Details of VAR-201406-0323

ID

VAR-201406-0323

CVE

CVE-2014-2959

TITLE

Dell ML6000 and Quantum Scalar i500 tape backup system command injection vulnerability

Trust: 0.8

sources: CERT/CC: VU#124908

DESCRIPTION

logViewer.htm on the Dell ML6000 tape backup system with firmware before i8.2.0.2 (641G.GS103) and the Quantum Scalar i500 tape backup system with firmware before i8.2.2.1 (646G.GS002) allows remote attackers to execute arbitrary commands via shell metacharacters in a pathname parameter. Dell Provided by PowerVault ML6000 series and Quantum Provided by Scalar i500 In OS Command injection vulnerability (CWE-78) Exists. CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') http://cwe.mitre.org/data/definitions/78.htmlAny information on the server by a remote third party OS The command may be executed. Successfully exploiting this issue may allow an attacker to execute arbitrary commands in the context of the affected device. The following products are vulnerable: Quantum Scalar i500 firmware versions i8.2.2 (645G.GS004) and prior Dell PowerVault ML6000 firmware version i8.2.0.1 (641G.GS003) and prior. The Dell PowerVault ML6000 and Quantum Scalar i500 are tape library products designed for high-capacity data storage and providing faster and more reliable data protection for storage environments

Trust: 2.7

sources: NVD: CVE-2014-2959 // CERT/CC: VU#124908 // JVNDB: JVNDB-2014-002686 // BID: 67751 // VULHUB: VHN-70898

AFFECTED PRODUCTS

vendor:	dell	model:	powervault ml6000	scope:	lte	version:	i8.2.0.1_\(641g.gs003\)	Trust: 1.0
vendor:	quantum	model:	scalar i500	scope:	eq	version:	14u	Trust: 1.0
vendor:	quantum	model:	scalar i500	scope:	eq	version:	5u	Trust: 1.0
vendor:	quantum	model:	scalar i500	scope:	eq	version:	23u	Trust: 1.0
vendor:	dell	model:	powervault ml6000	scope:	eq	version:	41u	Trust: 1.0
vendor:	quantum	model:	scalar i500	scope:	lte	version:	i8.2.2.1_\(646g.gs002\)	Trust: 1.0
vendor:	dell	model:	powervault ml6000	scope:	eq	version:	32u	Trust: 1.0
vendor:	dell computer	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	quantum	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	quantum	model:	scalar i500	scope:	-	version:	-	Trust: 0.8
vendor:	quantum	model:	scalar i500	scope:	lt	version:	i8.2.2.1 (646g.gs002) earlier	Trust: 0.8
vendor:	dell	model:	powervault ml6000	scope:	-	version:	-	Trust: 0.8
vendor:	dell	model:	powervault ml6000	scope:	lt	version:	i8.2.0.2 (641g.gs103) earlier	Trust: 0.8
vendor:	quantum	model:	scalar i500	scope:	eq	version:	i8.2.2.1_\(646g.gs002\)	Trust: 0.6

sources: CERT/CC: VU#124908 // JVNDB: JVNDB-2014-002686 // CNNVD: CNNVD-201406-022 // NVD: CVE-2014-2959

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2014-2959
value:	HIGH
Trust: 1.0
NVD:	CVE-2014-2959
value:	HIGH
Trust: 0.8
IPA:	JVNDB-2014-002686
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-201406-022
value:	CRITICAL
Trust: 0.6
VULHUB:	VHN-70898
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2014-2959
severity:	HIGH
baseScore:	9.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	8.5
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.0
NVD:	CVE-2014-2959
severity:	HIGH
baseScore:	9.0
vectorString:	NONE
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	8.5
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.8
IPA:	JVNDB-2014-002686
severity:	HIGH
baseScore:	9.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	NONE
impactScore:	NONE
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.8
VULHUB:	VHN-70898
severity:	HIGH
baseScore:	9.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	8.5
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: CERT/CC: VU#124908 // VULHUB: VHN-70898 // JVNDB: JVNDB-2014-002686 // CNNVD: CNNVD-201406-022 // NVD: CVE-2014-2959

PROBLEMTYPE DATA

problemtype:

