Details of VAR-201401-0355

ID

VAR-201401-0355

CVE

CVE-2014-0649

TITLE

Cisco Secure Access Control System of RMI In the interface superadmin Vulnerabilities that gain access to

Trust: 0.8

sources: JVNDB: JVNDB-2014-001190

DESCRIPTION

The RMI interface in Cisco Secure Access Control System (ACS) 5.x before 5.5 does not properly enforce authorization requirements, which allows remote authenticated users to obtain superadmin access via a request to this interface, aka Bug ID CSCud75180. Cisco Secure ACS is a central management platform for Cisco network devices that controls device authentication and authorization. A remote attacker can exploit this issue to gain access to affected devices with root-level privileges. This issue is tracked by Cisco Bug ID CSCud75180. The system can respectively control network access and network device access through RADIUS and TACACS protocols. The vulnerability is caused by the program not performing authentication operations correctly

Trust: 2.52

sources: NVD: CVE-2014-0649 // JVNDB: JVNDB-2014-001190 // CNVD: CNVD-2014-00416 // BID: 64958 // VULHUB: VHN-68142

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2014-00416

AFFECTED PRODUCTS

vendor:	cisco	model:	secure access control system	scope:	eq	version:	5.1.0.44.1	Trust: 1.6
vendor:	cisco	model:	secure access control system	scope:	eq	version:	5.1.0.44.5	Trust: 1.6
vendor:	cisco	model:	secure access control system	scope:	eq	version:	5.1.0.44.3	Trust: 1.6
vendor:	cisco	model:	secure access control system	scope:	eq	version:	5.2.0.26.1	Trust: 1.6
vendor:	cisco	model:	secure access control system	scope:	eq	version:	5.2.0.26.2	Trust: 1.6
vendor:	cisco	model:	secure access control system	scope:	eq	version:	5.1.0.44.2	Trust: 1.6
vendor:	cisco	model:	secure access control system	scope:	eq	version:	5.2.0.26	Trust: 1.6
vendor:	cisco	model:	secure access control system	scope:	eq	version:	5.2	Trust: 1.6
vendor:	cisco	model:	secure access control system	scope:	eq	version:	5.1.0.44.4	Trust: 1.6
vendor:	cisco	model:	secure access control system	scope:	eq	version:	5.1.0.44	Trust: 1.6
vendor:	cisco	model:	secure access control system	scope:	eq	version:	5.4.0.46.3	Trust: 1.0
vendor:	cisco	model:	secure access control system	scope:	eq	version:	5.3.0.40.9	Trust: 1.0
vendor:	cisco	model:	secure access control system	scope:	eq	version:	5.3.0.40.5	Trust: 1.0
vendor:	cisco	model:	secure access control system	scope:	eq	version:	5.4.0.46.4	Trust: 1.0
vendor:	cisco	model:	secure access control system	scope:	eq	version:	5.3.0.40.1	Trust: 1.0
vendor:	cisco	model:	secure access control system	scope:	eq	version:	5.3.0.40.8	Trust: 1.0
vendor:	cisco	model:	secure access control system	scope:	eq	version:	5.3.0.40.2	Trust: 1.0
vendor:	cisco	model:	secure access control system	scope:	eq	version:	5.3.0.40.3	Trust: 1.0
vendor:	cisco	model:	secure access control system	scope:	eq	version:	5.3.0.40.6	Trust: 1.0
vendor:	cisco	model:	secure access control system	scope:	eq	version:	5.4.0.46.1	Trust: 1.0
vendor:	cisco	model:	secure access control system	scope:	eq	version:	5.3.0.40.4	Trust: 1.0
vendor:	cisco	model:	secure access control system	scope:	eq	version:	5.4.0.46.2	Trust: 1.0
vendor:	cisco	model:	secure access control system	scope:	eq	version:	5.3.0.40.7	Trust: 1.0
vendor:	cisco	model:	secure access control system	scope:	eq	version:	5.1	Trust: 1.0
vendor:	cisco	model:	secure access control system	scope:	eq	version:	5.4.0.46.5	Trust: 1.0
vendor:	cisco	model:	secure access control system	scope:	lte	version:	5.4.0.46.6	Trust: 1.0
vendor:	cisco	model:	secure access control system software	scope:	eq	version:	5.5	Trust: 0.8
vendor:	cisco	model:	secure access control system software	scope:	lt	version:	5.x	Trust: 0.8
vendor:	cisco	model:	secure access control system	scope:	eq	version:	5.0-5.4	Trust: 0.6

sources: CNVD: CNVD-2014-00416 // JVNDB: JVNDB-2014-001190 // CNNVD: CNNVD-201401-349 // NVD: CVE-2014-0649

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2014-0649
value:	HIGH
Trust: 1.0
NVD:	CVE-2014-0649
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2014-00416
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-201401-349
value:	CRITICAL
Trust: 0.6
VULHUB:	VHN-68142
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2014-0649
severity:	HIGH
baseScore:	9.0
vectorString:	AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2014-00416
severity:	HIGH
baseScore:	8.5
vectorString:	AV:N/AC:M/AU:S/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	6.8
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
VULHUB:	VHN-68142
severity:	HIGH
baseScore:	9.0
vectorString:	AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: CNVD: CNVD-2014-00416 // VULHUB: VHN-68142 // JVNDB: JVNDB-2014-001190 // CNNVD: CNNVD-201401-349 // NVD: CVE-2014-0649

