Cryptographic issues in vSphere Data Protection - CVE-2014-4632

Published: February 1, 2015 / Updated: August 9, 2020


Vulnerability identifier: #VU40920
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2014-4632
CWE-ID: CWE-310
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: VMware, Inc
Affected software:
vSphere Data Protection

Detailed vulnerability description

The vulnerability allows a remote non-authenticated attacker who can intercept traffic between the VDP or Avamar proxy client and vCenter Server to impersonate vCenter Server and manipulate data.

VMware vSphere Data Protection (VDP) 5.1, 5.5 before 5.5.9 and 5.8 before 5.8.1, as well as the proxy client in EMC Avamar Data Store (ADS) and Avamar Virtual Edition (AVE) 6.x and 7.0.x, do not properly verify X.509 certificates presented by vCenter Server over SSL. The defect is on the client side: because the proxy client does not check the server certificate against a trusted issuer, a man-in-the-middle attacker can spoof vCenter Server with a crafted certificate and bypass the intended backup and restore access restrictions.
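The following Go program is an added illustration of the bug class, not code from VMware or EMC and not a reproduction of the VDP proxy client. It assumes a hostname of vcenter.example.internal and uses Go's crypto/tls as a stand-in for the client's TLS stack. Two loopback servers are started: one with the "genuine" vCenter certificate and one with an attacker's crafted certificate for the same hostname. A client that skips verification (the CVE-2014-4632 behaviour) completes the handshake with the rogue server; a client that trusts only the known vCenter certificate and checks the hostname still reaches the genuine server but refuses the rogue one.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Hostname used for the illustration; an assumption, not taken from the advisory.
const vcenterHost = "vcenter.example.internal"

// selfSigned issues a self-signed certificate for vcenterHost. The same routine produces
// the "genuine" vCenter certificate and the attacker's crafted one: nothing in the
// certificate itself tells them apart, only the client's trust check can.
func selfSigned() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: vcenterHost},
		DNSNames:              []string{vcenterHost},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// serve starts a TLS listener on a loopback port that presents cert, and returns its address.
func serve(cert tls.Certificate) (string, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		return "", err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			// The first Write drives the server side of the handshake.
			go func(c net.Conn) { c.Write([]byte("hello\n")); c.Close() }(c)
		}
	}()
	return ln.Addr().String(), nil
}

// handshake dials addr with cfg. tls.Dial completes the handshake, so a nil error
// means the client accepted the server's certificate.
func handshake(addr string, cfg *tls.Config) error {
	conn, err := tls.DialWithDialer(&net.Dialer{Timeout: 5 * time.Second}, "tcp", addr, cfg)
	if err != nil {
		return err
	}
	return conn.Close()
}

// Result records how each client configuration treated the genuine and the rogue server.
type Result struct {
	VulnerableAcceptsRogue bool   // non-verifying client: the CVE-2014-4632 behaviour
	HardenedAcceptsGenuine bool   // verifying client still reaches the real vCenter
	HardenedAcceptsRogue   bool   // verifying client must refuse the crafted certificate
	HardenedRogueErr       string // what the verifying client reports for the rogue server
}

// RunDemo stands up both servers and exercises both client configurations against them.
func RunDemo() (Result, error) {
	var r Result
	genuine, err := selfSigned()
	if err != nil {
		return r, err
	}
	rogue, err := selfSigned() // attacker's crafted certificate for the same hostname
	if err != nil {
		return r, err
	}
	genuineAddr, err := serve(genuine)
	if err != nil {
		return r, err
	}
	rogueAddr, err := serve(rogue)
	if err != nil {
		return r, err
	}
	// Vulnerable: accept whatever certificate the peer presents.
	vulnerable := &tls.Config{InsecureSkipVerify: true}
	// Hardened: trust only the known vCenter certificate and require the expected hostname.
	leaf, err := x509.ParseCertificate(genuine.Certificate[0])
	if err != nil {
		return r, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	hardened := &tls.Config{RootCAs: pool, ServerName: vcenterHost}

	r.VulnerableAcceptsRogue = handshake(rogueAddr, vulnerable) == nil
	r.HardenedAcceptsGenuine = handshake(genuineAddr, hardened) == nil
	if err := handshake(rogueAddr, hardened); err != nil {
		r.HardenedRogueErr = err.Error()
	} else {
		r.HardenedAcceptsRogue = true
	}
	return r, nil
}

func main() {
	r, err := RunDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

The hardened configuration is deliberately narrow: it pins the vCenter certificate itself rather than trusting a public CA bundle, which is the usual arrangement for a backup appliance talking to one management server. Pinning means the appliance must be re-trusted when the vCenter certificate is rotated; that operational cost is the price of ruling out the crafted-certificate attack the advisory describes.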


How to mitigate CVE-2014-4632

Install the update from the vendor's website: for VDP, 5.5.9 or later on the 5.5 branch and 5.8.1 or later on the 5.8 branch; for VDP 5.1 and the Avamar ADS/AVE 6.x and 7.0.x proxy client, apply the fix the vendor has published for those releases. After updating, confirm that the proxy client refuses to connect to a vCenter endpoint that presents a certificate not issued by the trusted authority, since that is the check the vulnerable versions lack.

Sources