CVE-2014-8422

Published: Apr 12, 2018Modified: Nov 21, 2024

8.1

Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.2 / Impact: 5.9

Source: NVD

Description

The web-based management (WBM) interface in Unify (former Siemens) OpenStage SIP and OpenScape Desk Phone IP V3 devices before R3.32.0 generates session cookies with insufficient entropy, which makes it easier for remote attackers to hijack sessions via a brute-force attack.

Affected (2)

Products: Unify: Openstage Sip, Openscape Desk Phone Ip Sip

2 products

Openscape Desk Phone Ip Sip

Configuration A

1 vulnerable · 3 platform

Vulnerable Software	Affected Versions
Unify Openstage Sip	Before r3.32.0

Running on/with	Platform Versions
Unify Openstage 20	All versions
Unify Openstage 40	All versions
Unify Openstage 60	All versions

Configuration B

1 vulnerable · 3 platform

Vulnerable Software	Affected Versions
Unify Openscape Desk Phone Ip Sip	Before r3.32.0

Running on/with	Platform Versions
Atos Openscape Desk Phone Ip 35g	All versions
Atos Openscape Desk Phone Ip 35g Eco	All versions
Atos Openscape Desk Phone Ip 55g	All versions

Related CWEs

Insufficient Entropy

The product uses an algorithm or scheme that produces insufficient entropy, leaving patterns or clusters of values that are more likely to occur than others.

References (4)

https://networks.unify.com/security/advisories/OBSO-1501-02.pdf

Source: cve@mitre.org

MitigationVendor Advisory

https://www.modzero.ch/advisories/MZ-14-02-Siemens-Unify-OpenStage.txt

Source: cve@mitre.org

Third Party Advisory

https://networks.unify.com/security/advisories/OBSO-1501-02.pdf

Source: af854a3a-2127-422b-91ae-364da2661108

MitigationVendor Advisory

https://www.modzero.ch/advisories/MZ-14-02-Siemens-Unify-OpenStage.txt

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.