Lucene search

CiscoCISCO-SA-20141010-CVE-2014-3403

HistoryOct 10, 2014 - 8:53 p.m.

Cisco IOS XE Software Autonomic Networking Infrastructure Certificate Validation Vulnerability

2014-10-1020:53:25

tools.cisco.com

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

EPSS

0.001

Percentile

49.4%

JSON

A vulnerability in certificate validation for Autonomic Networking Infrastructure (ANI) of Cisco IOS XE Software could allow an unauthenticated, remote attacker to masquerade as another device.

The vulnerability is due to incomplete certificate validation. An attacker could exploit this vulnerability by sending crafted messages to the ANI device.

Cisco has confirmed the vulnerability in a security notice; however, software updates are not available.

To exploit this vulnerability, an attacker may need access to trusted, internal networks in which the targeted system may reside, in order to send crafted messages to the device. This access requirement may reduce the likelihood of a successful exploit.

Affected configurations

Vulners

Node

ciscocisco_iosMatch3.13sxe

ciscocisco_iosMatch3.13.0sxe

VendorProductVersionCPE
ciscocisco_ios3.13scpe:2.3:o:cisco:cisco_ios:3.13s:xe:*:*:*:*:*:*
ciscocisco_ios3.13.0scpe:2.3:o:cisco:cisco_ios:3.13.0s:xe:*:*:*:*:*:*

Vendor	Product	Version	CPE
cisco	cisco_ios	3.13s	cpe:2.3:o:cisco:cisco_ios:3.13s:xe::::::
cisco	cisco_ios	3.13.0s	cpe:2.3:o:cisco:cisco_ios:3.13.0s:xe::::::

References

sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/Cisco-SA-20141010-CVE-2014-3403

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

EPSS

0.001

Percentile

49.4%

JSON

Related for CISCO-SA-20141010-CVE-2014-3403