Vulnerability CVE-2008-3814 - CERT Civis.Net

Vulnerability Name:

CVE-2008-3814 (CCN-45741)

Assigned:

2008-10-08

Published:

2008-10-08

Updated:

2017-08-08

Summary:

Unspecified vulnerability in Cisco Unity 4.x before 4.2(1)ES161, 5.x before 5.0(1)ES53, and 7.x before 7.0(2)ES8, when using anonymous authentication (aka native Unity authentication), allows remote attackers to bypass authentication and read or modify system configuration parameters by going to a specific link more than once.

CVSS v3 Severity:

6.5 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): Low Integrity (I): Low Availibility (A): None

CVSS v2 Severity:

5.8 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N)
4.3 Medium (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Authentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): None

5.8 Medium (CCN CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N)
4.3 Medium (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Athentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): None

Vulnerability Type:

Vulnerability Consequences:

Bypass Security

References:

Source: MITRE
Type: CNA
CVE-2008-3814

Source: CCN
Type: SA32187
Cisco Unity Multiple Vulnerabilities

Source: SECUNIA
Type: Vendor Advisory
32187

Source: CCN
Type: SECTRACK ID: 1021011
Cisco Unity Authentication Bypass Bug Lets Remote Users View and Modify the Configuration

Source: CISCO
Type: Patch, Vendor Advisory
20081008 Authentication Bypass in Cisco Unity

Source: CISCO
Type: Patch, Vendor Advisory
20081008 VoIPshield Reported Vulnerabilities in Cisco Unity Server

Source: CCN
Type: cisco-sa-20081008-unity
Cisco Security Advisory: Authentication Bypass in Cisco Unity

Source: CCN
Type: OSVDB ID: 49063
Cisco Unity Authentication Bypass Configuration Modification

Source: BID
Type: UNKNOWN
31638

Source: CCN
Type: BID-31638
Cisco Unity Remote Administration Authentication Bypass Vulnerability

Source: BID
Type: UNKNOWN
31642

Source: CCN
Type: BID-31642
Cisco Unity 7.0 Multiple Remote Vulnerabilities

Source: SECTRACK
Type: UNKNOWN
1021011

Source: CCN
Type: VoIP Security Advisory, 2008-10-08
Cisco Unity Authentication Bypass

Source: MISC
Type: UNKNOWN
http://www.voipshield.com/research-details.php?id=126

Source: VUPEN
Type: Vendor Advisory
ADV-2008-2771

Source: XF
Type: UNKNOWN
unityserver-anonymous-authentication-bypass(45741)

Source: XF
Type: UNKNOWN
unityserver-anonymous-authentication-bypass(45741)

Vulnerable Configuration:

Configuration 1:

cpe:/a:cisco:unity:4.0:*:*:*:*:*:*:*

OR cpe:/a:cisco:unity:4.0(1):*:*:*:*:*:*:*

OR cpe:/a:cisco:unity:4.0(2):*:*:*:*:*:*:*

OR cpe:/a:cisco:unity:4.0(3):*:*:*:*:*:*:*

OR cpe:/a:cisco:unity:4.0(3):sr1:*:*:*:*:*:*

OR cpe:/a:cisco:unity:4.0(4):*:*:*:*:*:*:*

OR cpe:/a:cisco:unity:4.0(4):sr1:*:*:*:*:*:*

OR cpe:/a:cisco:unity:4.0(5):*:*:*:*:*:*:*

OR cpe:/a:cisco:unity:4.1(1):*:*:*:*:*:*:*

OR cpe:/a:cisco:unity:4.2(1):*:*:*:*:*:*:*

OR cpe:/a:cisco:unity:5.0:*:*:*:*:*:*:*

OR cpe:/a:cisco:unity:5.0(1):*:*:*:*:*:*:*

OR cpe:/a:cisco:unity:7.0:*:*:*:*:*:*:*

OR cpe:/a:cisco:unity:7.0(2):*:*:*:*:*:*:*

Configuration CCN 1:

cpe:/h:cisco:unity_server:4.0:*:*:*:*:*:*:*

Denotes that component is vulnerable