CVE-2014-8371 - VMware vCenter Server Appliance (vCSA) 5.5 before Update 2, 5.1 before Update 3, and 5.0 before Upda

CVE-2014-8371

Summary

VMware vCenter Server Appliance (vCSA) 5.5 before Update 2, 5.1 before Update 3, and 5.0 before Update 3c does not properly validate certificates when connecting to a CIM Server on an ESXi host, which allows man-in-the-middle attackers to spoof CIM servers via a crafted certificate.

References

Vulnerable Configurations

cpe:2.3:a:vmware:vcenter_server_appliance:5.0:update_1:*:*:*:*:*:*
cpe:2.3:a:vmware:vcenter_server_appliance:5.0:update_1:*:*:*:*:*:*
cpe:2.3:a:vmware:vcenter_server_appliance:5.0:update_2:*:*:*:*:*:*
cpe:2.3:a:vmware:vcenter_server_appliance:5.0:update_2:*:*:*:*:*:*
cpe:2.3:a:vmware:vcenter_server_appliance:5.0:update_3:*:*:*:*:*:*
cpe:2.3:a:vmware:vcenter_server_appliance:5.0:update_3:*:*:*:*:*:*
cpe:2.3:a:vmware:vcenter_server_appliance:5.0:update_3a:*:*:*:*:*:*
cpe:2.3:a:vmware:vcenter_server_appliance:5.0:update_3a:*:*:*:*:*:*
cpe:2.3:a:vmware:vcenter_server_appliance:5.1:*:*:*:*:*:*:*
cpe:2.3:a:vmware:vcenter_server_appliance:5.1:*:*:*:*:*:*:*
cpe:2.3:a:vmware:vcenter_server_appliance:5.1:update_1:*:*:*:*:*:*
cpe:2.3:a:vmware:vcenter_server_appliance:5.1:update_1:*:*:*:*:*:*
cpe:2.3:a:vmware:vcenter_server_appliance:5.1:update_2:*:*:*:*:*:*
cpe:2.3:a:vmware:vcenter_server_appliance:5.1:update_2:*:*:*:*:*:*
cpe:2.3:a:vmware:vcenter_server_appliance:5.5:*:*:*:*:*:*:*
cpe:2.3:a:vmware:vcenter_server_appliance:5.5:*:*:*:*:*:*:*
cpe:2.3:a:vmware:vcenter_server_appliance:5.5:update_1:*:*:*:*:*:*
cpe:2.3:a:vmware:vcenter_server_appliance:5.5:update_1:*:*:*:*:*:*

CVSS

Base:	4.3 (as of 09-10-2018 - 19:53)
Impact:
Exploitability:

CWE

CWE-310

CAPEC

Signature Spoofing by Key Recreation
An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.

Access

Vector	Complexity	Authentication
NETWORK	MEDIUM	NONE

Impact

Confidentiality	Integrity	Availability
NONE	PARTIAL	NONE

cvss-vector via4

AV:N/AC:M/Au:N/C:N/I:P/A:N

refmap via4

bugtraq	20141205 NEW: VMSA-2014-0012 - VMware vSphere product updates address security vulnerabilities
confirm	http://www.vmware.com/security/advisories/VMSA-2014-0012.html
fulldisc	20141205 NEW: VMSA-2014-0012 - VMware vSphere product updates address security vulnerabilities

Last major update

09-10-2018 - 19:53

Published

08-12-2014 - 11:59

Last modified

09-10-2018 - 19:53