Details of VAR-201406-0355

ID

VAR-201406-0355

CVE

CVE-2014-3911

TITLE

Samsung iPOLiS Device Manager Vulnerable to arbitrary code execution

Trust: 0.8

sources: JVNDB: JVNDB-2014-002911

DESCRIPTION

Samsung iPOLiS Device Manager before 1.8.7 allow remote attackers to execute arbitrary code via unspecified values to the (1) Start, (2) ChangeControlLocalName, (3) DeleteDeviceProfile, (4) FrameAdvanceReader, or other unknown method in the XNSSDKDEVICE.XnsSdkDeviceCtrlForIpInstaller.1 ActiveX control. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the XNSSDKWINDOW.XnsSdkWindowCtrlForIpInstaller.1 ActiveX control. Samsung iPOLiS Device Manager is a webcam device management program. Failed exploit attempts will likely result in denial-of-service conditions

Trust: 5.58

sources: NVD: CVE-2014-3911 // JVNDB: JVNDB-2014-002911 // ZDI: ZDI-14-172 // ZDI: ZDI-14-167 // ZDI: ZDI-14-170 // ZDI: ZDI-14-168 // ZDI: ZDI-14-171 // CNVD: CNVD-2014-03532 // BID: 67822

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2014-03532

AFFECTED PRODUCTS

vendor:	samsung	model:	ipolis device manager	scope:	-	version:	-	Trust: 4.1
vendor:	samsung	model:	ipolis device manager	scope:	lte	version:	1.8.2	Trust: 1.0
vendor:	samsung	model:	ipolis device manager	scope:	lt	version:	1.8.7	Trust: 0.8
vendor:	samsung	model:	ipolis device manager	scope:	eq	version:	1.8.2	Trust: 0.6

sources: ZDI: ZDI-14-172 // ZDI: ZDI-14-167 // ZDI: ZDI-14-170 // ZDI: ZDI-14-168 // ZDI: ZDI-14-171 // CNVD: CNVD-2014-03532 // JVNDB: JVNDB-2014-002911 // CNNVD: CNNVD-201406-272 // NVD: CVE-2014-3911

CVSS

SEVERITY

CVSSV2

CVSSV3

ZDI:	CVE-2014-3911
value:	HIGH
Trust: 3.5
nvd@nist.gov:	CVE-2014-3911
value:	HIGH
Trust: 1.0
NVD:	CVE-2014-3911
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2014-03532
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-201406-272
value:	CRITICAL
Trust: 0.6

ZDI:	CVE-2014-3911
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 3.5
nvd@nist.gov:	CVE-2014-3911
severity:	HIGH
baseScore:	9.3
vectorString:	AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.6
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2014-03532
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

PROBLEMTYPE DATA

problemtype:

CWE-94

Trust: 1.8

sources: JVNDB: JVNDB-2014-002911 // NVD: CVE-2014-3911

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201406-272

TYPE

code injection

Trust: 0.6

sources: CNNVD: CNNVD-201406-272

CONFIGURATIONS

sources: JVNDB: JVNDB-2014-002911

PATCH

title:	iPOLiS Device Manager_v1.8.7_setup_Full.zip	url:	http://update.websamsung.net/Tools/iPOLiS%20Device%20Manager/iPOLiS%20Device%20Manager_v1.8.7_setup_Full.zip	Trust: 3.6
title:	Samsung has issued an update to correct this vulnerability.	url:	http://www.samsungsecurity.com/support/online_tool.asp	Trust: 0.7
title:	Samsung iPOLiS Device Manager ActiveX Control has multiple patches for remote code execution vulnerabilities	url:	https://www.cnvd.org.cn/patchInfo/show/46243	Trust: 0.6

sources: ZDI: ZDI-14-172 // ZDI: ZDI-14-167 // ZDI: ZDI-14-170 // ZDI: ZDI-14-168 // ZDI: ZDI-14-171 // CNVD: CNVD-2014-03532 // JVNDB: JVNDB-2014-002911

