Vulnerability CVE-2014-0740 - CERT Civis.Net

Vulnerability Name:

CVE-2014-0740 (CCN-91428)

Assigned:

2014-02-25

Published:

2014-02-25

Updated:

2015-08-01

Summary:

Cross-site request forgery (CSRF) vulnerability in the Call Detail Records Analysis and Reporting (CAR) interface in the OS Administration component in Cisco Unified Communications Manager (Unified CM) 10.0(1) and earlier allows remote attackers to hijack the authentication of administrators for requests that make administrative changes, aka Bug ID CSCun00701.

CVSS v3 Severity:

5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): Low Availibility (A): None

CVSS v2 Severity:

6.8 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P)
5.9 Medium (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P/E:H/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Authentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): Partial

4.3 Medium (CCN CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Athentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

Vulnerability Type:

Vulnerability Consequences:

Gain Access

References:

Source: MITRE
Type: CNA
CVE-2014-0740

Source: CCN
Type: SA57143
Cisco Unified Communications Manager OS Administration Cross-Site Request Forgery Vulnerability

Source: CCN
Type: Cisco Security Notice
Cisco Unified Communications Manager OS Administration CSRF Vulnerability

Source: CISCO
Type: Vendor Advisory
20140225 Cisco Unified Communications Manager OS Administration CSRF Vulnerability

Source: CONFIRM
Type: Vendor Advisory
http://tools.cisco.com/security/center/viewAlert.x?alertId=33049

Source: CCN
Type: BID-65795
Cisco Unified Communications Manager CVE-2014-0740 Cross Site Request Forgery Vulnerability

Source: SECTRACK
Type: UNKNOWN
1029843

Source: XF
Type: UNKNOWN
cisco-ucm-cve20140740-csrf(91428)

Vulnerable Configuration:

Configuration 1:

cpe:/a:cisco:unified_communications_manager:3.3(5):*:*:*:*:*:*:*

OR cpe:/a:cisco:unified_communications_manager:3.3(5)sr1:*:*:*:*:*:*:*

OR cpe:/a:cisco:unified_communications_manager:3.3(5)sr2a:*:*:*:*:*:*:*

OR cpe:/a:cisco:unified_communications_manager:4.1(3):*:*:*:*:*:*:*

OR cpe:/a:cisco:unified_communications_manager:4.1(3)sr1:*:*:*:*:*:*:*

OR cpe:/a:cisco:unified_communications_manager:4.1(3)sr2:*:*:*:*:*:*:*

OR cpe:/a:cisco:unified_communications_manager:4.1(3)sr3:*:*:*:*:*:*:*

OR cpe:/a:cisco:unified_communications_manager:4.1(3)sr4:*:*:*:*:*:*:*

OR cpe:/a:cisco:unified_communications_manager:4.2:*:*:*:*:*:*:*

OR cpe:/a:cisco:unified_communications_manager:4.2.1:*:*:*:*:*:*:*

OR cpe:/a:cisco:unified_communications_manager:4.2.2:*:*:*:*:*:*:*

OR cpe:/a:cisco:unified_communications_manager:4.2.3:*:*:*:*:*:*:*

OR cpe:/a:cisco:unified_communications_manager:4.2.3sr1:*:*:*:*:*:*:*

OR cpe:/a:cisco:unified_communications_manager:4.2.3sr2:*:*:*:*:*:*:*

OR cpe:/a:cisco:unified_communications_manager:4.2.3sr2b:*:*:*:*:*:*:*

OR cpe:/a:cisco:unified_communications_manager:4.3:*:*:*:*:*:*:*

OR cpe:/a:cisco:unified_communications_manager:10.0:*:*:*:*:*:*:*

OR cpe:/a:cisco:unified_communications_manager:*:*:*:*:*:*:*:* (Version <= 10.0(1))

Denotes that component is vulnerable