Multiple vulnerabilities in Cisco Integrated Management Controller and Cisco UCS Director



Published: 2019-08-28 | Updated: 2019-08-29
Risk: High
Patch available: YES
Number of vulnerabilities: 13
CVE-ID: CVE-2019-12634, CVE-2019-1885, CVE-2019-1974, CVE-2019-1937, CVE-2019-1936, CVE-2019-1935, CVE-2019-1908, CVE-2019-1907, CVE-2019-1900, CVE-2019-1896, CVE-2019-1865, CVE-2019-1863, CVE-2019-1634
CWE-ID: CWE-264, CWE-78, CWE-287, CWE-20, CWE-798, CWE-200, CWE-285, CWE-476
Exploitation vector: Network
Public exploit: Public exploit code is available for vulnerabilities #4, #5 and #6.
Vulnerable software
Cisco UCS Director Express for Big Data
Server applications / Other server solutions

Cisco UCS Director
Server applications / Other server solutions

Cisco Integrated Management Controller Supervisor
Web applications / Remote management & hosting panels

Cisco Integrated Management Controller
Server applications / Remote management servers, RDP, SSH

Vendor: Cisco Systems, Inc

Security Bulletin

This security bulletin contains information about 13 vulnerabilities.

1) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU20379

Risk: High

CVSSv3.1: 7.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-12634

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to cause a denial of service (DoS) condition.

The vulnerability exists due to a missing authentication check in an API call in the web-based management interface. A remote attacker can send a specially crafted request and cause all currently authenticated users to be logged off. Repeated exploitation could cause the inability to maintain a session in the web-based management portal.  

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Cisco UCS Director Express for Big Data: 3.6.0.0 - 3.7.2.0

Cisco UCS Director: 6.6.0.0 - 6.7.2.0

Cisco Integrated Management Controller Supervisor: 2.2.0.3 - 2.2.0.6

External links

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-ucs-imc-dos


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) OS Command Injection

EUVDB-ID: #VU20380

Risk: Medium

CVSSv3.1: 6.3 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-1885

CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.

The vulnerability exists due to insufficient validation of user-supplied input in the Redfish protocol. A remote authenticated attacker can send specially crafted commands to the web-based management interface and execute arbitrary OS commands on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

This vulnerability affects the following Cisco products that are running Cisco IMC Software:

  • UCS C-Series and S-Series Servers in standalone mode 

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Cisco Integrated Management Controller: 3.0 - 4.0

External links

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-ucs-cimc


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Improper Authentication

EUVDB-ID: #VU20427

Risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-1974

CWE-ID: CWE-287 - Improper Authentication

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass the authentication process.

The vulnerability exists in the web-based management interface due to insufficient request header validation during the authentication process. A remote attacker can send a series of malicious requests to an affected device, bypass the authentication process and gain full administrative access.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Cisco UCS Director Express for Big Data: 2.1.0.0 - 3.7.2.0

Cisco UCS Director: 5.5.0.0 - 6.7.2.0

Cisco Integrated Management Controller Supervisor: 2.1 - 2.2.0.6

External links

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-imcs-ucs-authbypass


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Improper Authentication

EUVDB-ID: #VU20429

Risk: High

CVSSv3.1: 9.1 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C]

CVE-ID: CVE-2019-1937

CWE-ID: CWE-287 - Improper Authentication

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to bypass the authentication process.

The vulnerability exists in the web-based management interface due to insufficient request header validation during the authentication process. A remote attacker can send a series of malicious requests to an affected device, use the acquired session token and gain full administrator access to the affected device.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Cisco UCS Director Express for Big Data: 3.6.0.0 - 3.7.1.0

Cisco UCS Director: 6.6.0.0 - 6.6.1.0

Cisco Integrated Management Controller Supervisor: 2.2.0.3 - 2.2.0.6

External links

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-imcs-ucs-authby


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a fully functional exploit for this vulnerability is available.

5) Input validation error

EUVDB-ID: #VU20430

Risk: Medium

CVSSv3.1: 6.7 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C]

CVE-ID: CVE-2019-1936

CWE-ID: CWE-20 - Improper input validation

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to execute arbitrary commands on the target system.

The vulnerability exists due to insufficient validation of user-supplied input by the web-based management interface. A remote authenticated administrator can log in to the web-based management interface, send a malicious request to a certain part of the interface and execute arbitrary commands on the underlying Linux shell.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Cisco UCS Director Express for Big Data: 3.0.0.0 - 3.7.1.0

Cisco UCS Director: 6.0.0.0 - 6.7.1.0

Cisco Integrated Management Controller Supervisor: 2.1 - 2.2.0.6

External links

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-imcs-ucs-cmdinj


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a fully functional exploit for this vulnerability is available.

6) Use of hard-coded credentials

EUVDB-ID: #VU20431

Risk: High

CVSSv3.1: 9.1 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C]

CVE-ID: CVE-2019-1935

CWE-ID: CWE-798 - Use of Hard-coded Credentials

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to gain full access to the vulnerable system.

