CVE-2014-3389
First published: Fri Oct 10 2014(Updated: )
The VPN implementation in Cisco ASA Software 7.2 before 7.2(5.15), 8.2 before 8.2(5.51), 8.3 before 8.3(2.42), 8.4 before 8.4(7.23), 8.6 before 8.6(1.15), 9.0 before 9.0(4.24), 9.1 before 9.1(5.12), 9.2 before 9.2(2.6), and 9.3 before 9.3(1.1) does not properly implement a tunnel filter, which allows remote authenticated users to obtain failover-unit access via crafted packets, aka Bug ID CSCuq28582.
Credit: ykramarz@cisco.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Cisco ASA Software | =7.2.5 | |
| Cisco ASA Software | =7.2.5.10 | |
| Cisco ASA Software | =8.2.5 | |
| Cisco ASA Software | =8.2.5.13 | |
| Cisco ASA Software | =8.2.5.22 | |
| Cisco ASA Software | =8.2.5.26 | |
| Cisco ASA Software | =8.2.5.33 | |
| Cisco ASA Software | =8.2.5.41 | |
| Cisco ASA Software | =8.2.5.46 | |
| Cisco ASA Software | =8.2.5.48 | |
| Cisco ASA Software | =8.2.5.49 | |
| Cisco ASA Software | =8.3 | |
| Cisco ASA Software | =8.3.2.25 | |
| Cisco ASA Software | =8.4 | |
| Cisco ASA Software | =8.4.1 | |
| Cisco ASA Software | =8.4.2 | |
| Cisco ASA Software | =8.4.3 | |
| Cisco ASA Software | =8.4.4 | |
| Cisco ASA Software | =8.4.5 | |
| Cisco ASA Software | =8.4.6 | |
| Cisco ASA Software | =8.4.7 | |
| Cisco ASA Software | =8.6 | |
| Cisco ASA Software | =9.0 | |
| Cisco ASA Software | =9.1 | |
| Cisco ASA Software | =9.2 | |
| Cisco ASA Software | =9.3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2014-3389?
CVE-2014-3389 has a CVSS base score of 7.5, indicating it is a high severity vulnerability.
How do I fix CVE-2014-3389?
To fix CVE-2014-3389, upgrade your Cisco ASA Software to the latest available version that is not affected by this vulnerability.
What types of attacks can exploit CVE-2014-3389?
CVE-2014-3389 can be exploited to bypass tunnel filters, potentially allowing unauthorized access to sensitive networks.
Which Cisco ASA software versions are affected by CVE-2014-3389?
Affected versions of Cisco ASA Software include 7.2 prior to 7.2(5.15), 8.2 prior to 8.2(5.51), and several versions in the 8.3, 8.4, 8.6, 9.0, 9.1, 9.2, and 9.3 series before specified updates.
Is CVE-2014-3389 related to VPN security?
Yes, CVE-2014-3389 specifically involves a vulnerability in the VPN implementation of multiple versions of Cisco ASA software.
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/author
- agent/severity
- agent/references
- agent/description
- agent/first-publish-date
- agent/event
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/cisco
- canonical/cisco asa software
- version/cisco asa software/7.2.5
- version/cisco asa software/7.2.5.10
- version/cisco asa software/8.2.5
- version/cisco asa software/8.2.5.13
- version/cisco asa software/8.2.5.22
- version/cisco asa software/8.2.5.26
- version/cisco asa software/8.2.5.33
- version/cisco asa software/8.2.5.41
- version/cisco asa software/8.2.5.46
- version/cisco asa software/8.2.5.48
- version/cisco asa software/8.2.5.49
- version/cisco asa software/8.3
- version/cisco asa software/8.3.2.25
- version/cisco asa software/8.4
- version/cisco asa software/8.4.1
- version/cisco asa software/8.4.2
- version/cisco asa software/8.4.3
- version/cisco asa software/8.4.4
- version/cisco asa software/8.4.5
- version/cisco asa software/8.4.6
- version/cisco asa software/8.4.7
- version/cisco asa software/8.6
- version/cisco asa software/9.0
- version/cisco asa software/9.1
- version/cisco asa software/9.2
- version/cisco asa software/9.3