Vulnerability CVE-2014-6102 - CERT Civis.Net

Vulnerability Name:

CVE-2014-6102 (CCN-96141)

Assigned:

2014-09-02

Published:

2015-01-28

Updated:

2017-09-08

Summary:

IBM Maximo Asset Management 7.1 through 7.1.1.13 and 7.5.0 before 7.5.0.6 IFIX008, Maximo Asset Management 7.5.0 through 7.5.0.3 and 7.5.1 through 7.5.1.2 for SmartCloud Control Desk, and Maximo Asset Management 7.1 through 7.1.1.13 and 7.2 for Tivoli IT Asset Management for IT and certain other products do not properly handle logout actions, which allows remote attackers to bypass intended Cognos BI Direct Integration access restrictions by leveraging an unattended workstation.
Per an <a href="http://www-01.ibm.com/support/docview.wss?uid=swg21695597">IBM Security Bulletin</a> IBM identifies access vector as local

CVSS v3 Severity:

4.0 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Exploitability Metrics:	Attack Vector (AV): Local Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): Low Availibility (A): None

CVSS v2 Severity:

2.1 Low (CVSS v2 Vector: AV:L/AC:L/Au:N/C:N/I:P/A:N)
1.6 Low (Temporal CVSS v2 Vector: AV:L/AC:L/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Local Access Complexity (AC): Low Authentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

2.1 Low (CCN CVSS v2 Vector: AV:L/AC:L/Au:N/C:N/I:P/A:N)
1.6 Low (CCN Temporal CVSS v2 Vector: AV:L/AC:L/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Local Access Complexity (AC): Low Athentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

Vulnerability Type:

Vulnerability Consequences:

Bypass Security

References:

Source: MITRE
Type: CNA
CVE-2014-6102

Source: CONFIRM
Type: Patch, Vendor Advisory
http://www-01.ibm.com/support/docview.wss?uid=swg21695597

Source: CCN
Type: IBM Security Bulletin 1695597
COGNOS DIRECT INTEGRATION ACCESS REMAINS OPEN AFTER CLOSING MAXIMO SESSION (CVE-2014-6102)

Source: XF
Type: UNKNOWN
ibm-maximo-cve20146102-sec-bypass(96141)

Source: XF
Type: UNKNOWN
ibm-maximo-cve20146102-sec-bypass(96141)

Vulnerable Configuration:

Configuration 1:

cpe:/a:ibm:change_and_configuration_management_database:7.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:change_and_configuration_management_database:7.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:maximo_asset_management:7.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:maximo_asset_management:7.1.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:maximo_asset_management:7.1.1.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:maximo_asset_management:7.1.1.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:maximo_asset_management:7.1.1.5:*:*:*:*:*:*:*

OR cpe:/a:ibm:maximo_asset_management:7.1.1.6:*:*:*:*:*:*:*

OR cpe:/a:ibm:maximo_asset_management:7.1.1.7:*:*:*:*:*:*:*

OR cpe:/a:ibm:maximo_asset_management:7.1.1.8:*:*:*:*:*:*:*

OR cpe:/a:ibm:maximo_asset_management:7.1.1.9:*:*:*:*:*:*:*

OR cpe:/a:ibm:maximo_asset_management:7.1.1.10:*:*:*:*:*:*:*

OR cpe:/a:ibm:maximo_asset_management:7.1.1.11:*:*:*:*:*:*:*

OR cpe:/a:ibm:maximo_asset_management:7.1.1.12:*:*:*:*:*:*:*

OR cpe:/a:ibm:maximo_asset_management:7.1.1.13:*:*:*:*:*:*:*

OR cpe:/a:ibm:maximo_asset_management:7.1.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:maximo_asset_management:7.5.0.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:maximo_asset_management:7.5.0.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:maximo_asset_management:7.5.0.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:maximo_asset_management:7.5.0.3:*:*:*:*:*:*:*

OR cpe:/a:ibm:maximo_asset_management:7.5.0.4:*:*:*:*:*:*:*

OR cpe:/a:ibm:maximo_asset_management:7.5.0.5:*:*:*:*:*:*:*

OR cpe:/a:ibm:maximo_asset_management:7.5.0.6:*:*:*:*:*:*:*

OR cpe:/a:ibm:maximo_asset_management:7.5.0.10:*:*:*:*:*:*:*

OR cpe:/a:ibm:maximo_asset_management_essentials:7.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:maximo_asset_management_essentials:7.5.0.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:maximo_for_government:7.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:maximo_for_government:7.5.0.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:maximo_for_life_sciences:7.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:maximo_for_life_sciences:7.5.0.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:maximo_for_nuclear_power:7.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:maximo_for_nuclear_power:7.5.0.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:maximo_for_oil_and_gas:7.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:maximo_for_oil_and_gas:7.5.0.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:maximo_for_transportation:7.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:maximo_for_transportation:7.5.0.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:maximo_for_utilities:7.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:maximo_for_utilities:7.5.0.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:smartcloud_control_desk:7.5.0.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:smartcloud_control_desk:7.5.0.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:smartcloud_control_desk:7.5.0.3:*:*:*:*:*:*:*

OR cpe:/a:ibm:smartcloud_control_desk:7.5.0.5:*:*:*:*:*:*:*

OR cpe:/a:ibm:smartcloud_control_desk:7.5.1.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:smartcloud_control_desk:7.5.1.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:tivoli_asset_management_for_it:7.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:tivoli_asset_management_for_it:7.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:tivoli_service_request_manager:7.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:tivoli_service_request_manager:7.2:*:*:*:*:*:*:*

Configuration CCN 1:

cpe:/a:ibm:maximo_asset_management:7.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:maximo_asset_management:7.5:*:*:*:*:*:*:*

Denotes that component is vulnerable