The vulnerability exists due to the presence of a documented default account with an undocumented default password and incorrect permission settings for that account. A remote unauthenticated attacker can log in to the CLI of an affected system by using the SCP User account (scpuser) with default user credentials and execute arbitrary commands on the target system. This includes full read and write access to the system's database.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Cisco UCS Director Express for Big Data: 3.0.0.0 - 3.7.1.0

Cisco UCS Director: 6.0.0.0 - 6.7.1.0

Cisco Integrated Management Controller Supervisor: 2.1 - 2.2.0.6

External links

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-imcs-usercred


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a fully functional exploit for this vulnerability is available.

7) Information disclosure

EUVDB-ID: #VU20447

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-1908

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists in the Intelligent Platform Management Interface (IPMI) implementation due to insufficient security restrictions. A remote attacker can view sensitive information that belongs to other users.

Note: This vulnerability affects Cisco UCS C-Series and S-Series Servers in standalone mode running a vulnerable release of Cisco IMC Software.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Cisco Integrated Management Controller: 2.0 - 4.0

External links

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-imc-infodisc


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) Improper Authorization

EUVDB-ID: #VU20448

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-1907

CWE-ID: CWE-285 - Improper Authorization

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain elevated privileges on the target system.

The vulnerability exists in the web server due to improper handling of substring comparison operations. A remote authenticated attacker with read-only privileges can send a specially crafted HTTP request and gain administrator privileges.

Note: This vulnerability affects Cisco UCS C-Series and S-Series Servers in standalone mode if they are running a vulnerable release of Cisco IMC Software.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Cisco Integrated Management Controller: 4.0

External links

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-imc-privescal


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) NULL pointer dereference

EUVDB-ID: #VU20449

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-1900

CWE-ID: CWE-476 - NULL Pointer Dereference

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists in the web server due to insufficient validation of user-supplied input on the web interface. A remote attacker can submit a specially crafted HTTP request to certain endpoints of the affected software and crash the web server.

Physical access to the device may be required for a restart.

Note: This vulnerability affects Cisco UCS C-Series and S-Series Servers in standalone mode if they are running a vulnerable release of Cisco IMC Software.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Cisco Integrated Management Controller: 4.0

External links

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-imc-dos


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

10) OS Command Injection

EUVDB-ID: #VU20450

Risk: Medium

CVSSv3.1: 6.3 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-1896

CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.

The vulnerability exists due to insufficient validation of user-supplied input in the Certificate Signing Request (CSR) function in the web-based management interface. A remote authenticated administrator can submit a specially crafted CSR and execute arbitrary OS commands on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Cisco Integrated Management Controller: 2.0 - 4.0

External links

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-imc-cmdinject-1896


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

11) OS Command Injection

EUVDB-ID: #VU20451

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-1865

CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.

The vulnerability exists due to insufficient validation of user-supplied input in the web-based management interface. A remote authenticated attacker can invoke an interface monitoring mechanism with a crafted argument and inject and execute arbitrary, system-level commands on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

This vulnerability affects the following products that are running Cisco IMC Software:

  • UCS C-Series and S-Series Servers in standalone mode
  • UCS E-Series Servers
  • 5000 Series Enterprise Network Compute System (ENCS) Platforms

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Cisco Integrated Management Controller: 1.5 - 4.0

External links

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-imc-cmdinj-1865


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

12) Improper Authorization

EUVDB-ID: #VU20452

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-1863

CWE-ID: CWE-285 - Improper Authorization

Exploit availability: No

Description

The vulnerability allows a remote attacker to make unauthorized changes to the system configuration.

The vulnerability exists due to insufficient authorization enforcement in the web-based management interface. A remote authenticated attacker with read-only privileges can send a specially crafted HTTP request and change critical system configurations using administrator privileges.

This vulnerability affects the following products that are running Cisco IMC Software:

  • UCS C-Series and S-Series Servers in standalone mode
  • UCS E-Series Servers
  • 5000 Series Enterprise Network Compute System (ENCS) Platforms

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Cisco Integrated Management Controller: 1.5 - 4.0

External links

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-imc-privilege


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

13) OS Command Injection

EUVDB-ID: #VU20453

Risk: Medium

CVSSv3.1: 6.3 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-1634

CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.

The vulnerability exists due to insufficient input validation of user-supplied commands in the Intelligent Platform Management Interface (IPMI). A remote authenticated administrator with access to the network where the IPMI resides can submit a specially crafted input to the affected commands and execute arbitrary OS commands on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

This vulnerability affects the following products that are running Cisco IMC Software:

  • UCS C-Series and S-Series Servers in standalone mode
  • UCS E-Series Servers
  • 5000 Series Enterprise Network Compute System (ENCS) Platforms

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Cisco Integrated Management Controller: 1.5 - 4.0

External links

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-imc-cmdinject-1634


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


