Sign-up

ID

VAR-201601-0613


CVE

CVE-2014-8886


TITLE

AVM FRITZ!OS Vulnerable to creating a symbolic link

Trust: 0.8

sources: JVNDB: JVNDB-2014-008154

DESCRIPTION

AVM FRITZ!OS before 6.30 extracts the contents of firmware updates before verifying their cryptographic signature, which allows remote attackers to create symlinks or overwrite critical files, and consequently execute arbitrary code, via a crafted firmware image. AVM FRITZ!OS is prone to a remote code-execution vulnerability. Successfully exploiting this issue allows attackers to execute arbitrary code in the context of the affected application. AVM FRITZ!OS versions prior to 6.30 are vulnerable

Trust: 1.89

sources: NVD: CVE-2014-8886 // JVNDB: JVNDB-2014-008154 // BID: 85704

AFFECTED PRODUCTS

vendor:avmmodel:fritz\! osscope:lteversion:6.23

Trust: 1.0

vendor:avmmodel:fritz!boxscope:ltversion:6.30

Trust: 0.8

vendor:avmmodel:fritz\! osscope:eqversion:6.23

Trust: 0.6

sources: JVNDB: JVNDB-2014-008154 // CNNVD: CNNVD-201601-143 // NVD: CVE-2014-8886

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2014-8886
value: HIGH

Trust: 1.0

NVD: CVE-2014-8886
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201601-143
value: CRITICAL

Trust: 0.6

nvd@nist.gov: CVE-2014-8886
severity: HIGH
baseScore: 9.3
vectorString: AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.6
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

nvd@nist.gov: CVE-2014-8886
baseSeverity: HIGH
baseScore: 8.1
vectorString: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.2
impactScore: 5.9
version: 3.0

Trust: 1.0

sources: JVNDB: JVNDB-2014-008154 // CNNVD: CNNVD-201601-143 // NVD: CVE-2014-8886

PROBLEMTYPE DATA

problemtype:CWE-310

Trust: 1.8

sources: JVNDB: JVNDB-2014-008154 // NVD: CVE-2014-8886

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201601-143

TYPE

encryption problem

Trust: 0.6

sources: CNNVD: CNNVD-201601-143

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2014-008154

PATCH
title:Sicherheitsinfos zu Updatesurl:https://avm.de/service/sicherheitsinfos-zu-updates/
Trust: 0.8
title:AVM FRITZ!OS Fixes for encryption problem vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=59497
Trust: 0.6
sources:
            
            
            JVNDB: JVNDB-2014-008154 // 
            
            
            
            CNNVD: CNNVD-201601-143

EXTERNAL IDS
db:NVDid:CVE-2014-8886
Trust: 2.7
db:PACKETSTORMid:135161
Trust: 1.0
db:JVNDBid:JVNDB-2014-008154
Trust: 0.8
db:CNNVDid:CNNVD-201601-143
Trust: 0.6
db:BIDid:85704
Trust: 0.3
sources:
            
            
            BID: 85704 // 
            
            
            
            JVNDB: JVNDB-2014-008154 // 
            
            
            
            CNNVD: CNNVD-201601-143 // 
            
            
            
            NVD: CVE-2014-8886

REFERENCES
url:https://www.redteam-pentesting.de/advisories/rt-sa-2014-014
Trust: 1.6
url:https://avm.de/service/sicherheitsinfos-zu-updates/
Trust: 1.6
url:http://seclists.org/fulldisclosure/2016/jan/12
Trust: 1.6
url:http://packetstormsecurity.com/files/135161/avm-fritz-box-arbitrary-code-execution-via-firmware-images.html
Trust: 1.0
url:http://www.securityfocus.com/archive/1/537246/100/0/threaded
Trust: 1.0
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-8886
Trust: 0.8
url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-8886
Trust: 0.8
url:https://www.redteam-pentesting.de/en/advisories/rt-sa-2014-014/-avm-fritz-box-arbitrary-code-execution-through-manipulated-firmware-images
Trust: 0.8
url:http://www.securityfocus.com/archive/1/archive/1/537246/100/0/threaded
Trust: 0.6
url:http://www.avm.de/en/
Trust: 0.3
sources:
            
            
            BID: 85704 // 
            
            
            
            JVNDB: JVNDB-2014-008154 // 
            
            
            
            CNNVD: CNNVD-201601-143 // 
            
            
            
            NVD: CVE-2014-8886

CREDITS
RedTeam Pentesting GmbH.
Trust: 0.3
sources:
            
            
            BID: 85704

SOURCES
db:BIDid:85704
db:JVNDBid:JVNDB-2014-008154
db:CNNVDid:CNNVD-201601-143
db:NVDid:CVE-2014-8886

LAST UPDATE DATE
2025-04-13T23:39:01.105000+00:00

SOURCES UPDATE DATE
db:BIDid:85704date:2016-01-08T00:00:00
db:JVNDBid:JVNDB-2014-008154date:2016-01-14T00:00:00
db:CNNVDid:CNNVD-201601-143date:2016-01-15T00:00:00
db:NVDid:CVE-2014-8886date:2025-04-12T10:46:40.837

SOURCES RELEASE DATE
db:BIDid:85704date:2016-01-08T00:00:00
db:JVNDBid:JVNDB-2014-008154date:2016-01-14T00:00:00
db:CNNVDid:CNNVD-201601-143date:2016-01-11T00:00:00
db:NVDid:CVE-2014-8886date:2016-01-08T20:59:00.123