CVE-2014-3911
critical
CVSS v3
—
CVSS v2
9.3
VIR risk
9.3
Description
Samsung iPOLiS Device Manager before 1.8.7 allows remote attackers to execute arbitrary code via unspecified values to the (1) Start, (2) ChangeControlLocalName, (3) DeleteDeviceProfile, (4) FrameAdvanceReader, or other unknown method in the XNSSDKDEVICE.XnsSdkDeviceCtrlForIpInstaller.1 ActiveX control.
Predictions
Exploit likelihood
20%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: cve@mitre.org — http://update.websamsung.net/Tools/iPOLiS%20Device%20Manager/iPOLiS%20Device%20Manager_v1.8.7_setup_Full.zip
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| samsung | ipolis_device_manager | up to and including 1.8.2 | |
References
- http://update.websamsung.net/Tools/iPOLiS%20Device%20Manager/iPOLiS%20Device%20Manager_v1.8.7_setup_Full.zip
- http://www.securityfocus.com/bid/67822
- http://www.zerodayinitiative.com/advisories/ZDI-14-167/
- http://www.zerodayinitiative.com/advisories/ZDI-14-168/
- http://www.zerodayinitiative.com/advisories/ZDI-14-170/
- http://www.zerodayinitiative.com/advisories/ZDI-14-171/
- http://www.zerodayinitiative.com/advisories/ZDI-14-172/
CWEs
CWE-94