EXTERNAL IDS

db:	NVD	id:	CVE-2014-3911	Trust: 6.8
db:	ZDI	id:	ZDI-14-172	Trust: 3.7
db:	ZDI	id:	ZDI-14-167	Trust: 3.1
db:	ZDI	id:	ZDI-14-170	Trust: 3.1
db:	ZDI	id:	ZDI-14-168	Trust: 3.1
db:	ZDI	id:	ZDI-14-171	Trust: 3.1
db:	BID	id:	67822	Trust: 2.5
db:	JVNDB	id:	JVNDB-2014-002911	Trust: 0.8
db:	ZDI_CAN	id:	ZDI-CAN-2320	Trust: 0.7
db:	ZDI_CAN	id:	ZDI-CAN-2307	Trust: 0.7
db:	ZDI_CAN	id:	ZDI-CAN-2321	Trust: 0.7
db:	ZDI_CAN	id:	ZDI-CAN-2311	Trust: 0.7
db:	ZDI_CAN	id:	ZDI-CAN-2322	Trust: 0.7
db:	CNVD	id:	CNVD-2014-03532	Trust: 0.6
db:	CNNVD	id:	CNNVD-201406-272	Trust: 0.6

sources: ZDI: ZDI-14-172 // ZDI: ZDI-14-167 // ZDI: ZDI-14-170 // ZDI: ZDI-14-168 // ZDI: ZDI-14-171 // CNVD: CNVD-2014-03532 // BID: 67822 // JVNDB: JVNDB-2014-002911 // CNNVD: CNNVD-201406-272 // NVD: CVE-2014-3911

REFERENCES

url:	http://update.websamsung.net/tools/ipolis%20device%20manager/ipolis%20device%20manager_v1.8.7_setup_full.zip	Trust: 4.4
url:	http://www.zerodayinitiative.com/advisories/zdi-14-172/	Trust: 3.0
url:	http://www.zerodayinitiative.com/advisories/zdi-14-167/	Trust: 2.4
url:	http://www.zerodayinitiative.com/advisories/zdi-14-168/	Trust: 2.4
url:	http://www.zerodayinitiative.com/advisories/zdi-14-170/	Trust: 2.4
url:	http://www.zerodayinitiative.com/advisories/zdi-14-171/	Trust: 2.4
url:	http://www.securityfocus.com/bid/67822	Trust: 1.6
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-3911	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-3911	Trust: 0.8
url:	http://www.samsungsecurity.com/support/online_tool.asp	Trust: 0.7

CREDITS

Ariele Caltabiano (kimiya) and Andrea Micalizzi (rgod)

Trust: 2.1

sources: ZDI: ZDI-14-172 // ZDI: ZDI-14-170 // ZDI: ZDI-14-171

SOURCES

db:	ZDI	id:	ZDI-14-172
db:	ZDI	id:	ZDI-14-167
db:	ZDI	id:	ZDI-14-170
db:	ZDI	id:	ZDI-14-168
db:	ZDI	id:	ZDI-14-171
db:	CNVD	id:	CNVD-2014-03532
db:	BID	id:	67822
db:	JVNDB	id:	JVNDB-2014-002911
db:	CNNVD	id:	CNNVD-201406-272
db:	NVD	id:	CVE-2014-3911

LAST UPDATE DATE

2025-04-13T23:39:45.884000+00:00

SOURCES UPDATE DATE

db:	ZDI	id:	ZDI-14-172	date:	2014-06-04T00:00:00
db:	ZDI	id:	ZDI-14-167	date:	2014-06-04T00:00:00
db:	ZDI	id:	ZDI-14-170	date:	2014-06-04T00:00:00
db:	ZDI	id:	ZDI-14-168	date:	2014-06-04T00:00:00
db:	ZDI	id:	ZDI-14-171	date:	2014-06-04T00:00:00
db:	CNVD	id:	CNVD-2014-03532	date:	2014-06-10T00:00:00
db:	BID	id:	67822	date:	2014-08-27T00:23:00
db:	JVNDB	id:	JVNDB-2014-002911	date:	2014-06-16T00:00:00
db:	CNNVD	id:	CNNVD-201406-272	date:	2014-06-13T00:00:00
db:	NVD	id:	CVE-2014-3911	date:	2025-04-12T10:46:40.837

SOURCES RELEASE DATE

db:	ZDI	id:	ZDI-14-172	date:	2014-06-04T00:00:00
db:	ZDI	id:	ZDI-14-167	date:	2014-06-04T00:00:00
db:	ZDI	id:	ZDI-14-170	date:	2014-06-04T00:00:00
db:	ZDI	id:	ZDI-14-168	date:	2014-06-04T00:00:00
db:	ZDI	id:	ZDI-14-171	date:	2014-06-04T00:00:00
db:	CNVD	id:	CNVD-2014-03532	date:	2014-06-10T00:00:00
db:	BID	id:	67822	date:	2014-06-04T00:00:00
db:	JVNDB	id:	JVNDB-2014-002911	date:	2014-06-16T00:00:00
db:	CNNVD	id:	CNNVD-201406-272	date:	2014-06-13T00:00:00
db:	NVD	id:	CVE-2014-3911	date:	2014-06-11T14:55:09.097