Vulnerability Name:

CVE-2014-2127 (CCN-92384)

Assigned:2014-04-09
Published:2014-04-09
Updated:2014-04-10
Summary:Cisco Adaptive Security Appliance (ASA) Software 8.x before 8.2(5.48), 8.3 before 8.3(2.40), 8.4 before 8.4(7.9), 8.6 before 8.6(1.13), 9.0 before 9.0(4.1), and 9.1 before 9.1(4.3) does not properly process management-session information during privilege validation for SSL VPN portal connections, which allows remote authenticated users to gain privileges by establishing a Clientless SSL VPN session and entering crafted URLs, aka Bug ID CSCul70099.
CVSS v3 Severity:8.0 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): Low
User Interaction (UI): Required
Scope:Scope (S): Changed
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availibility (A): High
CVSS v2 Severity:8.5 High (CVSS v2 Vector: AV:N/AC:M/Au:S/C:C/I:C/A:C)
6.3 Medium (Temporal CVSS v2 Vector: AV:N/AC:M/Au:S/C:C/I:C/A:C/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): Complete
Integrity (I): Complete
Availibility (A): Complete
8.5 High (CCN CVSS v2 Vector: AV:N/AC:M/Au:S/C:C/I:C/A:C)
6.3 Medium (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:S/C:C/I:C/A:C/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Athentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): Complete
Integrity (I): Complete
Availibility (A): Complete
Vulnerability Type:CWE-20
Vulnerability Consequences:Gain Privileges
References:Source: MITRE
Type: CNA
CVE-2014-2127

Source: CCN
Type: SA57820
Cisco Adaptive Security Appliance (ASA) Multiple Vulnerabilities

Source: CCN
Type: cisco-sa-20140409-asa
Multiple Vulnerabilities in Cisco ASA Software

Source: CISCO
Type: Vendor Advisory
20140409 Multiple Vulnerabilities in Cisco ASA Software

Source: CCN
Type: BID-66748
Cisco Adaptive Security Appliance SSL VPN Remote Privilege Escalation Vulnerability

Source: XF
Type: UNKNOWN
cisco-asa-cve20142127-priv-esc(92384)

Source: CCN
Type: TWSL2014-005
VPN Privilege Escalation Vulnerability in Cisco ASA

Vulnerable Configuration:Configuration 1:
  • cpe:/a:cisco:adaptive_security_appliance_software:8.0:*:*:*:*:*:*:*
  • OR cpe:/a:cisco:adaptive_security_appliance_software:8.1:*:*:*:*:*:*:*
  • OR cpe:/a:cisco:adaptive_security_appliance_software:8.2:*:*:*:*:*:*:*
  • OR cpe:/a:cisco:adaptive_security_appliance_software:8.3(1):*:*:*:*:*:*:*
  • OR cpe:/a:cisco:adaptive_security_appliance_software:8.4:*:*:*:*:*:*:*
  • OR cpe:/a:cisco:adaptive_security_appliance_software:8.6:*:*:*:*:*:*:*
  • OR cpe:/a:cisco:adaptive_security_appliance_software:9.0:*:*:*:*:*:*:*
  • OR cpe:/a:cisco:adaptive_security_appliance_software:9.1:*:*:*:*:*:*:*

    • Configuration CCN 1:
  • cpe:/o:cisco:adaptive_security_appliance:8.2:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    BACK
    cisco adaptive security appliance software 8.0
    cisco adaptive security appliance software 8.1
    cisco adaptive security appliance software 8.2
    cisco adaptive security appliance software 8.3(1)
    cisco adaptive security appliance software 8.4
    cisco adaptive security appliance software 8.6
    cisco adaptive security appliance software 9.0
    cisco adaptive security appliance software 9.1
    cisco adaptive security appliance 8.2