CVE-2014-0104
Published: 2020-01-02
Priority P427 · medium · 5.9 (CVSS 3.1)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
EPSS: 0.83% (53.1th percentile)
fence-agents before 4.0.17 does not verify remote SSL certificates in the fence_cisco_ucs.py script, which can potentially allow man-in-the-middle attackers to spoof SSL servers via arbitrary SSL certificates.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| clusterlabs | fence-agents | < 4.0.17 | 4.0.17 |
| debian | fence-agents | < fence-agents 4.0.17-1 (bookworm) | fence-agents 4.0.17-1 (bookworm) |
| fence-agents | fence-agents | — | — |
| fence-agents | fence-agents | >= 0 < 4.0.17-1 | 4.0.17-1 |
| fence-agents | fence-agents | >= 0 < 4.0.17-1 | 4.0.17-1 |
| fence-agents | fence-agents | >= 0 < 4.0.17-1 | 4.0.17-1 |
| fence-agents | fence-agents | >= 0 < 4.0.17-1 | 4.0.17-1 |
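CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 5.9 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N |
| nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| osv | — | 5.9 | MEDIUM | — |
| vendor_debian | — | 5.9 | LOW | — |
| vendor_redhat | — | 5.9 | MEDIUM | — |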
GHSA
GHSA-c77j-gxmx-7mxq: In fence-agents before 4
ghsa_unreviewed·2022-05-17
OSV
CVE-2014-0104: In fence-agents before 4
osv·2020-01-02·CVSS 5.9
Red Hat
fence-agents: no verification of remote SSL certificates
vendor_redhat·2014-10-10·CVSS 5.9
Package: fence-agents (Red Hat Enterprise Linux 6) - Will not fix
Package: fence-agents (Red Hat Enterprise Linux 7) - Not affected
Debian
CVE-2014-0104: fence-agents - In fence-agents before 4.0.17 does not verify remote SSL certificates in the fen...
vendor_debian·2014·CVSS 5.9
Scope: local
bookworm: resolved (fixed in 4.0.17-1)
bullseye: resolved (fixed in 4.0.17-1)
forky: resolved (fixed in 4.0.17-1)
sid: resolved (fixed in 4.0.17-1)
trixie: resolved (fixed in 4.0.17-1)
Bugzilla
CVE-2014-0104 fence-agents: no verification of remote SSL certificates [fedora-all]
bugzilla·2014-10-10·CVSS 5.9
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versio
Bugzilla
CVE-2014-0104 fence-agents: no verification of remote SSL certificates
bugzilla·2014-02-28·CVSS 5.9
Michael Samuel reported that fence-agents does not verify remote SSL certificates in the fence_cisco_ucs.py script. This could potentially allow for man-in-the-middle attackers to spoof SSL servers via arbitrary, yet valid, SSL certificates.
This script did verify the validity of SSL certificates by default, but this behaviour was changed due to bug #691392, which introduced this behaviour via RHBA-2011:0834 [1].
* The fence_cisco_ucs script no longer checks the validity of SSL certificates by default. (BZ#691392)
Also note that this behaviour appears in the fence_rhevm.py script as well.
[1] http://rhn.redhat.com/errata/RHBA-2011-0834.html
Discussion:
Michael suggested the following as a potential idea of how t
https://access.redhat.com/security/cve/cve-2014-0104
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-0104
https://bugzilla.suse.com/show_bug.cgi?id=CVE-2014-0104
https://security-tracker.debian.org/tracker/CVE-2014-0104