Vulnerabilities > CVE-2014-8422 - Insufficient Entropy vulnerability in Unify Openscape Desk Phone IP SIP and Openstage SIP

047910
CVSS 6.8 - MEDIUM
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
unify
CWE-331
NVD
Published: 2018-04-12
Updated: 2021-09-09

Summary

The web-based management (WBM) interface in Unify (former Siemens) OpenStage SIP and OpenScape Desk Phone IP V3 devices before R3.32.0 generates session cookies with insufficient entropy, which makes it easier for remote attackers to hijack sessions via a brute-force attack.

Vulnerable Configurations

Part Description Count
Application
Unify
16
Hardware
Unify
3
Hardware
Atos
3

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Session Credential Falsification through Prediction
    This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.

References