Details of VAR-201605-0411

ID

VAR-201605-0411

CVE

CVE-2016-1404

TITLE

Cisco UCS Invicta Appliance and Invicta Operates on a scaling system Cisco UCS Invicta Vulnerabilities that can break cryptographic protection mechanisms

Trust: 0.8

sources: JVNDB: JVNDB-2016-002956

DESCRIPTION

Cisco UCS Invicta 4.3, 4.5, and 5.0.1 on Invicta appliances and Invicta Scaling System uses the same hardcoded GnuPG encryption key across different customers' installations, which allows remote attackers to defeat cryptographic protection mechanisms by sniffing network traffic to an Autosupport server and leveraging knowledge of this key from another installation, aka Bug ID CSCur85504. Cisco UCS Invicta Software is prone to an information-disclosure vulnerability. An attacker can exploit this issue to perform man-in-the-middle attacks and obtain sensitive information. Successful exploits will lead to other attacks. This issue is being tracked by Cisco Bug ID CSCur85504

Trust: 1.98

sources: NVD: CVE-2016-1404 // JVNDB: JVNDB-2016-002956 // BID: 90839 // VULHUB: VHN-90223

AFFECTED PRODUCTS

vendor:	cisco	model:	ucs invicta c3124sa appliance	scope:	eq	version:	4.3.1	Trust: 1.6
vendor:	cisco	model:	ucs invicta c3124sa appliance	scope:	eq	version:	5.0.1	Trust: 1.6
vendor:	cisco	model:	ucs invicta c3124sa appliance	scope:	eq	version:	5.0_base	Trust: 1.6
vendor:	cisco	model:	ucs invicta c3124sa appliance	scope:	eq	version:	4.5_base	Trust: 1.6
vendor:	cisco	model:	ucs invicta c3124sa appliance	scope:	eq	version:	4.5.0	Trust: 1.6
vendor:	cisco	model:	ucs invicta c3124sa appliance	scope:	eq	version:	4.3_base	Trust: 1.6
vendor:	cisco	model:	ucs invicta c3124sa the appliance	scope:	eq	version:	4.3	Trust: 0.8
vendor:	cisco	model:	ucs invicta c3124sa the appliance	scope:	eq	version:	4.5	Trust: 0.8
vendor:	cisco	model:	ucs invicta c3124sa the appliance	scope:	eq	version:	5.0.1	Trust: 0.8

sources: JVNDB: JVNDB-2016-002956 // CNNVD: CNNVD-201605-590 // NVD: CVE-2016-1404

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2016-1404
value:	HIGH
Trust: 1.0
NVD:	CVE-2016-1404
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-201605-590
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-90223
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2016-1404
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-90223
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2016-1404
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	3.6
version:	3.0
Trust: 1.8

sources: VULHUB: VHN-90223 // JVNDB: JVNDB-2016-002956 // CNNVD: CNNVD-201605-590 // NVD: CVE-2016-1404

PROBLEMTYPE DATA

problemtype:

CWE-200

Trust: 1.9

sources: VULHUB: VHN-90223 // JVNDB: JVNDB-2016-002956 // NVD: CVE-2016-1404

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201605-590

TYPE

information disclosure

Trust: 0.6

sources: CNNVD: CNNVD-201605-590

CONFIGURATIONS

sources: JVNDB: JVNDB-2016-002956

PATCH

title:

cisco-sa-20160524-ucs-inv

url:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160524-ucs-inv

Trust: 0.8

sources: JVNDB: JVNDB-2016-002956

EXTERNAL IDS

db:	NVD	id:	CVE-2016-1404	Trust: 2.8
db:	SECTRACK	id:	1035957	Trust: 1.1
db:	JVNDB	id:	JVNDB-2016-002956	Trust: 0.8
db:	CNNVD	id:	CNNVD-201605-590	Trust: 0.7
db:	BID	id:	90839	Trust: 0.4
db:	VULHUB	id:	VHN-90223	Trust: 0.1

sources: VULHUB: VHN-90223 // BID: 90839 // JVNDB: JVNDB-2016-002956 // CNNVD: CNNVD-201605-590 // NVD: CVE-2016-1404

REFERENCES

url:	http://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20160524-ucs-inv	Trust: 1.7
url:	http://www.securitytracker.com/id/1035957	Trust: 1.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-1404	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2016-1404	Trust: 0.8
url:	http://www.cisco.com/	Trust: 0.3

sources: VULHUB: VHN-90223 // BID: 90839 // JVNDB: JVNDB-2016-002956 // CNNVD: CNNVD-201605-590 // NVD: CVE-2016-1404

CREDITS

Cisco

Trust: 0.3

sources: BID: 90839

SOURCES

db:	VULHUB	id:	VHN-90223
db:	BID	id:	90839
db:	JVNDB	id:	JVNDB-2016-002956
db:	CNNVD	id:	CNNVD-201605-590
db:	NVD	id:	CVE-2016-1404

LAST UPDATE DATE

2025-04-13T23:31:26.763000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-90223	date:	2016-12-01T00:00:00
db:	BID	id:	90839	date:	2016-05-24T00:00:00
db:	JVNDB	id:	JVNDB-2016-002956	date:	2016-06-01T00:00:00
db:	CNNVD	id:	CNNVD-201605-590	date:	2016-05-30T00:00:00
db:	NVD	id:	CVE-2016-1404	date:	2025-04-12T10:46:40.837

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-90223	date:	2016-05-29T00:00:00
db:	BID	id:	90839	date:	2016-05-24T00:00:00
db:	JVNDB	id:	JVNDB-2016-002956	date:	2016-06-01T00:00:00
db:	CNNVD	id:	CNNVD-201605-590	date:	2016-05-25T00:00:00
db:	NVD	id:	CVE-2016-1404	date:	2016-05-29T22:59:00.123