CVE-2017-3218

Samsung Magician 5.0 fails to validate TLS certificates for HTTPS software update traffic. Prior to version 5.0, Samsung Magician uses HTTP for software updates.

CVSS v3 8.8 HIGH
CVSS v2.0 8.3 HIGH

8.8^/10

CVSS v3 : HIGH

Vector : AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability : 2.8 / Impact : 5.9

Attack Vector ADJACENT_NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

8.3^/10

CVSS v2.0 : HIGH

Vector : AV:A/AC:L/Au:N/C:C/I:C/A:C

Exploitability : 6.5 / Impact : 10.0

Access Vector ADJACENT_NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

References

Link	Resource
http://www.securityfocus.com/bid/99081	Third Party Advisory VDB Entry
https://www.kb.cert.org/vuls/id/846320	Third Party Advisory US Government Resource

Configurations

Configuration 1 (hide)

cpe:2.3:a:samsung:magician:5.0:*:*:*:*:*:*:*

History

No history.

Information

Published : 2017-06-21 20:29

Updated : 2024-02-28 16:04

NVD link : CVE-2017-3218

Mitre link : CVE-2017-3218

CVE.ORG link : CVE-2017-3218

JSON object : View

Products Affected

samsung

magician

CWE

CWE-345

Insufficient Verification of Data Authenticity

CWE-295

Improper Certificate Validation

CWE-311

Missing Encryption of Sensitive Data

{"id": "CVE-2017-3218", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 8.3, "accessVector": "ADJACENT_NETWORK", "vectorString": "AV:A/AC:L/Au:N/C:C/I:C/A:C", "authentication": "NONE", "integrityImpact": "COMPLETE", "accessComplexity": "LOW", "availabilityImpact": "COMPLETE", "confidentialityImpact": "COMPLETE"}, "acInsufInfo": false, "impactScore": 10.0, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 6.5, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 8.8, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2017-06-21T20:29:00.220", "references": [{"url": "http://www.securityfocus.com/bid/99081", "tags": ["Third Party Advisory", "VDB Entry"], "source": "cret@cert.org"}, {"url": "https://www.kb.cert.org/vuls/id/846320", "tags": ["Third Party Advisory", "US Government Resource"], "source": "cret@cert.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-345"}]}, {"type": "Secondary", "source": "cret@cert.org", "description": [{"lang": "en", "value": "CWE-295"}, {"lang": "en", "value": "CWE-311"}]}], "descriptions": [{"lang": "en", "value": "Samsung Magician 5.0 fails to validate TLS certificates for HTTPS software update traffic. Prior to version 5.0, Samsung Magician uses HTTP for software updates."}, {"lang": "es", "value": "Samsung Magician 5.0 no valida certificados TLS para el tr\u00e1fico de actualizaci\u00f3n de software HTTPS. En versiones anteriores a la 5.0, Samsung Magician emplea HTTP para las actualizaciones de software."}], "lastModified": "2019-10-09T23:27:24.510", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:samsung:magician:5.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C2C01892-F651-4637-8E77-DDCBF72485B4"}], "operator": "OR"}]}], "sourceIdentifier": "cret@cert.org"}