CVE-2013-5511

EUVD-2013-5351

13.10.2013, 10:20

The Adaptive Security Device Management (ASDM) remote-management feature in Cisco Adaptive Security Appliance (ASA) Software 8.2.x before 8.2(5.46), 8.3.x before 8.3(2.39), 8.4.x before 8.4(6), 8.5.x before 8.5(1.18), 8.6.x before 8.6(1.12), 8.7.x before 8.7(1.7), 9.0.x before 9.0(3.1), and 9.1.x before 9.1(2.6) does not properly implement the authentication-certificate option, which allows remote attackers to bypass authentication via a TCP session to an ASDM interface, aka Bug ID CSCuh44815.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	10 UNKNOWN	NETWORK	LOW		AV:N/AC:L/Au:N/C:C/I:C/A:C

Base Score

CVSS 3.x

EPSS Score

Percentile: 81%

Affected Products (NVD)

Vendor	Product	Version
cisco	adaptive_security_appliance_software	8.2
cisco	adaptive_security_appliance_software	8.2\(1\)
cisco	adaptive_security_appliance_software	8.2\(2\)
cisco	adaptive_security_appliance_software	8.2\(3\)
cisco	adaptive_security_appliance_software	8.2\(3.9\)
cisco	adaptive_security_appliance_software	8.2\(4\)
cisco	adaptive_security_appliance_software	8.2\(4.1\)
cisco	adaptive_security_appliance_software	8.2\(4.4\)
cisco	adaptive_security_appliance_software	8.2\(5\)
cisco	adaptive_security_appliance_software	8.2\(5.35\)
cisco	adaptive_security_appliance_software	8.2\(5.38\)
cisco	adaptive_security_appliance_software	8.2.1
cisco	adaptive_security_appliance_software	8.2.2
cisco	adaptive_security_appliance_software	8.2.2:interim
cisco	adaptive_security_appliance_software	8.2.3
cisco	adaptive_security_appliance_software	8.3\(1\)
cisco	adaptive_security_appliance_software	8.3\(2\)
cisco	adaptive_security_appliance_software	8.3\(2.34\)
cisco	adaptive_security_appliance_software	8.3\(2.37\)
cisco	adaptive_security_appliance_software	8.3.1
cisco	adaptive_security_appliance_software	8.3.1:interim
cisco	adaptive_security_appliance_software	8.3.2
cisco	adaptive_security_appliance_software	8.4
cisco	adaptive_security_appliance_software	8.4\(1\)
cisco	adaptive_security_appliance_software	8.4\(1.11\)
cisco	adaptive_security_appliance_software	8.4\(2\)
cisco	adaptive_security_appliance_software	8.4\(2.11\)
cisco	adaptive_security_appliance_software	8.4\(3\)
cisco	adaptive_security_appliance_software	8.4\(4.11\)
cisco	adaptive_security_appliance_software	8.4\(5\)
cisco	adaptive_security_appliance_software	8.5
cisco	adaptive_security_appliance_software	8.5\(1\)
cisco	adaptive_security_appliance_software	8.5\(1.4\)
cisco	adaptive_security_appliance_software	8.5\(1.17\)
cisco	adaptive_security_appliance_software	8.6
cisco	adaptive_security_appliance_software	8.6\(1\)
cisco	adaptive_security_appliance_software	8.6\(1.3\)
cisco	adaptive_security_appliance_software	8.6\(1.10\)
cisco	adaptive_security_appliance_software	8.7\(1.3\)
cisco	adaptive_security_appliance_software	8.7.1
cisco	adaptive_security_appliance_software	8.7.1.1
cisco	adaptive_security_appliance_software	9.0
cisco	adaptive_security_appliance_software	9.1
cisco	adaptive_security_appliance_software	9.1\(1.7\)

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-287 - Improper Authentication
When an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct.

References

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131009-asa

http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-5511

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131009-asa

http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-5511