Vulnerability Details : CVE-2014-9754
The hardware VPN client in Viprinet MultichannelVPN Router 300 version 2013070830/2013080900 does not validate the remote VPN endpoint identity (through the checking of the endpoint's SSL key) before initiating the exchange, which allows an attacker to perform a Man in the Middle attack.
Vulnerability category: Input validation
Exploit prediction scoring system (EPSS) score for CVE-2014-9754
Probability of exploitation activity in the next 30 days: 0.11%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 43 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2014-9754
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
|---|---|---|---|---|---|
|
4.3
|
MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
8.6
|
2.9
|
NIST |
|
5.9
|
MEDIUM | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N |
2.2
|
3.6
|
NIST |
CWE ids for CVE-2014-9754
-
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.Assigned by: nvd@nist.gov (Primary)
References for CVE-2014-9754
-
http://packetstormsecurity.com/files/135614/Viprinet-Multichannel-VPN-Router-300-Identity-Verification-Fail.html
Viprinet Multichannel VPN Router 300 Identity Verification Fail ≈ Packet StormThird Party Advisory;VDB Entry
-
http://www.securityfocus.com/archive/1/537441/100/0/threaded
SecurityFocus
-
http://seclists.org/fulldisclosure/2016/Feb/8
Full Disclosure: Security AdvisoriesMailing List;Third Party Advisory
Products affected by CVE-2014-9754
- cpe:2.3:o:viprinet:multichannel_vpn_router_300_firmware:2013080900:*:*:*:*:*:*:*
- cpe:2.3:o:viprinet:multichannel_vpn_router_300_firmware:2013070830:*:*:*:*:*:*:*