PROBLEMTYPE DATA

problemtype:

CWE-264

Trust: 1.9

sources: VULHUB: VHN-68142 // JVNDB: JVNDB-2014-001190 // NVD: CVE-2014-0649

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201401-349

TYPE

permissions and access control

Trust: 0.6

sources: CNNVD: CNNVD-201401-349

CONFIGURATIONS

sources: JVNDB: JVNDB-2014-001190

PATCH

title:	32120	url:	http://tools.cisco.com/security/center/viewAMBAlert.x?alertId=32120	Trust: 0.8
title:	cisco-sa-20140115-csacs	url:	http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140115-csacs	Trust: 0.8
title:	32378	url:	http://tools.cisco.com/security/center/viewAlert.x?alertId=32378	Trust: 0.8
title:	cisco-sa-20140115-csacs	url:	http://www.cisco.com/cisco/web/support/JP/112/1121/1121707_cisco-sa-20140115-csacs-j.html	Trust: 0.8
title:	Patch for the Cisco Secure Access Control System RMI Interface Remote Elevation of Privilege Vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/42559	Trust: 0.6

sources: CNVD: CNVD-2014-00416 // JVNDB: JVNDB-2014-001190

EXTERNAL IDS

db:	NVD	id:	CVE-2014-0649	Trust: 3.4
db:	BID	id:	64958	Trust: 2.0
db:	SECUNIA	id:	56213	Trust: 1.7
db:	SECTRACK	id:	1029634	Trust: 1.1
db:	OSVDB	id:	102116	Trust: 1.1
db:	JVNDB	id:	JVNDB-2014-001190	Trust: 0.8
db:	CNNVD	id:	CNNVD-201401-349	Trust: 0.7
db:	CNVD	id:	CNVD-2014-00416	Trust: 0.6
db:	CISCO	id:	20140115 MULTIPLE VULNERABILITIES IN CISCO SECURE ACCESS CONTROL SYSTEM	Trust: 0.6
db:	VULHUB	id:	VHN-68142	Trust: 0.1

sources: CNVD: CNVD-2014-00416 // VULHUB: VHN-68142 // BID: 64958 // JVNDB: JVNDB-2014-001190 // CNNVD: CNNVD-201401-349 // NVD: CVE-2014-0649

REFERENCES

url:	http://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20140115-csacs	Trust: 2.3
url:	http://secunia.com/advisories/56213	Trust: 1.7
url:	http://www.securityfocus.com/bid/64958	Trust: 1.1
url:	http://tools.cisco.com/security/center/viewalert.x?alertid=32378	Trust: 1.1
url:	http://osvdb.org/102116	Trust: 1.1
url:	http://www.securitytracker.com/id/1029634	Trust: 1.1
url:	https://exchange.xforce.ibmcloud.com/vulnerabilities/90430	Trust: 1.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-0649	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-0649	Trust: 0.8
url:	https://tools.cisco.com/bugsearch/bug/cscud75180	Trust: 0.6
url:	http://www.cisco.com/	Trust: 0.3

sources: CNVD: CNVD-2014-00416 // VULHUB: VHN-68142 // BID: 64958 // JVNDB: JVNDB-2014-001190 // CNNVD: CNNVD-201401-349 // NVD: CVE-2014-0649

CREDITS

Cisco

Trust: 0.3

sources: BID: 64958

SOURCES

db:	CNVD	id:	CNVD-2014-00416
db:	VULHUB	id:	VHN-68142
db:	BID	id:	64958
db:	JVNDB	id:	JVNDB-2014-001190
db:	CNNVD	id:	CNNVD-201401-349
db:	NVD	id:	CVE-2014-0649

LAST UPDATE DATE

2025-04-11T22:55:48.947000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2014-00416	date:	2014-01-17T00:00:00
db:	VULHUB	id:	VHN-68142	date:	2017-08-29T00:00:00
db:	BID	id:	64958	date:	2014-01-15T00:00:00
db:	JVNDB	id:	JVNDB-2014-001190	date:	2014-01-20T00:00:00
db:	CNNVD	id:	CNNVD-201401-349	date:	2014-01-22T00:00:00
db:	NVD	id:	CVE-2014-0649	date:	2025-04-11T00:51:21.963

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2014-00416	date:	2014-01-17T00:00:00
db:	VULHUB	id:	VHN-68142	date:	2014-01-16T00:00:00
db:	BID	id:	64958	date:	2014-01-15T00:00:00
db:	JVNDB	id:	JVNDB-2014-001190	date:	2014-01-20T00:00:00
db:	CNNVD	id:	CNNVD-201401-349	date:	2014-01-22T00:00:00
db:	NVD	id:	CVE-2014-0649	date:	2014-01-16T19:55:04.670