CVE-2012-4073 - Vulnerability Details - OpenCVE

Description

The KVM subsystem in the client in Cisco Unified Computing System (UCS) does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers, and read or modify KVM data, via a crafted certificate, aka Bug ID CSCte90332.

Published: 2013-09-20

Score: 5.8 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

No analysis available yet.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

n/a

n/a

affected

Version	Status	Constraints
`n/a`	affected	—

Configuration 1 [-]

cpe:2.3:h:cisco:unified_computing_system:-:*:*:*:*:*:*:*

No data.

No data available yet.

Remediation

No remediation available yet.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2012-4017	The KVM subsystem in the client in Cisco Unified Computing System (UCS) does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers, and read or modify KVM data, via a crafted certificate, aka Bug ID CSCte90332.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.00176.

Key SSVC decision points have not yet been added.

References

Link	Providers
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2012-4073
http://www.securitytracker.com/id/1029068

History

No history.

Subscriptions

Cisco Unified Computing System

MITRE

Status: PUBLISHED

Assigner: cisco

Published: 2013-09-20T16:00:00.000Z

Updated: 2024-08-06T20:28:06.916Z

Reserved: 2012-07-31T00:00:00.000Z

Link: CVE-2012-4073

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2013-09-20T16:55:07.690

Modified: 2025-04-11T00:51:21.963

Link: CVE-2012-4073

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-310

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2013-09-17T00:00:00.000Z", "descriptions": [{"lang": "en", "value": "The KVM subsystem in the client in Cisco Unified Computing System (UCS) does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers, and read or modify KVM data, via a crafted certificate, aka Bug ID CSCte90332."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2013-10-24T09:00:00.000Z", "orgId": "d1c1063e-7a18-46af-9102-31f8928bc633", "shortName": "cisco"}, "references": [{"name": "1029068", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id/1029068"}, {"name": "20130917 Cisco Unified Computing System Software KVM Client Certificate Validation Vulnerability", "tags": ["vendor-advisory", "x_refsource_CISCO"], "url": "http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2012-4073"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "psirt@cisco.com", "ID": "CVE-2012-4073", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The KVM subsystem in the client in Cisco Unified Computing System (UCS) does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers, and read or modify KVM data, via a crafted certificate, aka Bug ID CSCte90332."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "1029068", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1029068"}, {"name": "20130917 Cisco Unified Computing System Software KVM Client Certificate Validation Vulnerability", "refsource": "CISCO", "url": "http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2012-4073"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T20:28:06.916Z"}, "title": "CVE Program Container", "references": [{"name": "1029068", "tags": ["vdb-entry", "x_refsource_SECTRACK", "x_transferred"], "url": "http://www.securitytracker.com/id/1029068"}, {"name": "20130917 Cisco Unified Computing System Software KVM Client Certificate Validation Vulnerability", "tags": ["vendor-advisory", "x_refsource_CISCO", "x_transferred"], "url": "http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2012-4073"}]}]}, "cveMetadata": {"assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633", "assignerShortName": "cisco", "cveId": "CVE-2012-4073", "datePublished": "2013-09-20T16:00:00.000Z", "dateReserved": "2012-07-31T00:00:00.000Z", "dateUpdated": "2024-08-06T20:28:06.916Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:h:cisco:unified_computing_system:-:*:*:*:*:*:*:*", "matchCriteriaId": "301FBC67-7946-479D-ACC5-D54CBD698291", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The KVM subsystem in the client in Cisco Unified Computing System (UCS) does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers, and read or modify KVM data, via a crafted certificate, aka Bug ID CSCte90332."}, {"lang": "es", "value": "El subsistema KVM (en el cliente) de Cisco Unified Computing System (UCS) no verifica apropiadamente los certificados X.509 desde servidores SSL, lo que permite a atacantes man-in-the-middle falsear servidores, y leer o modificar datos del KVM, a trav\u00e9s de certificados manipulados. Tambien conocido como Bug ID CSCte90332."}], "id": "CVE-2012-4073", "lastModified": "2025-04-11T00:51:21.963", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2013-09-20T16:55:07.690", "references": [{"source": "psirt@cisco.com", "tags": ["Vendor Advisory"], "url": "http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2012-4073"}, {"source": "psirt@cisco.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securitytracker.com/id/1029068"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2012-4073"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securitytracker.com/id/1029068"}], "sourceIdentifier": "psirt@cisco.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-310"}], "source": "nvd@nist.gov", "type": "Primary"}]}