Details of VAR-201407-0031

ID

VAR-201407-0031

CVE

CVE-2014-3418

TITLE

Infoblox NetMRI Vulnerabilities that gain access

Trust: 0.8

sources: JVNDB: JVNDB-2014-003358

DESCRIPTION

config/userAdmin/login.tdf in Infoblox NetMRI before 6.8.5 allows remote attackers to execute arbitrary commands via shell metacharacters in the skipjackUsername parameter. Infoblox NetMRI Is "root" of MySQL There is a vulnerability in which access rights can be obtained because the default password of the administrator is used for the database account.Local users may be able to gain access. Infoblox Network Automation is a network automation product. Infoblox Network Automation failed to properly handle the input submitted by the user via the skipjackUsername POST parameter, allowing remote attackers to exploit the vulnerability to inject operating system commands to the root user. Multiple Infoblox Network Automation Products including NetMRI, Switch Port Manager, Automation Change Manager and Security Device Controller are prone to an OS command-injection vulnerability

Trust: 3.15

sources: NVD: CVE-2014-3418 // JVNDB: JVNDB-2014-003358 // JVNDB: JVNDB-2014-003357 // CNVD: CNVD-2014-04293 // BID: 68471

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2014-04293

AFFECTED PRODUCTS

vendor:	infoblox	model:	netmri	scope:	lt	version:	6.8.5	Trust: 1.6
vendor:	infoblox	model:	netmri	scope:	eq	version:	6.1.2	Trust: 1.6
vendor:	infoblox	model:	netmri	scope:	eq	version:	6.0.2.42	Trust: 1.6
vendor:	infoblox	model:	netmri	scope:	eq	version:	6.2.1	Trust: 1.6
vendor:	infoblox	model:	netmri	scope:	eq	version:	6.2.1.48	Trust: 1.6
vendor:	infoblox	model:	netmri	scope:	eq	version:	6.8.2.11	Trust: 1.6
vendor:	infoblox	model:	netmri	scope:	lte	version:	6.8.4	Trust: 1.0
vendor:	infoblox	model:	inc network automation	scope:	-	version:	-	Trust: 0.6
vendor:	infoblox	model:	netmri	scope:	eq	version:	6.8.4	Trust: 0.6

sources: CNVD: CNVD-2014-04293 // JVNDB: JVNDB-2014-003358 // JVNDB: JVNDB-2014-003357 // CNNVD: CNNVD-201407-343 // NVD: CVE-2014-3418

CVSS

SEVERITY

CVSSV2

CVSSV3

NVD:	CVE-2014-3418
value:	HIGH
Trust: 1.6
nvd@nist.gov:	CVE-2014-3418
value:	HIGH
Trust: 1.0
CNVD:	CNVD-2014-04293
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-201407-343
value:	CRITICAL
Trust: 0.6

nvd@nist.gov:	CVE-2014-3418
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
NVD:	CVE-2014-3418
severity:	HIGH
baseScore:	7.2
vectorString:	AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	NONE
impactScore:	NONE
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.8
CNVD:	CNVD-2014-04293
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

sources: CNVD: CNVD-2014-04293 // JVNDB: JVNDB-2014-003358 // JVNDB: JVNDB-2014-003357 // CNNVD: CNNVD-201407-343 // NVD: CVE-2014-3418

PROBLEMTYPE DATA

problemtype:	CWE-78	Trust: 1.8
problemtype:	CWE-255	Trust: 0.8

sources: JVNDB: JVNDB-2014-003358 // JVNDB: JVNDB-2014-003357 // NVD: CVE-2014-3418

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201407-343

TYPE

operating system commend injection

Trust: 0.6

sources: CNNVD: CNNVD-201407-343

CONFIGURATIONS

sources: JVNDB: JVNDB-2014-003358

PATCH

title:	Infoblox NetMRI	url:	http://www.infoblox.jp/products/network-automation/netmri	Trust: 1.6
title:	Patch for Infoblox Network Automation product OS command injection vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/47486	Trust: 0.6

sources: CNVD: CNVD-2014-04293 // JVNDB: JVNDB-2014-003358 // JVNDB: JVNDB-2014-003357

