Details of VAR-201411-0385

ID

VAR-201411-0385

CVE

CVE-2014-8424

TITLE

ARRIS VAP2500 Vulnerabilities that bypass authentication

Trust: 0.8

sources: JVNDB: JVNDB-2014-005686

DESCRIPTION

ARRIS VAP2500 before FW08.41 does not properly validate passwords, which allows remote attackers to bypass authentication. Authentication is not required to exploit this vulnerability.The specific flaw exists within the handling of user authentication. The issue lies in the failure to compare the password when authenticating. An attacker can leverage this vulnerability to bypass authentication checks which can then be chained to execute code with root privileges. The Arris VAP2500 is a wireless access device from Arris, USA. Arris VAP2500 is prone to an authentication-bypass vulnerability

Trust: 3.15

sources: NVD: CVE-2014-8424 // JVNDB: JVNDB-2014-005686 // ZDI: ZDI-14-388 // CNVD: CNVD-2014-08575 // BID: 71297 // VULHUB: VHN-76369

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2014-08575

AFFECTED PRODUCTS

vendor:	arris	model:	vap2500	scope:	lte	version:	08.41	Trust: 1.0
vendor:	arris group	model:	vap2500	scope:	lt	version:	fw08.41	Trust: 0.8
vendor:	arris	model:	vap2500	scope:	-	version:	-	Trust: 0.7
vendor:	arris group	model:	vap2500	scope:	-	version:	-	Trust: 0.6
vendor:	arris	model:	vap2500	scope:	eq	version:	08.41	Trust: 0.6
vendor:	arris	model:	vap2500	scope:	eq	version:	0	Trust: 0.3

sources: ZDI: ZDI-14-388 // CNVD: CNVD-2014-08575 // BID: 71297 // JVNDB: JVNDB-2014-005686 // CNNVD: CNNVD-201411-517 // NVD: CVE-2014-8424

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2014-8424
value:	HIGH
Trust: 1.0
NVD:	CVE-2014-8424
value:	HIGH
Trust: 0.8
ZDI:	CVE-2014-8424
value:	HIGH
Trust: 0.7
CNVD:	CNVD-2014-08575
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-201411-517
value:	HIGH
Trust: 0.6
VULHUB:	VHN-76369
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2014-8424
severity:	HIGH
baseScore:	7.8
vectorString:	AV:N/AC:L/AU:N/C:C/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	6.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 2.5
CNVD:	CNVD-2014-08575
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
VULHUB:	VHN-76369
severity:	HIGH
baseScore:	7.8
vectorString:	AV:N/AC:L/AU:N/C:C/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	6.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: ZDI: ZDI-14-388 // CNVD: CNVD-2014-08575 // VULHUB: VHN-76369 // JVNDB: JVNDB-2014-005686 // CNNVD: CNNVD-201411-517 // NVD: CVE-2014-8424

PROBLEMTYPE DATA

problemtype:

CWE-287

Trust: 1.9

sources: VULHUB: VHN-76369 // JVNDB: JVNDB-2014-005686 // NVD: CVE-2014-8424

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201411-517

TYPE

authorization issue

Trust: 0.6

sources: CNNVD: CNNVD-201411-517

CONFIGURATIONS

sources: JVNDB: JVNDB-2014-005686

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-76369

PATCH

title:	Top Page	url:	http://www.arrisi.com/products/product.asp?id=5017	Trust: 0.8
title:	Arris VAP2500 authentication bypass vulnerability patch	url:	https://www.cnvd.org.cn/patchInfo/show/52266	Trust: 0.6

sources: CNVD: CNVD-2014-08575 // JVNDB: JVNDB-2014-005686

EXTERNAL IDS

db:	NVD	id:	CVE-2014-8424	Trust: 4.1
db:	ZDI	id:	ZDI-14-388	Trust: 3.5
db:	BID	id:	71297	Trust: 1.6
db:	JVNDB	id:	JVNDB-2014-005686	Trust: 0.8
db:	ZDI_CAN	id:	ZDI-CAN-2136	Trust: 0.7
db:	CNNVD	id:	CNNVD-201411-517	Trust: 0.7
db:	CNVD	id:	CNVD-2014-08575	Trust: 0.6
db:	EXPLOIT-DB	id:	35372	Trust: 0.1
db:	VULHUB	id:	VHN-76369	Trust: 0.1

sources: ZDI: ZDI-14-388 // CNVD: CNVD-2014-08575 // VULHUB: VHN-76369 // BID: 71297 // JVNDB: JVNDB-2014-005686 // CNNVD: CNNVD-201411-517 // NVD: CVE-2014-8424

REFERENCES

url:	http://www.zerodayinitiative.com/advisories/zdi-14-388/	Trust: 2.8
url:	http://www.securityfocus.com/bid/71297	Trust: 1.2
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-8424	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-8424	Trust: 0.8
url:	http://www.arrisi.com/products/product.asp?id=5017	Trust: 0.3

sources: CNVD: CNVD-2014-08575 // VULHUB: VHN-76369 // BID: 71297 // JVNDB: JVNDB-2014-005686 // CNNVD: CNNVD-201411-517 // NVD: CVE-2014-8424

CREDITS

Ricky "HeadlessZeke" Lawshae

Trust: 1.6

sources: ZDI: ZDI-14-388 // BID: 71297 // CNNVD: CNNVD-201411-517

SOURCES

db:	ZDI	id:	ZDI-14-388
db:	CNVD	id:	CNVD-2014-08575
db:	VULHUB	id:	VHN-76369
db:	BID	id:	71297
db:	JVNDB	id:	JVNDB-2014-005686
db:	CNNVD	id:	CNNVD-201411-517
db:	NVD	id:	CVE-2014-8424

LAST UPDATE DATE

2025-04-12T23:16:58.738000+00:00

SOURCES UPDATE DATE

db:	ZDI	id:	ZDI-14-388	date:	2014-11-25T00:00:00
db:	CNVD	id:	CNVD-2014-08575	date:	2014-11-28T00:00:00
db:	VULHUB	id:	VHN-76369	date:	2014-11-28T00:00:00
db:	BID	id:	71297	date:	2014-11-25T00:00:00
db:	JVNDB	id:	JVNDB-2014-005686	date:	2014-12-01T00:00:00
db:	CNNVD	id:	CNNVD-201411-517	date:	2014-12-02T00:00:00
db:	NVD	id:	CVE-2014-8424	date:	2025-04-12T10:46:40.837

SOURCES RELEASE DATE

db:	ZDI	id:	ZDI-14-388	date:	2014-11-25T00:00:00
db:	CNVD	id:	CNVD-2014-08575	date:	2014-11-28T00:00:00
db:	VULHUB	id:	VHN-76369	date:	2014-11-28T00:00:00
db:	BID	id:	71297	date:	2014-11-25T00:00:00
db:	JVNDB	id:	JVNDB-2014-005686	date:	2014-12-01T00:00:00
db:	CNNVD	id:	CNNVD-201411-517	date:	2014-11-27T00:00:00
db:	NVD	id:	CVE-2014-8424	date:	2014-11-28T15:59:04.433