CWE-78

Trust: 1.9

sources: VULHUB: VHN-70898 // JVNDB: JVNDB-2014-002686 // NVD: CVE-2014-2959

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201406-022

TYPE

operating system commend injection

Trust: 0.6

sources: CNNVD: CNNVD-201406-022

CONFIGURATIONS

sources: JVNDB: JVNDB-2014-002686

EXPLOIT AVAILABILITY

sources: CERT/CC: VU#124908

PATCH

title:	Dell PowerVault ML6000 Firmware Update, version A28	url:	http://www.dell.com/support/home/JP/ja/19/Drivers/DriversDetails?driverId=XCC7W&osCode=WNET&fileId=3369748178&languageCode=en&categoryId=TA	Trust: 0.8
title:	Scalar i500	url:	http://www.quantum.com/serviceandsupport/softwareanddocumentationdownloads/si500/index.aspx	Trust: 0.8

sources: JVNDB: JVNDB-2014-002686

EXTERNAL IDS

db:	CERT/CC	id:	VU#124908	Trust: 3.6
db:	NVD	id:	CVE-2014-2959	Trust: 2.8
db:	BID	id:	67751	Trust: 1.4
db:	SECUNIA	id:	59019	Trust: 1.1
db:	JVN	id:	JVNVU99779325	Trust: 0.8
db:	JVNDB	id:	JVNDB-2014-002686	Trust: 0.8
db:	CNNVD	id:	CNNVD-201406-022	Trust: 0.6
db:	VULHUB	id:	VHN-70898	Trust: 0.1

sources: CERT/CC: VU#124908 // VULHUB: VHN-70898 // BID: 67751 // JVNDB: JVNDB-2014-002686 // CNNVD: CNNVD-201406-022 // NVD: CVE-2014-2959

REFERENCES

url:	http://www.kb.cert.org/vuls/id/124908	Trust: 2.8
url:	http://www.quantum.com/serviceandsupport/softwareanddocumentationdownloads/si500/index.aspx	Trust: 1.9
url:	http://www.dell.com/support/drivers/us/en/19/driverdetails/product/powervault-ml6000?driverid=xcc7w&oscode=wnet&fileid=3369748178&languagecode=en&categoryid=ta	Trust: 1.6
url:	http://www.securityfocus.com/bid/67751	Trust: 1.1
url:	http://secunia.com/advisories/59019	Trust: 1.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-2959	Trust: 0.8
url:	http://jvn.jp/vu/jvnvu99779325/index.html	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-2959	Trust: 0.8
url:	http://dell.com	Trust: 0.3

sources: CERT/CC: VU#124908 // VULHUB: VHN-70898 // BID: 67751 // JVNDB: JVNDB-2014-002686 // CNNVD: CNNVD-201406-022 // NVD: CVE-2014-2959

CREDITS

Benjamin Buchanan

Trust: 0.3

sources: BID: 67751

SOURCES

db:	CERT/CC	id:	VU#124908
db:	VULHUB	id:	VHN-70898
db:	BID	id:	67751
db:	JVNDB	id:	JVNDB-2014-002686
db:	CNNVD	id:	CNNVD-201406-022
db:	NVD	id:	CVE-2014-2959

LAST UPDATE DATE

2025-04-13T23:18:21.780000+00:00

SOURCES UPDATE DATE

db:	CERT/CC	id:	VU#124908	date:	2014-05-30T00:00:00
db:	VULHUB	id:	VHN-70898	date:	2014-06-26T00:00:00
db:	BID	id:	67751	date:	2014-05-30T00:00:00
db:	JVNDB	id:	JVNDB-2014-002686	date:	2014-06-04T00:00:00
db:	CNNVD	id:	CNNVD-201406-022	date:	2014-06-05T00:00:00
db:	NVD	id:	CVE-2014-2959	date:	2025-04-12T10:46:40.837

SOURCES RELEASE DATE

db:	CERT/CC	id:	VU#124908	date:	2014-05-30T00:00:00
db:	VULHUB	id:	VHN-70898	date:	2014-06-02T00:00:00
db:	BID	id:	67751	date:	2014-05-30T00:00:00
db:	JVNDB	id:	JVNDB-2014-002686	date:	2014-06-02T00:00:00
db:	CNNVD	id:	CNNVD-201406-022	date:	2014-06-05T00:00:00
db:	NVD	id:	CVE-2014-2959	date:	2014-06-02T19:55:03.500