EXTERNAL IDS

db:	NVD	id:	CVE-2014-3418	Trust: 4.1
db:	BID	id:	68471	Trust: 2.5
db:	EXPLOIT-DB	id:	34030	Trust: 1.6
db:	JVNDB	id:	JVNDB-2014-003358	Trust: 0.8
db:	JVNDB	id:	JVNDB-2014-003357	Trust: 0.8
db:	CNVD	id:	CNVD-2014-04293	Trust: 0.6
db:	XF	id:	94449	Trust: 0.6
db:	CNNVD	id:	CNNVD-201407-343	Trust: 0.6

sources: CNVD: CNVD-2014-04293 // BID: 68471 // JVNDB: JVNDB-2014-003358 // JVNDB: JVNDB-2014-003357 // CNNVD: CNNVD-201407-343 // NVD: CVE-2014-3418

REFERENCES

url:	https://github.com/depthsecurity/netmri-2014-3418	Trust: 3.5
url:	http://blog.depthsecurity.com/2014/07/os-command-injection-in-infoblox-netmri.html	Trust: 3.2
url:	http://www.exploit-db.com/exploits/34030	Trust: 1.6
url:	http://seclists.org/fulldisclosure/2014/jul/35	Trust: 1.6
url:	http://www.securityfocus.com/bid/68471	Trust: 1.6
url:	http://www.securityfocus.com/archive/1/archive/1/532709/100/0/threaded	Trust: 1.4
url:	https://exchange.xforce.ibmcloud.com/vulnerabilities/94449	Trust: 1.0
url:	http://www.securityfocus.com/archive/1/532709/100/0/threaded	Trust: 1.0
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-3419	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-3419	Trust: 0.8
url:	http://www.securityfocus.com/archive/1/archive/1/532710/100/0/threaded	Trust: 0.8
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-3418	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-3418	Trust: 0.8
url:	http://www.securityfocus.com/archive/1/532710	Trust: 0.6
url:	http://xforce.iss.net/xforce/xfdb/94449	Trust: 0.6
url:	http://www.infoblox.com/en/products/netmri.html	Trust: 0.3

sources: CNVD: CNVD-2014-04293 // BID: 68471 // JVNDB: JVNDB-2014-003358 // JVNDB: JVNDB-2014-003357 // CNNVD: CNNVD-201407-343 // NVD: CVE-2014-3418

CREDITS

Nate Kettlewell of Depth Security.

Trust: 0.3

sources: BID: 68471

SOURCES

db:	CNVD	id:	CNVD-2014-04293
db:	BID	id:	68471
db:	JVNDB	id:	JVNDB-2014-003358
db:	JVNDB	id:	JVNDB-2014-003357
db:	CNNVD	id:	CNNVD-201407-343
db:	NVD	id:	CVE-2014-3418

LAST UPDATE DATE

2025-04-13T23:25:24.108000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2014-04293	date:	2014-07-16T00:00:00
db:	BID	id:	68471	date:	2014-07-09T00:00:00
db:	JVNDB	id:	JVNDB-2014-003358	date:	2014-07-16T00:00:00
db:	JVNDB	id:	JVNDB-2014-003357	date:	2014-07-16T00:00:00
db:	CNNVD	id:	CNNVD-201407-343	date:	2014-07-16T00:00:00
db:	NVD	id:	CVE-2014-3418	date:	2025-04-12T10:46:40.837

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2014-04293	date:	2014-07-16T00:00:00
db:	BID	id:	68471	date:	2014-07-09T00:00:00
db:	JVNDB	id:	JVNDB-2014-003358	date:	2014-07-16T00:00:00
db:	JVNDB	id:	JVNDB-2014-003357	date:	2014-07-16T00:00:00
db:	CNNVD	id:	CNNVD-201407-343	date:	2014-07-16T00:00:00
db:	NVD	id:	CVE-2014-3418	date:	2014-07-15T14:55:09.387