Vulnerability Name:

CVE-2014-4811 (CCN-95387)

Assigned:2014-08-28
Published:2014-08-28
Updated:2017-08-29
Summary:IBM Storwize 3500, 3700, 5000, and 7000 devices and SAN Volume Controller 6.x and 7.x before 7.2.0.8 allow remote attackers to reset the administrator superuser password to its default value via a direct request to the administrative IP address.
CVSS v3 Severity:10.0 Critical (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Changed
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availibility (A): High
CVSS v2 Severity:7.5 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)
5.5 Medium (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availibility (A): Partial
10.0 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C)
7.4 High (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): None
Impact Metrics:Confidentiality (C): Complete
Integrity (I): Complete
Availibility (A): Complete
Vulnerability Type:CWE-255
Vulnerability Consequences:Bypass Security
References:Source: MITRE
Type: CNA
CVE-2014-4811

Source: SECUNIA
Type: UNKNOWN
61075

Source: CCN
Type: IBM Security Bulletin S1004846
Administrator password can be reset without authentication on SAN Volume Controller and Storwize Family (CVE-2014-4811)

Source: CONFIRM
Type: Patch, Vendor Advisory
http://www.ibm.com/support/docview.wss?uid=ssg1S1004846

Source: BID
Type: UNKNOWN
69771

Source: CCN
Type: BID-69771
IBM V7000 Unified CVE-2014-4811 Security Bypass Vulnerability

Source: XF
Type: UNKNOWN
ibm-storwize-cve20144811-sec-bypass(95387)

Source: XF
Type: UNKNOWN
ibm-storwize-cve20144811-superuser(95387)

Vulnerable Configuration:Configuration 1:
  • cpe:/o:ibm:san_volume_controller_firmware:6.1.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:san_volume_controller_software:6.1.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:san_volume_controller_software:6.1.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:san_volume_controller_software:6.1.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:san_volume_controller_software:6.1.0.4:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:san_volume_controller_software:6.1.0.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:san_volume_controller_software:6.1.0.6:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:san_volume_controller_software:6.1.0.7:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:san_volume_controller_software:6.1.0.8:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:san_volume_controller_software:6.1.0.9:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:san_volume_controller_software:6.1.0.10:*:*:*:*:*:*:*
  • OR cpe:/o:ibm:san_volume_controller_firmware:6.2.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:san_volume_controller_software:6.2.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:san_volume_controller_software:6.2.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:san_volume_controller_software:6.2.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:san_volume_controller_software:6.2.0.4:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:san_volume_controller_software:6.2.0.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:san_volume_controller_software:6.2.0.6:*:*:*:*:*:*:*
  • OR cpe:/o:ibm:san_volume_controller_firmware:6.3.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:san_volume_controller_software:6.3.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:san_volume_controller_software:6.3.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:san_volume_controller_software:6.3.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:san_volume_controller_software:6.3.0.4:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:san_volume_controller_software:6.3.0.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:san_volume_controller_software:6.3.0.6:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:san_volume_controller_software:6.3.0.7:*:*:*:*:*:*:*
  • OR cpe:/o:ibm:san_volume_controller_firmware:6.4.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:san_volume_controller_software:6.4.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:san_volume_controller_software:6.4.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:san_volume_controller_software:6.4.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:san_volume_controller_software:6.4.0.4:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:san_volume_controller_software:6.4.1.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:san_volume_controller_software:6.4.1.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:san_volume_controller_software:6.4.1.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:san_volume_controller_software:6.4.1.4:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:san_volume_controller_software:6.4.1.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:san_volume_controller_software:6.4.1.6:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:san_volume_controller_software:6.4.1.7:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:san_volume_controller_software:6.4.1.8:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:san_volume_controller_software:7.1.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:san_volume_controller_software:7.1.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:san_volume_controller_software:7.1.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:san_volume_controller_software:7.1.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:san_volume_controller_software:7.1.0.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:san_volume_controller_software:7.1.0.6:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:san_volume_controller_software:7.1.0.7:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:san_volume_controller_software:7.2.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:san_volume_controller_software:7.2.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:san_volume_controller_software:7.2.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:san_volume_controller_software:7.2.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:san_volume_controller_software:7.2.0.4:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:san_volume_controller_software:7.2.0.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:san_volume_controller_software:7.2.0.6:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:san_volume_controller_software:7.2.0.7:*:*:*:*:*:*:*
  • OR cpe:/h:ibm:storwize_v3500:-:*:*:*:*:*:*:*
  • OR cpe:/h:ibm:storwize_v3700:-:*:*:*:*:*:*:*
  • OR cpe:/h:ibm:storwize_v5000:-:*:*:*:*:*:*:*
  • OR cpe:/h:ibm:storwize_v7000:-:*:*:*:*:*:*:*

