Pierluigi Paganini August 29, 2019

An expert published technical details of recently disclosed Cisco Unified Computing System (UCS) flaws that can be exploited to take complete control of vulnerable systems.

Security researcher Pedro Ribeiro, aka “bashis,” has released the details of three the recently addressed vulnerabilities in the Cisco Unified Computing System (UCS) products along with Metasploit modules for their exploitation.

Last week, Cisco released security fixes to address 17 critical and high-severity vulnerabilities affecting some Cisco Unified Computing products, including Integrated Management Controller (IMC), UCS Director, and UCS Director Express for Big Data.

Most of the flaws affect the Integrated Management Controller (IMC) that is a baseboard management controller that provides embedded server management for Cisco Unified Computing System (UCS) servers.

Some of the flaws addressed by Cisco have been reported by the security researcher Pedro Ribeiro, the expert now announced that he has released the details of three vulnerabilities that can be exploited by attackers to gain complete control over affected systems.

“Due to several coding errors, it is possible for an unauthenticated remote attacker with no privileges to bypass authentication and abuse a password change function to inject arbitrary commands and execute code as root. In addition, there is a default unprivileged user with a known password that can login via SSH and execute commands on the virtual appliance provided by Cisco.” wrote the expert. “Two Metasploit modules were released with this advisory, one that exploits the authentication bypass and command injection, and another that exploits the default SSH password.”

The CVE-2019-1935 flaw in Cisco Integrated Management Controller (IMC) Supervisor, Cisco UCS Director, and Cisco UCS Director Express for Big Data could be exploited by an unauthenticated, remote attacker to log in to the CLI of an affected system by using the SCP User account (scpuser), which has default user credentials.

“The vulnerability is due to the presence of a documented default account with an undocumented default password and incorrect permission settings for that account.” reads the security advisory published by Cisco. “Changing the default password for this account is not enforced during the installation of the product. An attacker could exploit this vulnerability by using the account to log in to an affected system. A successful exploit could allow the attacker to execute arbitrary commands with the privileges of the scpuser account. This includes full read and write access to the system’s database.”

Ribeiro discovered that the above user can log in via SSH with the default password.

Ribeiro also found the CVE-2019-1936 flaw that could be exploited by an authenticated attacker to execute arbitrary commands on the underlying Linux shell with root permissions. This vulnerability could be exploited only by an authenticated attacker, but the authentication could be obtained by triggering the CVE-2019-1937.

“A vulnerability in the web-based management interface of Cisco Integrated Management Controller (IMC) Supervisor, Cisco UCS Director, and Cisco UCS Director Express for Big Data could allow an unauthenticated, remote attacker to acquire a valid session token with administrator privileges, bypassing user authentication.” reads the advisory for the CVE-2019-1937 flaw.

“The vulnerability is due to insufficient request header validation during the authentication process. An attacker could exploit this vulnerability by sending a series of malicious requests to an affected device. An exploit could allow the attacker to use the acquired session token to gain full administrator access to the affected device.”

Riberio explained that an unauthenticated attacker could chain the CVE-2019-1936 and CVE-2019-1937 to execute code as root and take complete control of the vulnerable product.

Ribeiro has developed two Metasploit modules, one that exploits the authentication bypass and command injection, and another that exploits the default SSH password.

Pierluigi Paganini

(SecurityAffairs – Cisco Unified Computing System, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]