVD-2014-00468 // VULHUB: VHN-63608 // JVNDB: JVNDB-2014-001216 // CNNVD: CNNVD-201401-383 // NVD: CVE-2013-3606

PROBLEMTYPE DATA

problemtype:

CWE-20

Trust: 2.7

sources: CERT/CC: VU#122582 // VULHUB: VHN-63608 // JVNDB: JVNDB-2014-001216 // NVD: CVE-2013-3606

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201401-383

TYPE

input validation

Trust: 0.6

sources: CNNVD: CNNVD-201401-383

CONFIGURATIONS

sources: JVNDB: JVNDB-2014-001216

PATCH

title:	PowerConnect 3524P	url:	http://www.dell.com/support/drivers/us/en/04/Product/powerconnect-3524p	Trust: 0.8
title:	PowerConnect 5324	url:	http://www.dell.com/support/drivers/us/en/04/Product/powerconnect-5324	Trust: 0.8
title:	PowerConnect 3348	url:	http://www.dell.com/support/drivers/us/en/04/Product/powerconnect-3348	Trust: 0.8

sources: JVNDB: JVNDB-2014-001216

EXTERNAL IDS

db:	CERT/CC	id:	VU#122582	Trust: 3.9
db:	NVD	id:	CVE-2013-3606	Trust: 3.4
db:	JVN	id:	JVNVU95569358	Trust: 0.8
db:	JVNDB	id:	JVNDB-2014-001216	Trust: 0.8
db:	CNNVD	id:	CNNVD-201401-383	Trust: 0.7
db:	CNVD	id:	CNVD-2014-00468	Trust: 0.6
db:	BID	id:	65075	Trust: 0.4
db:	VULHUB	id:	VHN-63608	Trust: 0.1

sources: CERT/CC: VU#122582 // CNVD: CNVD-2014-00468 // VULHUB: VHN-63608 // BID: 65075 // JVNDB: JVNDB-2014-001216 // CNNVD: CNNVD-201401-383 // NVD: CVE-2013-3606

REFERENCES

url:	http://www.kb.cert.org/vuls/id/122582	Trust: 3.1
url:	https://exchange.xforce.ibmcloud.com/vulnerabilities/90598	Trust: 1.1
url:	http://cwe.mitre.org/data/definitions/20.html	Trust: 0.8
url:	http://www.dell.com/support/drivers/us/en/04/product/powerconnect-3348	Trust: 0.8
url:	http://www.dell.com/support/drivers/us/en/04/product/powerconnect-3524p	Trust: 0.8
url:	http://www.dell.com/support/drivers/us/en/04/product/powerconnect-5324	Trust: 0.8
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2013-3606	Trust: 0.8
url:	http://jvn.jp/vu/jvnvu95569358	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2013-3606	Trust: 0.8
url:	http://dell.com	Trust: 0.3

sources: CERT/CC: VU#122582 // CNVD: CNVD-2014-00468 // VULHUB: VHN-63608 // BID: 65075 // JVNDB: JVNDB-2014-001216 // CNNVD: CNNVD-201401-383 // NVD: CVE-2013-3606

CREDITS

Rijnard van Tonder

Trust: 0.3

sources: BID: 65075

SOURCES

db:	CERT/CC	id:	VU#122582
db:	CNVD	id:	CNVD-2014-00468
db:	VULHUB	id:	VHN-63608
db:	BID	id:	65075
db:	JVNDB	id:	JVNDB-2014-001216
db:	CNNVD	id:	CNNVD-201401-383
db:	NVD	id:	CVE-2013-3606

LAST UPDATE DATE

2025-04-11T22:48:24.556000+00:00

SOURCES UPDATE DATE

db:	CERT/CC	id:	VU#122582	date:	2014-01-17T00:00:00
db:	CNVD	id:	CNVD-2014-00468	date:	2014-01-21T00:00:00
db:	VULHUB	id:	VHN-63608	date:	2017-08-29T00:00:00
db:	BID	id:	65075	date:	2014-01-17T00:00:00
db:	JVNDB	id:	JVNDB-2014-001216	date:	2014-01-22T00:00:00
db:	CNNVD	id:	CNNVD-201401-383	date:	2014-01-26T00:00:00
db:	NVD	id:	CVE-2013-3606	date:	2025-04-11T00:51:21.963

SOURCES RELEASE DATE

db:	CERT/CC	id:	VU#122582	date:	2014-01-17T00:00:00
db:	CNVD	id:	CNVD-2014-00468	date:	2014-01-21T00:00:00
db:	VULHUB	id:	VHN-63608	date:	2014-01-20T00:00:00
db:	BID	id:	65075	date:	2014-01-17T00:00:00
db:	JVNDB	id:	JVNDB-2014-001216	date:	2014-01-22T00:00:00
db:	CNNVD	id:	CNNVD-201401-383	date:	2014-01-26T00:00:00
db:	NVD	id:	CVE-2013-3606	date:	2014-01-20T04:58:49.697