CVE-2014-8421 Information

Description

Unify (former Siemens) OpenStage SIP and OpenScape Desk Phone IP V3 devices before R3.32.0 allow remote attackers to gain super-user privileges by leveraging SSH access and incorrect ownership of (1) ConfigureCoreFile.sh (2) Traceroute.sh (3) apps.sh (4) conversion_java2native.sh (5) coreCompression.sh (6) deletePasswd.sh (7) findHealthSvcFDs.sh (8) fw_printenv.sh (9) fw_setenv.sh (10) hw_wd_kicker.sh (11) new_rootfs.sh (12) opera_killSnmpd.sh (13) opera_startSnmpd.sh (14) rebootOperaSoftware.sh (15) removeLogFiles.sh (16) runOperaServices.sh (17) setPasswd.sh (18) startAccTestSvcs.sh (19) usbNotification.sh or (20) appWeb in /Opera_Deploy.

CVSS Vector

CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Reference

https://networks.unify.com/security/advisories/OBSO-1501-02.pdf https://www.modzero.ch/advisories/MZ-14-02-Siemens-Unify-OpenStage.txt

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction Required

LOW

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

HIGH

Base Severity

7.5