ID CVE-2014-8371
Summary VMware vCenter Server Appliance (vCSA) 5.5 before Update 2, 5.1 before Update 3, and 5.0 before Update 3c does not properly validate certificates when connecting to a CIM Server on an ESXi host, which allows man-in-the-middle attackers to spoof CIM servers via a crafted certificate.
References
Vulnerable Configurations
  • cpe:2.3:a:vmware:vcenter_server_appliance:5.0:update_1:*:*:*:*:*:*
    cpe:2.3:a:vmware:vcenter_server_appliance:5.0:update_1:*:*:*:*:*:*
  • cpe:2.3:a:vmware:vcenter_server_appliance:5.0:update_2:*:*:*:*:*:*
    cpe:2.3:a:vmware:vcenter_server_appliance:5.0:update_2:*:*:*:*:*:*
  • cpe:2.3:a:vmware:vcenter_server_appliance:5.0:update_3:*:*:*:*:*:*
    cpe:2.3:a:vmware:vcenter_server_appliance:5.0:update_3:*:*:*:*:*:*
  • cpe:2.3:a:vmware:vcenter_server_appliance:5.0:update_3a:*:*:*:*:*:*
    cpe:2.3:a:vmware:vcenter_server_appliance:5.0:update_3a:*:*:*:*:*:*
  • cpe:2.3:a:vmware:vcenter_server_appliance:5.1:*:*:*:*:*:*:*
    cpe:2.3:a:vmware:vcenter_server_appliance:5.1:*:*:*:*:*:*:*
  • cpe:2.3:a:vmware:vcenter_server_appliance:5.1:update_1:*:*:*:*:*:*
    cpe:2.3:a:vmware:vcenter_server_appliance:5.1:update_1:*:*:*:*:*:*
  • cpe:2.3:a:vmware:vcenter_server_appliance:5.1:update_2:*:*:*:*:*:*
    cpe:2.3:a:vmware:vcenter_server_appliance:5.1:update_2:*:*:*:*:*:*
  • cpe:2.3:a:vmware:vcenter_server_appliance:5.5:*:*:*:*:*:*:*
    cpe:2.3:a:vmware:vcenter_server_appliance:5.5:*:*:*:*:*:*:*
  • cpe:2.3:a:vmware:vcenter_server_appliance:5.5:update_1:*:*:*:*:*:*
    cpe:2.3:a:vmware:vcenter_server_appliance:5.5:update_1:*:*:*:*:*:*
CVSS
Base: 4.3 (as of 09-10-2018 - 19:53)
Impact:
Exploitability:
CWE CWE-310
CAPEC
  • Signature Spoofing by Key Recreation
    An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.
Access
VectorComplexityAuthentication
NETWORK MEDIUM NONE
Impact
ConfidentialityIntegrityAvailability
NONE PARTIAL NONE
cvss-vector via4 AV:N/AC:M/Au:N/C:N/I:P/A:N
refmap via4
bugtraq 20141205 NEW: VMSA-2014-0012 - VMware vSphere product updates address security vulnerabilities
confirm http://www.vmware.com/security/advisories/VMSA-2014-0012.html
fulldisc 20141205 NEW: VMSA-2014-0012 - VMware vSphere product updates address security vulnerabilities
Last major update 09-10-2018 - 19:53
Published 08-12-2014 - 11:59
Back to Top