SB2019082810 - Multiple vulnerabilities in Cisco Integrated Management Controller and Cisco UCS Director




Published: August 28, 2019 Updated: October 25, 2024

Security Bulletin ID: SB2019082810
Severity: High
Patch available: YES
Number of vulnerabilities: 13
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

High: 46%, Medium: 54%

Description

This security bulletin contains information about 13 security vulnerabilities.


1) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2019-12634)

The vulnerability allows a remote attacker to cause a denial of service (DoS) condition.

The vulnerability exists due to a missing authentication check in an API call in the web-based management interface. A remote attacker can send a specially crafted request and cause all currently authenticated users to be logged off. Repeated exploitation could cause the inability to maintain a session in the web-based management portal.  


2) OS Command Injection (CVE-ID: CVE-2019-1885)

The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.

The vulnerability exists due to insufficient validation of user-supplied input in the Redfish protocol. A remote authenticated attacker can send specially crafted commands to the web-based management interface and execute arbitrary OS commands on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

This vulnerability affects the following Cisco products that are running Cisco IMC Software:

  • UCS C-Series and S-Series Servers in standalone mode 

3) Improper Authentication (CVE-ID: CVE-2019-1974)

The vulnerability allows a remote attacker to bypass the authentication process.

The vulnerability exists in the web-based management interface due to insufficient request header validation during the authentication process. A remote attacker can send a series of malicious requests to an affected device, bypass the authentication process and gain full administrative access.


4) Improper Authentication (CVE-ID: CVE-2019-1937)

The vulnerability allows a remote attacker to bypass the authentication process.

The vulnerability exists in the web-based management interface due to insufficient request header validation during the authentication process. A remote attacker can send a series of malicious requests to an affected device, use the acquired session token and gain full administrator access to the affected device.


5) Input validation error (CVE-ID: CVE-2019-1936)

The vulnerability allows a remote attacker to execute arbitrary commands on the target system.

The vulnerability exists due to insufficient validation of user-supplied input by the web-based management interface. A remote authenticated administrator can log in to the web-based management interface, send a malicious request to a certain part of the interface and execute arbitrary commands on the underlying Linux shell.


6) Use of hard-coded credentials (CVE-ID: CVE-2019-1935)

The vulnerability allows a remote attacker to gain full access to the vulnerable system.

The vulnerability exists due to the presence of a documented default account with an undocumented default password and incorrect permission settings for that account. A remote unauthenticated attacker can log in to the CLI of an affected system by using the SCP User account (scpuser) with default user credentials and execute arbitrary commands on the target system. This includes full read and write access to the system's database.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
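
To check whether the scpuser account has been used to log in, SSH authentication logs can be reviewed for that exact account name. The following is an added example, not part of the bulletin or of Cisco's tooling; it assumes the system's sshd messages are in standard OpenSSH syslog format, and the log lines, host name, addresses and the trusted-source list are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines, assumed to be in standard OpenSSH syslog format.
SAMPLE_LOG = """\
Aug 28 10:01:12 ucsd sshd[2211]: Failed password for scpuser from 198.51.100.7 port 50122 ssh2
Aug 28 10:01:15 ucsd sshd[2211]: Accepted password for scpuser from 198.51.100.7 port 50122 ssh2
Aug 28 10:05:40 ucsd sshd[2290]: Accepted publickey for admin from 192.0.2.10 port 41800 ssh2
Aug 28 10:07:02 ucsd sshd[2301]: Failed password for invalid user scpuser2 from 203.0.113.9 port 39001 ssh2
Aug 28 11:30:55 ucsd sshd[2410]: Accepted password for scpuser from 192.0.2.10 port 41922 ssh2
"""

AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def scpuser_auth_events(log_text, account="scpuser"):
    """Count accepted/failed sshd authentications for one account, per source."""
    events = defaultdict(lambda: {"accepted": 0, "failed": 0})
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        # Exact comparison: "scpuser2" must not be counted as "scpuser".
        if m and m.group("user") == account:
            events[m.group("src")][m.group("result").lower()] += 1
    return dict(events)


def untrusted_logins(events, trusted_sources=frozenset()):
    """Sources with at least one accepted login that are not on the allowlist."""
    return sorted(
        src for src, counts in events.items()
        if counts["accepted"] and src not in trusted_sources
    )


if __name__ == "__main__":
    ev = scpuser_auth_events(SAMPLE_LOG)
    # Hypothetical allowlist: the one host expected to use this account.
    for src in untrusted_logins(ev, trusted_sources={"192.0.2.10"}):
        print(f"ALERT: scpuser login from {src}: {ev[src]}")
```
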

7) Information disclosure (CVE-ID: CVE-2019-1908)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists in the Intelligent Platform Management Interface (IPMI) implementation due to insufficient security restrictions. A remote attacker can view sensitive information that belongs to other users.

Note: This vulnerability affects Cisco UCS C-Series and S-Series Servers in standalone mode running a vulnerable release of Cisco IMC Software.


8) Improper Authorization (CVE-ID: CVE-2019-1907)

The vulnerability allows a remote attacker to gain elevated privileges on the target system.

The vulnerability exists in the web server due to improper handling of substring comparison operations. A remote authenticated attacker with read-only privileges can send a specially crafted HTTP request and gain administrator privileges.

Note: This vulnerability affects Cisco UCS C-Series and S-Series Servers in standalone mode if they are running a vulnerable release of Cisco IMC Software.

9) NULL pointer dereference (CVE-ID: CVE-2019-1900)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists in the web server due to insufficient validation of user-supplied input on the web interface. A remote attacker can submit a specially crafted HTTP request to certain endpoints of the affected software and crash the web server.

Physical access to the device may be required for a restart.

Note: This vulnerability affects Cisco UCS C-Series and S-Series Servers in standalone mode if they are running a vulnerable release of Cisco IMC Software.


10) OS Command Injection (CVE-ID: CVE-2019-1896)

The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.

The vulnerability exists due to insufficient validation of user-supplied input in the Certificate Signing Request (CSR) function in the web-based management interface. A remote authenticated administrator can submit a specially crafted CSR and execute arbitrary OS commands on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.


11) OS Command Injection (CVE-ID: CVE-2019-1865)

The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.

The vulnerability exists due to insufficient validation of user-supplied input in the web-based management interface. A remote authenticated attacker can invoke an interface monitoring mechanism with a crafted argument and inject and execute arbitrary, system-level commands on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

This vulnerability affects the following products that are running Cisco IMC Software:

  • UCS C-Series and S-Series Servers in standalone mode
  • UCS E-Series Servers
  • 5000 Series Enterprise Network Compute System (ENCS) Platforms


12) Improper Authorization (CVE-ID: CVE-2019-1863)

The vulnerability allows a remote attacker to make unauthorized changes to the system configuration.

The vulnerability exists due to insufficient authorization enforcement in the web-based management interface. A remote authenticated attacker with read-only privileges can send a specially crafted HTTP request and change critical system configurations using administrator privileges.

This vulnerability affects the following products that are running Cisco IMC Software:
  • UCS C-Series and S-Series Servers in standalone mode
  • UCS E-Series Servers
  • 5000 Series Enterprise Network Compute System (ENCS) Platforms

13) OS Command Injection (CVE-ID: CVE-2019-1634)

The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.

The vulnerability exists due to insufficient input validation of user-supplied commands in the Intelligent Platform Management Interface (IPMI). A remote authenticated administrator with access to the network where the IPMI resides can submit specially crafted input to the affected commands and execute arbitrary OS commands on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

This vulnerability affects the following products that are running Cisco IMC Software:

  • UCS C-Series and S-Series Servers in standalone mode
  • UCS E-Series Servers
  • 5000 Series Enterprise Network Compute System (ENCS) Platforms


Remediation

Install the update from the vendor's website.