Vulnerability Details : CVE-2014-4632
VMware vSphere Data Protection (VDP) 5.1, 5.5 before 5.5.9, and 5.8 before 5.8.1 and the proxy client in EMC Avamar Data Store (ADS) and Avamar Virtual Edition (AVE) 6.x and 7.0.x do not properly verify X.509 certificates from vCenter Server SSL servers, which allows man-in-the-middle attackers to spoof servers, and bypass intended backup and restore access restrictions, via a crafted certificate.
Products affected by CVE-2014-4632
- cpe:2.3:a:vmware:vsphere_data_protection:5.5.7:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:vsphere_data_protection:5.5.8:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:vsphere_data_protection:5.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:vsphere_data_protection:5.5.6:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:vsphere_data_protection:5.1:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:vsphere_data_protection:5.8.0:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2014-4632
0.07%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 27 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2014-4632
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.3
|
MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
8.6
|
2.9
|
NIST |
CWE ids for CVE-2014-4632
-
Assigned by: nvd@nist.gov (Primary)
References for CVE-2014-4632
-
http://www.securitytracker.com/id/1031664
VMware vSphere Data Protection SSL Certificate Validation Flaw Lets Remote Users Conduct Man-in-the-Middle Attacks - SecurityTracker
-
http://www.vmware.com/security/advisories/VMSA-2015-0002.html
VMSA-2015-0002Vendor Advisory
-
https://exchange.xforce.ibmcloud.com/vulnerabilities/100866
VMware vSphere Data Protection and the proxy client in EMC Avamar Data Store SSL security bypass CVE-2014-4632 Vulnerability Report
-
http://archives.neohapsis.com/archives/bugtraq/2015-01/0154.html
Jump to