    • Configuration CCN 1:
  • cpe:/a:ibm:storwize_v7000_software:6.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:storwize_v7000_software:6.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:storwize_v7000_software:6.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:storwize_v7000_software:6.4:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:storwize_v7000_software:7.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:storwize_v7000_software:7.2:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    BACK
    ibm san volume controller software 6.1.0.0
    ibm san volume controller software 6.1.0.1
    ibm san volume controller software 6.1.0.2
    ibm san volume controller software 6.1.0.3
    ibm san volume controller software 6.1.0.4
    ibm san volume controller software 6.1.0.5
    ibm san volume controller software 6.1.0.6
    ibm san volume controller software 6.1.0.7
    ibm san volume controller software 6.1.0.8
    ibm san volume controller software 6.1.0.9
    ibm san volume controller software 6.1.0.10
    ibm san volume controller software 6.2.0.0
    ibm san volume controller software 6.2.0.1
    ibm san volume controller software 6.2.0.2
    ibm san volume controller software 6.2.0.3
    ibm san volume controller software 6.2.0.4
    ibm san volume controller software 6.2.0.5
    ibm san volume controller software 6.2.0.6
    ibm san volume controller software 6.3.0.0
    ibm san volume controller software 6.3.0.1
    ibm san volume controller software 6.3.0.2
    ibm san volume controller software 6.3.0.3
    ibm san volume controller software 6.3.0.4
    ibm san volume controller software 6.3.0.5
    ibm san volume controller software 6.3.0.6
    ibm san volume controller software 6.3.0.7
    ibm san volume controller software 6.4.0.0
    ibm san volume controller software 6.4.0.1
    ibm san volume controller software 6.4.0.2
    ibm san volume controller software 6.4.0.3
    ibm san volume controller software 6.4.0.4
    ibm san volume controller software 6.4.1.1
    ibm san volume controller software 6.4.1.2
    ibm san volume controller software 6.4.1.3
    ibm san volume controller software 6.4.1.4
    ibm san volume controller software 6.4.1.5
    ibm san volume controller software 6.4.1.6
    ibm san volume controller software 6.4.1.7
    ibm san volume controller software 6.4.1.8
    ibm san volume controller software 7.1.0.0
    ibm san volume controller software 7.1.0.1
    ibm san volume controller software 7.1.0.2
    ibm san volume controller software 7.1.0.3
    ibm san volume controller software 7.1.0.5
    ibm san volume controller software 7.1.0.6
    ibm san volume controller software 7.1.0.7
    ibm san volume controller software 7.2.0.0
    ibm san volume controller software 7.2.0.1
    ibm san volume controller software 7.2.0.2
    ibm san volume controller software 7.2.0.3
    ibm san volume controller software 7.2.0.4
    ibm san volume controller software 7.2.0.5
    ibm san volume controller software 7.2.0.6
    ibm san volume controller software 7.2.0.7
    ibm storwize v3500 -
    ibm storwize v3700 -
    ibm storwize v5000 -
    ibm storwize v7000 -
    ibm storwize v7000 software 6.1
    ibm storwize v7000 software 6.2
    ibm storwize v7000 software 6.3
    ibm storwize v7000 software 6.4
    ibm storwize v7000 software 7.1
    ibm storwize v7000 software 7.2