CVE-2014-8421

12.04.2018, 21:29

Unify (former Siemens) OpenStage SIP and OpenScape Desk Phone IP V3 devices before R3.32.0 allow remote attackers to gain super-user privileges by leveraging SSH access and incorrect ownership of (1) ConfigureCoreFile.sh, (2) Traceroute.sh, (3) apps.sh, (4) conversion_java2native.sh, (5) coreCompression.sh, (6) deletePasswd.sh, (7) findHealthSvcFDs.sh, (8) fw_printenv.sh, (9) fw_setenv.sh, (10) hw_wd_kicker.sh, (11) new_rootfs.sh, (12) opera_killSnmpd.sh, (13) opera_startSnmpd.sh, (14) rebootOperaSoftware.sh, (15) removeLogFiles.sh, (16) runOperaServices.sh, (17) setPasswd.sh, (18) startAccTestSvcs.sh, (19) usbNotification.sh, or (20) appWeb in /Opera_Deploy.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	7.5 HIGH	NETWORK	HIGH	LOW	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
mitre	CNA	---				---
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 74%

Vendor	Product	Version
unify	openstage_sip	𝑥 < r3.32.0
unify	openscape_desk_phone_ip_sip	𝑥 < r3.32.0

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-264 -

References

https://networks.unify.com/security/advisories/OBSO-1501-02.pdf

https://www.modzero.ch/advisories/MZ-14-02-Siemens-Unify-OpenStage.txt

https://networks.unify.com/security/advisories/OBSO-1501-02.pdf

https://www.modzero.ch/advisories/MZ-14-02-Siemens-Unify-OpenStage.txt