-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2019.3212.3
Multiple vulnerabilities in Cisco Integrated Management
Controller and Cisco UCS Director
2 September 2019
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Cisco Integrated Management Controller
Cisco UCS Director
Publisher: Cisco Systems
Operating System: Cisco
Impact/Access: Root Compromise -- Remote/Unauthenticated
Access Privileged Data -- Remote/Unauthenticated
Denial of Service -- Remote/Unauthenticated
Unauthorised Access -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2019-12634 CVE-2019-1937 CVE-2019-1936
CVE-2019-1935 CVE-2019-1908 CVE-2019-1907
CVE-2019-1900 CVE-2019-1896 CVE-2019-1885
CVE-2019-1883 CVE-2019-1871 CVE-2019-1865
CVE-2019-1864 CVE-2019-1863 CVE-2019-1850
CVE-2019-1634
Original Bulletin:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-imc-dos
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-imcs-usercred
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-ucs-imc-dos
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-imcs-ucs-cmdinj
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-imcs-ucs-authby
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-imc-privescal
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-imc-privilege
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-imc-infodisc
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-imc-cmdinj-1850
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-imc-cmdinj-1864
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-imc-cmdinj-1865
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-imc-cmdinject-1634
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-ucs-cimc
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-imc-cmdinject-1896
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-cimc-cli-inject
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-imc-bo
Comment: This bulletin contains sixteen (16) Cisco Systems security
advisories.
Revision History: September 2 2019: Publicly available exploits for
CVE-2019-1937, CVE-2019-1936 and
CVE-2019-1935
September 2 2019: Announcement of publicly available
exploits for CVE-2019-1937,
CVE-2019-1936 and CVE-2019-1935
August 22 2019: Initial Release
- --------------------------BEGIN INCLUDED TEXT--------------------
Cisco Integrated Management Controller Unauthenticated Denial of Service
Vulnerability
Priority: High
Advisory ID: cisco-sa-20190821-imc-dos
First Published: 2019 August 21 16:00 GMT
Version 1.0: Final
Workarounds: No workarounds available
Cisco Bug IDs: CSCvo36063
CVE-2019-1900
CWE-476
CVSS Score:
7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:X/RL:X/RC:X
Summary
o A vulnerability in the web server of Cisco Integrated Management Controller
(IMC) could allow an unauthenticated, remote attacker to cause the web
server process to crash, causing a denial of service (DoS) condition on an
affected system.
The vulnerability is due to insufficient validation of user-supplied input
on the web interface. An attacker could exploit this vulnerability by
submitting a crafted HTTP request to certain endpoints of the affected
software. A successful exploit could allow an attacker to cause the web
server to crash. Physical access to the device may be required for a
restart.
Cisco has released software updates that address this vulnerability. There
are no workarounds that address this vulnerability.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
cisco-sa-20190821-imc-dos
Affected Products
o Vulnerable Products
This vulnerability affects Cisco UCS C-Series and S-Series Servers in
standalone mode if they are running a vulnerable release of Cisco IMC
Software.
For information about fixed software releases, see the Fixed Software
section of this advisory.
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory
are known to be affected by this vulnerability.
Cisco has confirmed that this vulnerability does not affect the following
Cisco products:
UCS E-Series Servers
5000 Series Enterprise Network Compute System
FI-Attached servers managed by UCS Manager, including B-Series,
C-Series, and S-Series Servers
Workarounds
o There are no workarounds that address this vulnerability.
Fixed Software
o Cisco has released free software updates that address the vulnerability
described in this advisory. Customers may only install and expect support
for software versions and feature sets for which they have purchased a
license. By installing, downloading, accessing, or otherwise using such
software upgrades, customers agree to follow the terms of the Cisco
software license:
https://www.cisco.com/c/en/us/products/end-user-license-agreement.html
Additionally, customers may only download software for which they have a
valid license, procured from Cisco directly, or through a Cisco authorized
reseller or partner. In most cases this will be a maintenance upgrade to
software that was previously purchased. Free security software updates do
not entitle customers to a new software license, additional software
feature sets, or major revision upgrades.
When considering software upgrades, customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories and Alerts page, to determine exposure and a
complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance
providers.
Customers Without Service Contracts
Customers who purchase directly from Cisco but do not hold a Cisco service
contract and customers who make purchases through third-party vendors but
are unsuccessful in obtaining fixed software through their point of sale
should obtain upgrades by contacting the Cisco TAC:
https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html
Customers should have the product serial number available and be prepared
to provide the URL of this advisory as evidence of entitlement to a free
upgrade.
Fixed Releases
Customers are advised to upgrade to the appropriate Cisco UCS C-Series and
S-Series software release as indicated in the following table:
Cisco IMC Software Release    First Fixed Release
1.4                           Not vulnerable
1.5                           Not vulnerable
2.0                           Not vulnerable
3.0                           Not vulnerable
4.0                           4.0(2f)
Customers can download Cisco IMC Software from the Software Center on
Cisco.com by doing the following:
1. Click Browse all.
2. Navigate to Servers - Unified Computing > UCS C-Series Rack-Mount
Standalone Server Software.
3. In the right pane, choose the appropriate Cisco UCS C-Series platform.
4. On the Select a Software Type page, click Unified Computing System
(UCS) Server Firmware.
5. Access releases by using the left pane of the page.
Exploitation and Public Announcements
o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
any public announcements or malicious use of the vulnerability that is
described in this advisory.
Source
o This vulnerability was found during internal security testing.
Cisco Security Vulnerability Policy
o To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy. This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
URL
o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
cisco-sa-20190821-imc-dos
Revision History
o +---------+--------------------------+---------+--------+-----------------+
| Version | Description | Section | Status | Date |
+---------+--------------------------+---------+--------+-----------------+
| 1.0 | Initial public release. | - | Final | 2019-August-21 |
+---------+--------------------------+---------+--------+-----------------+
- ------------------------------------------------------------------------------
Cisco Integrated Management Controller Supervisor, Cisco UCS Director, and
Cisco UCS Director Express for Big Data SCP User Default Credentials
Vulnerability
Priority: Critical
Advisory ID: cisco-sa-20190821-imcs-usercred
First Published: 2019 August 21 16:00 GMT
Last Updated: 2019 August 30 12:38 GMT
Version 1.1: Final
Workarounds: Yes
Cisco Bug IDs: CSCvp19251
CVE-2019-1935
CWE-798
CVSS Score:
9.8 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:X
Summary
o A vulnerability in Cisco Integrated Management Controller (IMC) Supervisor,
Cisco UCS Director, and Cisco UCS Director Express for Big Data could allow
an unauthenticated, remote attacker to log in to the CLI of an affected
system by using the SCP User account (scpuser), which has default user
credentials.
The vulnerability is due to the presence of a documented default account
with an undocumented default password and incorrect permission settings for
that account. Changing the default password for this account is not
enforced during the installation of the product. An attacker could exploit
this vulnerability by using the account to log in to an affected system. A
successful exploit could allow the attacker to execute arbitrary commands
with the privileges of the scpuser account. This includes full read and
write access to the system's database.
Cisco has released software updates that address this vulnerability. There
are workarounds that address this vulnerability.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
cisco-sa-20190821-imcs-usercred
Affected Products
o Vulnerable Products
This vulnerability affects the following Cisco products:
Cisco IMC Supervisor releases:
2.1
2.2.0.0 through 2.2.0.6
Cisco UCS Director releases:
6.0
6.5
6.6.0.0 and 6.6.1.0
6.7.0.0 and 6.7.1.0
Cisco UCS Director Express for Big Data releases:
3.0
3.5
3.6
3.7.0.0 and 3.7.1.0
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory
are known to be affected by this vulnerability.
Workarounds
o Setting a custom password for the scpuser account under Administration >
Users and Groups > SCP User Configuration will prevent exploitation of this
vulnerability.
Fixed Software
o Cisco has released free software updates that address the vulnerability
described in this advisory. Customers may only install and expect support
for software versions and feature sets for which they have purchased a
license. By installing, downloading, accessing, or otherwise using such
software upgrades, customers agree to follow the terms of the Cisco
software license:
https://www.cisco.com/c/en/us/products/end-user-license-agreement.html
Additionally, customers may only download software for which they have a
valid license, procured from Cisco directly, or through a Cisco authorized
reseller or partner. In most cases this will be a maintenance upgrade to
software that was previously purchased. Free security software updates do
not entitle customers to a new software license, additional software
feature sets, or major revision upgrades.
When considering software upgrades, customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories and Alerts page, to determine exposure and a
complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance
providers.
Customers Without Service Contracts
Customers who purchase directly from Cisco but do not hold a Cisco service
contract and customers who make purchases through third-party vendors but
are unsuccessful in obtaining fixed software through their point of sale
should obtain upgrades by contacting the Cisco TAC:
https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html
Customers should have the product serial number available and be prepared
to provide the URL of this advisory as evidence of entitlement to a free
upgrade.
Fixed Releases
Cisco fixed this vulnerability in the following software releases:
Cisco Integrated Management Controller Supervisor releases 2.2.1.0 and
later
Cisco UCS Director releases 6.7.2.0 and later (recommended: 6.7.3.0)
Cisco UCS Director Express for Big Data releases 3.7.2.0 and later
(recommended: 3.7.3.0)
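The affected and fixed lists above leave a gap that is easy to misread: a release that is neither in the affected ranges nor at or after the first fixed release (a later 6.6.x build, for instance) is not declared safe by the advisory. The following added example, not Cisco's code, transcribes this advisory's lists into a small table and reports each installed release as fixed, vulnerable, or not listed; the product names used as keys and the inventory in the `__main__` block are constructed, and the same structure can carry the affected ranges and first fixed releases of the other advisories in this bulletin.

```python
"""Check installed releases against cisco-sa-20190821-imcs-usercred (CVE-2019-1935).

Added example, not Cisco's code. Release data transcribed from the advisory.
"""

# Affected entries are (start, end). end=None means "every release on that
# train" (the advisory lists bare trains such as "2.1" and "6.5"); otherwise the
# range is inclusive, as in "2.2.0.0 through 2.2.0.6".
ADVISORY = {
    "IMC Supervisor": {
        "affected": [("2.1", None), ("2.2.0.0", "2.2.0.6")],
        "fixed": "2.2.1.0",
    },
    "UCS Director": {
        "affected": [("6.0", None), ("6.5", None),
                     ("6.6.0.0", "6.6.1.0"), ("6.7.0.0", "6.7.1.0")],
        "fixed": "6.7.2.0",
    },
    "UCS Director Express for Big Data": {
        "affected": [("3.0", None), ("3.5", None), ("3.6", None),
                     ("3.7.0.0", "3.7.1.0")],
        "fixed": "3.7.2.0",
    },
}


def parse_release(release: str) -> tuple:
    """'6.7.1.0' -> (6, 7, 1, 0); rejects anything that is not dotted integers."""
    parts = release.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised release string: {release!r}")
    return tuple(int(p) for p in parts)


def on_train(release: tuple, train: tuple) -> bool:
    """True if release is the train itself or a descendant of it (2.1.3 is on 2.1)."""
    return release[:len(train)] == train


def exposure(product: str, release: str) -> str:
    """Return 'fixed', 'vulnerable' or 'not listed' for one installed release.

    'not listed' is deliberate: a release outside both the affected ranges and
    the "first fixed and later" set must be checked against the advisory's own
    wording rather than assumed safe.
    """
    data = ADVISORY[product]
    rel = parse_release(release)
    if rel >= parse_release(data["fixed"]):
        return "fixed"
    for start, end in data["affected"]:
        lo = parse_release(start)
        if end is None:
            if on_train(rel, lo):
                return "vulnerable"
        elif lo <= rel <= parse_release(end):
            return "vulnerable"
    return "not listed"


if __name__ == "__main__":
    # Constructed sample inventory (product, release); not real hosts.
    inventory = [
        ("IMC Supervisor", "2.1.3"),
        ("IMC Supervisor", "2.2.0.6"),
        ("IMC Supervisor", "2.2.1.0"),
        ("UCS Director", "6.6.2.0"),
        ("UCS Director", "6.7.3.0"),
        ("UCS Director Express for Big Data", "3.6.0.1"),
    ]
    for product, release in inventory:
        print(f"{product:35} {release:10} {exposure(product, release)}")
```

Tuple comparison gives the right ordering across release strings of different length (2.1.3 sorts before 2.2.1.0), and the "fixed" test runs first so that "2.2.1.0 and later" wins even for trains the affected list never mentions.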
Customers can download the Cisco IMC Supervisor software from the Software
Center on Cisco.com by doing the following:
1. Click Browse all.
2. Choose Servers - Unified Computing > Integrated Management Controller
(IMC) Supervisor > IMC Supervisor 2.x.
3. Access releases by using the left pane of the IMC Supervisor 2.x page.
Customers can download the Cisco UCS Director software from the Software
Center on Cisco.com by doing the following:
1. Click Browse all.
2. Choose Servers - Unified Computing > UCS Director > UCS Director 6.7.
3. Access releases by using the left pane of the UCS Director 6.7 page.
Customers can download the Cisco UCS Director Express for Big Data software
from the Software Center on Cisco.com by doing the following:
1. Click Browse all.
2. Choose Servers - Unified Computing > UCS Director > UCS Director
Express for Big Data 3.7.
3. Access releases by using the left pane of the UCS Director Express for
Big Data 3.7 page.
Exploitation and Public Announcements
o Security researcher Pedro Ribeiro has published details on this
vulnerability in his GitHub repository and has also released corresponding
Metasploit modules.
Source
o Cisco would like to thank independent security researcher Pedro Ribeiro for
reporting this vulnerability to iDefense's Vulnerability Contributor
Program.
Cisco Security Vulnerability Policy
o To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy. This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
URL
o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
cisco-sa-20190821-imcs-usercred
Revision History
o +---------+---------------------+---------------+--------+----------------+
| Version | Description | Section | Status | Date |
+---------+---------------------+---------------+--------+----------------+
| | Updated the public | | | |
| | announcement and | Exploitation | | |
| 1.1 | availability of | and Public | Final | 2019-August-30 |
| | public exploit | Announcements | | |
| | code. | | | |
+---------+---------------------+---------------+--------+----------------+
| 1.0 | Initial public | - | Final | 2019-August-21 |
| | release. | | | |
+---------+---------------------+---------------+--------+----------------+
- ------------------------------------------------------------------------------
Cisco Integrated Management Controller Supervisor, Cisco UCS Director, and
Cisco UCS Director Express for Big Data Denial of Service Vulnerability
Priority: High
Advisory ID: cisco-sa-20190821-ucs-imc-dos
First Published: 2019 August 21 16:00 GMT
Version 1.0: Final
Workarounds: No workarounds available
Cisco Bug IDs: CSCvq89223
CVE-2019-12634
CWE-264
CVSS Score:
8.6 AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:X/RL:X/RC:X
Summary
o A vulnerability in the web-based management interface of Cisco Integrated
Management Controller (IMC) Supervisor, Cisco UCS Director, and Cisco UCS
Director Express for Big Data could allow an unauthenticated, remote
attacker to cause a denial of service (DoS) condition.
The vulnerability is due to a missing authentication check in an API call.
An attacker who can send a request to an affected system could cause all
currently authenticated users to be logged off. Repeated exploitation could
cause the inability to maintain a session in the web-based management
portal.
Cisco has released software updates that address this vulnerability. There
are no workarounds that address this vulnerability.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
cisco-sa-20190821-ucs-imc-dos
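The root cause named above is an API call that performs a global action (logging off every authenticated user) without first authenticating the caller. The following added example, not Cisco's code and not the product's API, shows that pattern in miniature: a session store, a handler that clears it for any caller, and a hardened handler that resolves the caller's session from a request header and requires an administrator session before the action runs. The handler names, the `X-Session-Token` header and the user names are hypothetical.

```python
"""Missing-authentication-check pattern: vulnerable and hardened handler.

Added example, not Cisco's code; handlers, header and session store are
hypothetical and illustrate the vulnerability class only.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    user: str
    is_admin: bool


@dataclass
class SessionStore:
    sessions: dict = field(default_factory=dict)

    def login(self, user: str, is_admin: bool = False) -> str:
        """Create a session and return its random token."""
        token = secrets.token_hex(16)
        self.sessions[token] = Session(user, is_admin)
        return token

    def active(self) -> int:
        return len(self.sessions)


def logout_all_vulnerable(store: SessionStore, request: dict) -> dict:
    """Vulnerable pattern: the global action runs for any caller, so a single
    unauthenticated request logs off every user (the DoS the advisory describes)."""
    store.sessions.clear()
    return {"status": 200}


def logout_all_hardened(store: SessionStore, request: dict) -> dict:
    """Hardened pattern: authenticate first (valid session token), then
    authorise (administrator), and only then perform the global action."""
    token = request.get("headers", {}).get("X-Session-Token")
    caller = store.sessions.get(token) if token else None
    if caller is None:
        return {"status": 401}      # not authenticated: nothing happens
    if not caller.is_admin:
        return {"status": 403}      # authenticated but not entitled
    store.sessions.clear()
    return {"status": 200}


def demo() -> dict:
    """Run both handlers against the same constructed state; return the outcomes."""
    results = {}

    store = SessionStore()
    store.login("alice", is_admin=True)
    store.login("bob")
    logout_all_vulnerable(store, {"headers": {}})
    results["vulnerable_after_anon"] = store.active()      # 0: everyone logged off

    store = SessionStore()
    admin_token = store.login("alice", is_admin=True)
    user_token = store.login("bob")
    anon = {"headers": {}}
    results["hardened_anon_status"] = logout_all_hardened(store, anon)["status"]
    results["hardened_after_anon"] = store.active()        # 2: sessions intact
    as_user = {"headers": {"X-Session-Token": user_token}}
    results["hardened_user_status"] = logout_all_hardened(store, as_user)["status"]
    as_admin = {"headers": {"X-Session-Token": admin_token}}
    results["hardened_admin_status"] = logout_all_hardened(store, as_admin)["status"]
    results["hardened_after_admin"] = store.active()       # 0: intended use
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:25} {value}")
```

The check is an authentication check on the request, not a rate limit on the endpoint: the advisory's "repeated exploitation" outcome follows directly from the action being reachable at all without a session, so throttling alone would not close it.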
Affected Products
o Vulnerable Products
This vulnerability affects the following Cisco products:
Cisco IMC Supervisor releases:
2.2.0.3 through 2.2.0.6
Cisco UCS Director releases:
6.6.0.0 and 6.6.1.0
6.7.0.0 through 6.7.2.0
Cisco UCS Director Express for Big Data releases:
3.6.0.0 and 3.6.1.0
3.7.0.0 through 3.7.2.0
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory
are known to be affected by this vulnerability.
Workarounds
o There are no workarounds that address this vulnerability.
Fixed Software
o Cisco has released free software updates that address the vulnerability
described in this advisory. Customers may only install and expect support
for software versions and feature sets for which they have purchased a
license. By installing, downloading, accessing, or otherwise using such
software upgrades, customers agree to follow the terms of the Cisco
software license:
https://www.cisco.com/c/en/us/products/end-user-license-agreement.html
Additionally, customers may only download software for which they have a
valid license, procured from Cisco directly, or through a Cisco authorized
reseller or partner. In most cases this will be a maintenance upgrade to
software that was previously purchased. Free security software updates do
not entitle customers to a new software license, additional software
feature sets, or major revision upgrades.
When considering software upgrades, customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories and Alerts page, to determine exposure and a
complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance
providers.
Customers Without Service Contracts
Customers who purchase directly from Cisco but do not hold a Cisco service
contract and customers who make purchases through third-party vendors but
are unsuccessful in obtaining fixed software through their point of sale
should obtain upgrades by contacting the Cisco TAC:
https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html
Customers should have the product serial number available and be prepared
to provide the URL of this advisory as evidence of entitlement to a free
upgrade.
Fixed Releases
Cisco fixed this vulnerability in the following software releases:
Cisco IMC Supervisor releases 2.2.1.0 and later
Cisco UCS Director releases 6.7.3.0 and later
Cisco UCS Director Express for Big Data releases 3.7.3.0 and later
At the time of publication, fixes for UCS Director 6.6 were expected to be
available by late August 2019.
Customers can download the Cisco IMC Supervisor software from the Software
Center on Cisco.com by doing the following:
1. Click Browse all.
2. Choose Servers - Unified Computing > Integrated Management Controller
(IMC) Supervisor > IMC Supervisor 2.x.
3. Access releases by using the left pane of the IMC Supervisor 2.x page.
Customers can download the Cisco UCS Director software from the Software
Center on Cisco.com by doing the following:
1. Click Browse all.
2. Choose Servers - Unified Computing > UCS Director > UCS Director 6.7.
3. Access releases by using the left pane of the UCS Director 6.7 page.
Customers can download the Cisco UCS Director Express for Big Data software
from the Software Center on Cisco.com by doing the following:
1. Click Browse all.
2. Choose Servers - Unified Computing > UCS Director > UCS Director
Express for Big Data 3.7.
3. Access releases by using the left pane of the UCS Director Express for
Big Data 3.7 page.
Exploitation and Public Announcements
o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
any public announcements or malicious use of the vulnerability that is
described in this advisory.
Source
o This vulnerability was found during the resolution of a Cisco TAC support
case.
Cisco Security Vulnerability Policy
o To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy. This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
URL
o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
cisco-sa-20190821-ucs-imc-dos
Revision History
o +---------+--------------------------+---------+--------+-----------------+
| Version | Description | Section | Status | Date |
+---------+--------------------------+---------+--------+-----------------+
| 1.0 | Initial public release. | - | Final | 2019-August-21 |
+---------+--------------------------+---------+--------+-----------------+
- ------------------------------------------------------------------------------
Cisco Integrated Management Controller Supervisor, Cisco UCS Director, and
Cisco UCS Director Express for Big Data Command Injection Vulnerability
Priority: High
Advisory ID: cisco-sa-20190821-imcs-ucs-cmdinj
First Published: 2019 August 21 16:00 GMT
Last Updated: 2019 August 30 12:33 GMT
Version 1.1: Final
Workarounds: No workarounds available
Cisco Bug IDs: CSCvp19245
CVE-2019-1936
CWE-20
CVSS Score:
7.2 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:X
Summary
o A vulnerability in the web-based management interface of Cisco Integrated
Management Controller (IMC) Supervisor, Cisco UCS Director, and Cisco UCS
Director Express for Big Data could allow an authenticated, remote attacker
to execute arbitrary commands on the underlying Linux shell as the root
user. Exploitation of this vulnerability requires privileged access to an
affected device.
The vulnerability is due to insufficient validation of user-supplied input
by the web-based management interface. An attacker could exploit this
vulnerability by logging in to the web-based management interface with
administrator privileges and then sending a malicious request to a certain
part of the interface.
Cisco has released software updates that address this vulnerability. There
are no workarounds that address this vulnerability.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
cisco-sa-20190821-imcs-ucs-cmdinj
Affected Products
o Vulnerable Products
This vulnerability affects the following Cisco products:
Cisco IMC Supervisor releases:
2.1
2.2.0.0 through 2.2.0.6
Cisco UCS Director releases:
6.0
6.5
6.6.0.0 and 6.6.1.0
6.7.0.0 and 6.7.1.0
Cisco UCS Director Express for Big Data releases:
3.0
3.5
3.6
3.7.0.0 and 3.7.1.0
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory
are known to be affected by this vulnerability.
Workarounds
o There are no workarounds that address this vulnerability.
Fixed Software
o Cisco has released free software updates that address the vulnerability
described in this advisory. Customers may only install and expect support
for software versions and feature sets for which they have purchased a
license. By installing, downloading, accessing, or otherwise using such
software upgrades, customers agree to follow the terms of the Cisco
software license:
https://www.cisco.com/c/en/us/products/end-user-license-agreement.html
Additionally, customers may only download software for which they have a
valid license, procured from Cisco directly, or through a Cisco authorized
reseller or partner. In most cases this will be a maintenance upgrade to
software that was previously purchased. Free security software updates do
not entitle customers to a new software license, additional software
feature sets, or major revision upgrades.
When considering software upgrades, customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories and Alerts page, to determine exposure and a
complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance
providers.
Customers Without Service Contracts
Customers who purchase directly from Cisco but do not hold a Cisco service
contract and customers who make purchases through third-party vendors but
are unsuccessful in obtaining fixed software through their point of sale
should obtain upgrades by contacting the Cisco TAC:
https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html
Customers should have the product serial number available and be prepared
to provide the URL of this advisory as evidence of entitlement to a free
upgrade.
Fixed Releases
Cisco fixed this vulnerability in the following software releases:
Cisco IMC Supervisor releases 2.2.1.0 and later
Cisco UCS Director releases 6.7.2.0 and later (recommended: 6.7.3.0)
Cisco UCS Director Express for Big Data releases 3.7.2.0 and later
(recommended: 3.7.3.0)
Customers can download the Cisco IMC Supervisor software from the Software
Center on Cisco.com by doing the following:
1. Click Browse all.
2. Choose Servers - Unified Computing > Integrated Management Controller
(IMC) Supervisor > IMC Supervisor 2.x.
3. Access releases by using the left pane of the IMC Supervisor 2.x page.
Customers can download the Cisco UCS Director software from the Software
Center on Cisco.com by doing the following:
1. Click Browse all.
2. Choose Servers - Unified Computing > UCS Director > UCS Director 6.7.
3. Access releases by using the left pane of the UCS Director 6.7 page.
Customers can download the Cisco UCS Director Express for Big Data software
from the Software Center on Cisco.com by doing the following:
1. Click Browse all.
2. Choose Servers - Unified Computing > UCS Director > UCS Director
Express for Big Data 3.7.
3. Access releases by using the left pane of the UCS Director Express for
Big Data 3.7 page.
Exploitation and Public Announcements
o Security researcher Pedro Ribeiro has published details on this
vulnerability in his GitHub repository and has also released corresponding
Metasploit modules.
Source
o Cisco would like to thank independent security researcher Pedro Ribeiro for
reporting this vulnerability to iDefense's Vulnerability Contributor
Program.
Cisco Security Vulnerability Policy
o To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy. This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
Action Links for This Advisory
o Snort Rule 50903
URL
o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
cisco-sa-20190821-imcs-ucs-cmdinj
Revision History
o +---------+---------------------+---------------+--------+----------------+
| Version | Description | Section | Status | Date |
+---------+---------------------+---------------+--------+----------------+
| | Updated the public | | | |
| | announcement and | Exploitation | | |
| 1.1 | availability of | and Public | Final | 2019-August-30 |
| | public exploit | Announcements | | |
| | code. | | | |
+---------+---------------------+---------------+--------+----------------+
| 1.0 | Initial public | - | Final | 2019-August-21 |
| | release. | | | |
+---------+---------------------+---------------+--------+----------------+
- ------------------------------------------------------------------------------
Cisco Integrated Management Controller Supervisor, Cisco UCS Director, and
Cisco UCS Director Express for Big Data Authentication Bypass Vulnerability
Priority: Critical
Advisory ID: cisco-sa-20190821-imcs-ucs-authby
First Published: 2019 August 21 16:00 GMT
Last Updated: 2019 August 30 12:30 GMT
Version 1.1: Final
Workarounds: No workarounds available
Cisco Bug IDs: CSCvp19229
CVE-2019-1937
CWE-287
CVSS Score:
9.8 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:X
Summary
o A vulnerability in the web-based management interface of Cisco Integrated
Management Controller (IMC) Supervisor, Cisco UCS Director, and Cisco UCS
Director Express for Big Data could allow an unauthenticated, remote
attacker to acquire a valid session token with administrator privileges,
bypassing user authentication.
The vulnerability is due to insufficient request header validation during
the authentication process. An attacker could exploit this vulnerability by
sending a series of malicious requests to an affected device. An exploit
could allow the attacker to use the acquired session token to gain full
administrator access to the affected device.
Cisco has released software updates that address this vulnerability. There
are no workarounds that address this vulnerability.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
cisco-sa-20190821-imcs-ucs-authby
Affected Products
o Vulnerable Products
This vulnerability affects the following Cisco products:
Cisco IMC Supervisor releases:
2.2.0.3 through 2.2.0.6
Cisco UCS Director releases:
6.6.0.0 and 6.6.1.0
6.7.0.0 and 6.7.1.0
Cisco UCS Director Express for Big Data releases:
3.6
3.7.0.0 and 3.7.1.0
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory
are known to be affected by this vulnerability.
Workarounds
o There are no workarounds that address this vulnerability.
Fixed Software
o Cisco has released free software updates that address the vulnerability
described in this advisory. Customers may only install and expect support
for software versions and feature sets for which they have purchased a
license. By installing, downloading, accessing, or otherwise using such
software upgrades, customers agree to follow the terms of the Cisco
software license:
https://www.cisco.com/c/en/us/products/end-user-license-agreement.html
Additionally, customers may only download software for which they have a
valid license, procured from Cisco directly, or through a Cisco authorized
reseller or partner. In most cases this will be a maintenance upgrade to
software that was previously purchased. Free security software updates do
not entitle customers to a new software license, additional software
feature sets, or major revision upgrades.
When considering software upgrades, customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories and Alerts page, to determine exposure and a
complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance
providers.
Customers Without Service Contracts
Customers who purchase directly from Cisco but do not hold a Cisco service
contract and customers who make purchases through third-party vendors but
are unsuccessful in obtaining fixed software through their point of sale
should obtain upgrades by contacting the Cisco TAC:
https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html
Customers should have the product serial number available and be prepared
to provide the URL of this advisory as evidence of entitlement to a free
upgrade.
Fixed Releases
Cisco fixed this vulnerability in the following software releases:
Cisco IMC Supervisor releases 2.2.1.0 and later
Cisco UCS Director releases 6.7.2.0 and later (recommended: 6.7.3.0)
Cisco UCS Director Express for Big Data releases 3.7.2.0 and later
(recommended: 3.7.3.0)
Customers can download the Cisco IMC Supervisor software from the Software
Center on Cisco.com by doing the following:
1. Click Browse all.
2. Choose Servers - Unified Computing > Integrated Management Controller
(IMC) Supervisor > IMC Supervisor 2.x.
3. Access releases by using the left pane of the IMC Supervisor 2.x page.
Customers can download the Cisco UCS Director software from the Software
Center on Cisco.com by doing the following:
1. Click Browse all.
2. Choose Servers - Unified Computing > UCS Director > UCS Director 6.7.
3. Access releases by using the left pane of the UCS Director 6.7 page.
Customers can download the Cisco UCS Director Express for Big Data software
from the Software Center on Cisco.com by doing the following:
1. Click Browse all.
2. Choose Servers - Unified Computing > UCS Director > UCS Director
Express for Big Data 3.7.
3. Access releases by using the left pane of the UCS Director Express for
Big Data 3.7 page.
Exploitation and Public Announcements
o Security researcher Pedro Ribeiro has published details on this
vulnerability in his GitHub repository and has also released corresponding
Metasploit modules.
Source
o Cisco would like to thank independent security researcher Pedro Ribeiro for
reporting this vulnerability to iDefense's Vulnerability Contributor
Program.
Cisco Security Vulnerability Policy
o To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy. This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
URL
o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
cisco-sa-20190821-imcs-ucs-authby
Revision History
o +---------+---------------------+---------------+--------+----------------+
| Version | Description | Section | Status | Date |
+---------+---------------------+---------------+--------+----------------+
| | Updated the public | | | |
| | announcement and | Exploitation | | |
| 1.1 | availability of | and Public | Final | 2019-August-30 |
| | public exploit | Announcements | | |
| | code. | | | |
+---------+---------------------+---------------+--------+----------------+
| 1.0 | Initial public | - | Final | 2019-August-21 |
| | release. | | | |
+---------+---------------------+---------------+--------+----------------+
- -------------------------------------------------------------------------------
Cisco Integrated Management Controller Substring Comparison Privilege
Escalation Vulnerability
Priority: High
Advisory ID: cisco-sa-20190821-imc-privescal
First Published: 2019 August 21 16:00 GMT
Version 1.0: Final
Workarounds: No workarounds available
Cisco Bug IDs: CSCvo36080
CVE-2019-1907
CWE-285
CVSS Score:
8.8 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:X
Summary
o A vulnerability in the web server of Cisco Integrated Management Controller
(IMC) could allow an authenticated, remote attacker to set sensitive
configuration values and gain elevated privileges.
The vulnerability is due to improper handling of substring comparison
operations that are performed by the affected software. An attacker could
exploit this vulnerability by sending a crafted HTTP request to the
affected software. A successful exploit could allow the attacker with
read-only privileges to gain administrator privileges.
Cisco has released software updates that address this vulnerability. There
are no workarounds that address this vulnerability.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
cisco-sa-20190821-imc-privescal
Affected Products
o Vulnerable Products
This vulnerability affects Cisco UCS C-Series and S-Series Servers in
standalone mode if they are running a vulnerable release of Cisco IMC
Software.
For information about fixed software releases, consult the Fixed Software
section of this advisory.
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory
are known to be affected by this vulnerability.
Cisco has confirmed that this vulnerability does not affect the following
Cisco products:
UCS E-Series Servers
5000 Series Enterprise Network Compute System
FI-Attached servers managed by UCS Manager, including B-Series,
C-Series, and S-Series Servers
Workarounds
o There are no workarounds that address this vulnerability.
Fixed Software
o Cisco has released free software updates that address the vulnerability
described in this advisory. Customers may only install and expect support
for software versions and feature sets for which they have purchased a
license. By installing, downloading, accessing, or otherwise using such
software upgrades, customers agree to follow the terms of the Cisco
software license:
https://www.cisco.com/c/en/us/products/end-user-license-agreement.html
Additionally, customers may only download software for which they have a
valid license, procured from Cisco directly, or through a Cisco authorized
reseller or partner. In most cases this will be a maintenance upgrade to
software that was previously purchased. Free security software updates do
not entitle customers to a new software license, additional software
feature sets, or major revision upgrades.
When considering software upgrades, customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories and Alerts page, to determine exposure and a
complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance
providers.
Customers Without Service Contracts
Customers who purchase directly from Cisco but do not hold a Cisco service
contract and customers who make purchases through third-party vendors but
are unsuccessful in obtaining fixed software through their point of sale
should obtain upgrades by contacting the Cisco TAC:
https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html
Customers should have the product serial number available and be prepared
to provide the URL of this advisory as evidence of entitlement to a free
upgrade.
Fixed Releases
Customers are advised to upgrade to the appropriate Cisco UCS C-Series and
S-Series software release as indicated in the following table:
Cisco IMC Software Release    First Fixed Release
1.4                           Not vulnerable
1.5                           Not vulnerable
2.0                           Not vulnerable
3.0                           Not vulnerable
4.0                           4.0(2f), 4.0(4b)
Customers can download Cisco IMC Software from the Software Center on
Cisco.com by doing the following:
1. Click Browse all.
2. Navigate to Servers - Unified Computing > UCS C-Series Rack-Mount
Standalone Server Software.
3. In the right pane, choose the appropriate Cisco UCS C-Series platform.
4. On the Select a Software Type page, click Unified Computing System
(UCS) Server Firmware.
5. Access releases by using the left pane of the page.
Exploitation and Public Announcements
o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
any public announcements or malicious use of the vulnerability that is
described in this advisory.
Source
o This vulnerability was found during internal security testing.
Cisco Security Vulnerability Policy
o To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy. This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
URL
o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
cisco-sa-20190821-imc-privescal
Revision History
o +---------+--------------------------+---------+--------+-----------------+
| Version | Description | Section | Status | Date |
+---------+--------------------------+---------+--------+-----------------+
| 1.0 | Initial public release. | - | Final | 2019-August-21 |
+---------+--------------------------+---------+--------+-----------------+
- -----------------------------------------------------------------------------
Cisco Integrated Management Controller Privilege Escalation Vulnerability
Priority: High
Advisory ID: cisco-sa-20190821-imc-privilege
First Published: 2019 August 21 16:00 GMT
Version 1.0: Final
Workarounds: No workarounds available
Cisco Bug IDs: CSCvn21011
CVE-2019-1863
CWE-285
CVSS Score:
6.5 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:X/RL:X/RC:X
Summary
o A vulnerability in the web-based management interface of Cisco Integrated
Management Controller (IMC) Software could allow an authenticated, remote
attacker to make unauthorized changes to the system configuration.
The vulnerability is due to insufficient authorization enforcement. An
attacker could exploit this vulnerability by sending a crafted HTTP request
to the affected software. A successful exploit could allow a user with
read-only privileges to change critical system configurations using
administrator privileges.
Cisco has released software updates that address this vulnerability. There
are no workarounds that address this vulnerability.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
cisco-sa-20190821-imc-privilege
Affected Products
o Vulnerable Products
This vulnerability affects the following Cisco products if they are running
a vulnerable release of Cisco IMC Software:
UCS C-Series and S-Series Servers in standalone mode
UCS E-Series Servers
5000 Series Enterprise Network Compute System (ENCS) Platforms
For information about affected software releases, consult the Fixed
Software section of this advisory.
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory
are known to be affected by this vulnerability.
Cisco has confirmed that this vulnerability does not affect the following
Cisco FI-Attached servers that are managed by UCS Manager:
UCS B-Series Servers
UCS C-Series Servers
UCS S-Series Servers
Workarounds
o There are no workarounds that address this vulnerability.
Fixed Software
o Cisco has released free software updates that address the vulnerability
described in this advisory. Customers may only install and expect support
for software versions and feature sets for which they have purchased a
license. By installing, downloading, accessing, or otherwise using such
software upgrades, customers agree to follow the terms of the Cisco
software license:
https://www.cisco.com/c/en/us/products/end-user-license-agreement.html
Additionally, customers may only download software for which they have a
valid license, procured from Cisco directly, or through a Cisco authorized
reseller or partner. In most cases this will be a maintenance upgrade to
software that was previously purchased. Free security software updates do
not entitle customers to a new software license, additional software
feature sets, or major revision upgrades.
When considering software upgrades, customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories and Alerts page, to determine exposure and a
complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance
providers.
Customers Without Service Contracts
Customers who purchase directly from Cisco but do not hold a Cisco service
contract and customers who make purchases through third-party vendors but
are unsuccessful in obtaining fixed software through their point of sale
should obtain upgrades by contacting the Cisco TAC:
https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html
Customers should have the product serial number available and be prepared
to provide the URL of this advisory as evidence of entitlement to a free
upgrade.
Fixed Releases
Cisco UCS C-Series and S-Series Servers
Customers are advised to upgrade to the appropriate Cisco UCS C-Series and
S-Series software release as indicated in the following table:
Cisco IMC Software Release    First Fixed Release
1.4                           Not vulnerable
1.5                           1.5(9g)
2.0                           2.0(13o)
3.0                           3.0(4k)
4.0                           4.0(1d), 4.0(2c), 4.0(4b)
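Reading several of these First Fixed Release tables by hand is error-prone, because the 4.0 train carries more than one fixed branch and the fixed release differs per advisory. The following Python script is an added example, not code from Cisco or AusCERT: it encodes the four C-Series/S-Series standalone tables that appear in full in this bulletin (imc-privescal, imc-privilege, imc-infodisc and imc-cmdinj-1850) and reports which of those advisories a given installed IMC release is still exposed to. The release-string grammar it parses (major.minor(build followed by an optional letter), e.g. 4.0(2f)) and the rule it applies to builds that have no listed fix (newer than every listed fix counts as fixed, older or in between counts as vulnerable) are assumptions about Cisco's numbering, not statements from the advisories; UCS E-Series and ENCS platforms, fixed in 3.2(8), are not covered.

```python
import re
from dataclasses import dataclass

# Transcribed from the "First Fixed Release" tables in this bulletin for
# UCS C-Series and S-Series servers in standalone mode. None means the
# train is listed as "Not vulnerable" for that advisory.
FIRST_FIXED = {
    "cisco-sa-20190821-imc-privescal": {
        "1.4": None, "1.5": None, "2.0": None, "3.0": None,
        "4.0": ["4.0(2f)", "4.0(4b)"],
    },
    "cisco-sa-20190821-imc-privilege": {
        "1.4": None, "1.5": ["1.5(9g)"], "2.0": ["2.0(13o)"], "3.0": ["3.0(4k)"],
        "4.0": ["4.0(1d)", "4.0(2c)", "4.0(4b)"],
    },
    "cisco-sa-20190821-imc-infodisc": {
        "1.4": None, "1.5": None, "2.0": ["2.0(13o)"], "3.0": ["3.0(4k)"],
        "4.0": ["4.0(2f)", "4.0(4b)"],
    },
    "cisco-sa-20190821-imc-cmdinj-1850": {
        "1.4": None, "1.5": None, "2.0": None, "3.0": ["3.0(4k)"],
        "4.0": ["4.0(2f)", "4.0(4b)"],
    },
}

# Assumed grammar for a Cisco IMC release string: major.minor(build[letter]),
# e.g. "4.0(2f)" or "3.2(8)". The trailing letter is an optional patch suffix.
RELEASE_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)([a-z]*)\)$")


@dataclass(frozen=True, order=True)
class Release:
    major: int
    minor: int
    build: int
    patch: str  # "" when the release has no letter suffix

    @property
    def train(self) -> str:
        return f"{self.major}.{self.minor}"


def parse_release(text: str) -> Release:
    m = RELEASE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Cisco IMC release string: {text!r}")
    return Release(int(m[1]), int(m[2]), int(m[3]), m[4])


def status(installed: Release, fixed_by_train: dict) -> str:
    """Classify one installed release against one advisory's table."""
    if installed.train not in fixed_by_train:
        return "unknown"            # train not covered by the advisory table
    entry = fixed_by_train[installed.train]
    if entry is None:
        return "not vulnerable"     # train listed as "Not vulnerable"
    fixes = sorted(parse_release(f) for f in entry)
    same_build = [f for f in fixes if f.build == installed.build]
    if same_build:
        # Same maintenance build: the patch letter decides, e.g. 4.0(2d) < 4.0(2f).
        return "fixed" if installed >= same_build[0] else "vulnerable"
    # Assumption (not stated by Cisco): a build newer than every listed fix
    # carries the fix; a build older than, or between, listed fixes does not.
    return "fixed" if installed.build > fixes[-1].build else "vulnerable"


def exposure(release_text: str) -> dict:
    """Map every advisory in FIRST_FIXED to the status of this release."""
    installed = parse_release(release_text)
    return {adv: status(installed, table) for adv, table in FIRST_FIXED.items()}


def vulnerable_advisories(release_text: str) -> list:
    """Advisory IDs the given release is still exposed to, sorted."""
    return sorted(adv for adv, st in exposure(release_text).items() if st == "vulnerable")


if __name__ == "__main__":
    for rel in ["4.0(1c)", "4.0(2d)", "3.0(3f)", "2.0(13o)", "4.0(4b)"]:
        print(rel, "->", vulnerable_advisories(rel) or "no open advisories")
```

Feed it the release string shown by the IMC web interface or CLI; a release such as 4.0(2d) comes back as fixed for imc-privilege (first fixed 4.0(2c)) but still open for the three advisories whose first fixed release in that branch is 4.0(2f), which is exactly the case the flattened tables make easy to misread.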
Customers can download Cisco IMC Software from the Software Center on
Cisco.com by doing the following:
1. Click Browse all.
2. Navigate to Servers - Unified Computing > UCS C-Series Rack-Mount
Standalone Server Software.
3. In the right pane, choose the appropriate Cisco UCS C-Series platform.
4. On the Select a Software Type page, click Unified Computing System
(UCS) Server Firmware.
5. Access releases by using the left pane of the page.
Cisco UCS E-Series Servers
Cisco fixed this vulnerability in Cisco IMC Software Release 3.2(8) for
Cisco UCS E-Series Servers.
Customers can download the software from the Software Center on Cisco.com
by doing the following:
1. Click Browse all.
2. Navigate to Servers - Unified Computing > UCS E-Series Software.
3. In the right pane, choose the appropriate Cisco UCS E-Series platform.
4. On the Select a Software Type page, click Unified Computing System
(UCS) Server Firmware.
5. Access releases by using the left pane of the page.
Cisco 5000 Series Enterprise Network Compute System Platforms
Cisco fixed this vulnerability in Cisco IMC Software Release 3.2(8) for
Cisco 5000 Series ENCS Platforms.
Customers can download the software from the Software Center on Cisco.com
by doing the following:
1. Click Browse all.
2. Navigate to Routers > Network Functions Virtualization > 5000 Series
Enterprise Network Compute System.
3. In the right pane, choose the appropriate ENCS platform.
4. On the Select a Software Type page, click ENCS Software.
5. Access releases by using the left pane of the page.
Exploitation and Public Announcements
o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
any public announcements or malicious use of the vulnerability that is
described in this advisory.
Source
o This vulnerability was found during internal security testing.
Cisco Security Vulnerability Policy
o To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy. This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
URL
o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
cisco-sa-20190821-imc-privilege
Revision History
o +---------+--------------------------+---------+--------+-----------------+
| Version | Description | Section | Status | Date |
+---------+--------------------------+---------+--------+-----------------+
| 1.0 | Initial public release. | - | Final | 2019-August-21 |
+---------+--------------------------+---------+--------+-----------------+
- ------------------------------------------------------------------------------
Cisco Integrated Management Controller Information Disclosure Vulnerability
Priority: High
Advisory ID: cisco-sa-20190821-imc-infodisc
First Published: 2019 August 21 16:00 GMT
Version 1.0: Final
Workarounds: No workarounds available
Cisco Bug IDs: CSCvo36096
CVE-2019-1908
CWE-200
CVSS Score:
7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:X/RL:X/RC:X
Summary
o A vulnerability in the Intelligent Platform Management Interface (IPMI)
implementation of Cisco Integrated Management Controller (IMC) could allow
an unauthenticated, remote attacker to view sensitive system information.
The vulnerability is due to insufficient security restrictions imposed by
the affected software. A successful exploit could allow the attacker to
view sensitive information that belongs to other users. The attacker could
then use this information to conduct additional attacks.
Cisco has released software updates that address this vulnerability. There
are no workarounds that address this vulnerability.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
cisco-sa-20190821-imc-infodisc
Affected Products
o Vulnerable Products
This vulnerability affects Cisco UCS C-Series and S-Series Servers in
standalone mode if they are running a vulnerable release of Cisco IMC
Software.
For information about fixed software releases, consult the Fixed Software
section of this advisory.
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory
are known to be affected by this vulnerability.
Cisco has confirmed that this vulnerability does not affect the following
Cisco products:
UCS E-Series Servers
5000 Series Enterprise Network Compute System
FI-Attached servers managed by UCS Manager, including UCS B-Series,
C-Series, and S-Series Servers
Workarounds
o There are no workarounds that address this vulnerability.
Fixed Software
o Cisco has released free software updates that address the vulnerability
described in this advisory. Customers may only install and expect support
for software versions and feature sets for which they have purchased a
license. By installing, downloading, accessing, or otherwise using such
software upgrades, customers agree to follow the terms of the Cisco
software license:
https://www.cisco.com/c/en/us/products/end-user-license-agreement.html
Additionally, customers may only download software for which they have a
valid license, procured from Cisco directly, or through a Cisco authorized
reseller or partner. In most cases this will be a maintenance upgrade to
software that was previously purchased. Free security software updates do
not entitle customers to a new software license, additional software
feature sets, or major revision upgrades.
When considering software upgrades, customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories and Alerts page, to determine exposure and a
complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance
providers.
Customers Without Service Contracts
Customers who purchase directly from Cisco but do not hold a Cisco service
contract and customers who make purchases through third-party vendors but
are unsuccessful in obtaining fixed software through their point of sale
should obtain upgrades by contacting the Cisco TAC:
https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html
Customers should have the product serial number available and be prepared
to provide the URL of this advisory as evidence of entitlement to a free
upgrade.
Fixed Releases
Customers are advised to upgrade to the appropriate Cisco UCS C-Series and
S-Series software release as indicated in the following table:
Cisco IMC Software Release    First Fixed Release
1.4                           Not vulnerable
1.5                           Not vulnerable
2.0                           2.0(13o)
3.0                           3.0(4k)
4.0                           4.0(2f), 4.0(4b)
Customers can download Cisco IMC Software from the Software Center on
Cisco.com by doing the following:
1. Click Browse all.
2. Navigate to Servers - Unified Computing > UCS C-Series Rack-Mount
Standalone Server Software.
3. In the right pane, choose the appropriate Cisco UCS C-Series platform.
4. On the Select a Software Type page, click Unified Computing System
(UCS) Server Firmware.
5. Access releases by using the left pane of the page.
Exploitation and Public Announcements
o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
any public announcements or malicious use of the vulnerability that is
described in this advisory.
Source
o This vulnerability was found during internal security testing.
Cisco Security Vulnerability Policy
o To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy. This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
URL
o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
cisco-sa-20190821-imc-infodisc
Revision History
o +---------+--------------------------+---------+--------+-----------------+
| Version | Description | Section | Status | Date |
+---------+--------------------------+---------+--------+-----------------+
| 1.0 | Initial public release. | - | Final | 2019-August-21 |
+---------+--------------------------+---------+--------+-----------------+
- ------------------------------------------------------------------------------
Cisco Integrated Management Controller Command Injection Vulnerability
Priority: High
Advisory ID: cisco-sa-20190821-imc-cmdinj-1850
First Published: 2019 August 21 16:00 GMT
Version 1.0: Final
Workarounds: No workarounds available
Cisco Bug IDs: CSCvn20998, CSCvq09455
CVE-2019-1850
CWE-78
CVSS Score:
7.2 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:X
Summary
o A vulnerability in the web-based management interface of Cisco Integrated
Management Controller (IMC) Software could allow an authenticated, remote
attacker to inject arbitrary commands that are executed with root
privileges on an affected device. An attacker would need to have valid
administrator credentials on the device.
The vulnerability is due to insufficient validation of user-supplied input
by the affected software. An attacker with elevated privileges could
exploit this vulnerability by sending crafted commands to the
administrative web management interface of the affected software. A
successful exploit could allow the attacker to inject and execute
arbitrary, system-level commands with root privileges on an affected
device.
Cisco has released software updates that address this vulnerability. There
are no workarounds that address this vulnerability.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
cisco-sa-20190821-imc-cmdinj-1850
Affected Products
o Vulnerable Products
This vulnerability affects the following Cisco products:
UCS C-Series and S-Series Servers in standalone mode that are running
Cisco IMC Software earlier than the first fixed releases of 3.0 and
4.0.
UCS E-Series Servers that are running Cisco IMC Software earlier than
the first fixed release of 3.2(8).
5000 Series Enterprise Network Compute System (ENCS) Platforms that are
running Cisco IMC Software earlier than the first fixed release of
3.2(8).
For information about affected software releases, consult the Fixed
Software section of this advisory.
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory
are known to be affected by this vulnerability.
Cisco has confirmed that this vulnerability does not affect the following
Cisco FI-Attached servers that are managed by UCS Manager:
UCS B-Series Servers
UCS C-Series Servers
UCS S-Series Servers
Workarounds
o There are no workarounds that address this vulnerability.
Fixed Software
o Cisco has released free software updates that address the vulnerability
described in this advisory. Customers may only install and expect support
for software versions and feature sets for which they have purchased a
license. By installing, downloading, accessing, or otherwise using such
software upgrades, customers agree to follow the terms of the Cisco
software license:
https://www.cisco.com/c/en/us/products/end-user-license-agreement.html
Additionally, customers may only download software for which they have a
valid license, procured from Cisco directly, or through a Cisco authorized
reseller or partner. In most cases this will be a maintenance upgrade to
software that was previously purchased. Free security software updates do
not entitle customers to a new software license, additional software
feature sets, or major revision upgrades.
When considering software upgrades, customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories and Alerts page, to determine exposure and a
complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance
providers.
Customers Without Service Contracts
Customers who purchase directly from Cisco but do not hold a Cisco service
contract and customers who make purchases through third-party vendors but
are unsuccessful in obtaining fixed software through their point of sale
should obtain upgrades by contacting the Cisco TAC:
https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html
Customers should have the product serial number available and be prepared
to provide the URL of this advisory as evidence of entitlement to a free
upgrade.
Fixed Releases
Customers are advised to upgrade to the appropriate UCS C-Series and
S-Series software release as indicated in the following table:
Cisco IMC Software Release    First Fixed Release
1.4                           Not vulnerable
1.5                           Not vulnerable
2.0                           Not vulnerable
3.0                           3.0(4k)
4.0                           4.0(2f), 4.0(4b)
Customers can download Cisco IMC Software from the Software Center on
Cisco.com by doing the following:
1. Click Browse all.
2. Navigate to Servers - Unified Computing > UCS C-Series Rack-Mount
Standalone Server Software.
3. In the right pane, choose the appropriate Cisco UCS C-Series platform.
4. On the Select a Software Type page, click Unified Computing System
(UCS) Server Firmware.
5. Access releases by using the left pane of the page.
Cisco fixed this vulnerability in Cisco IMC Software Release 3.2(8) for
Cisco UCS E-Series Servers.
Customers can download the software from the Software Center on Cisco.com
by doing the following:
1. Click Browse all.
2. Navigate to Servers - Unified Computing > UCS E-Series Software.
3. In the right pane, choose the appropriate Cisco UCS E-Series platform.
4. On the Select a Software Type page, click Unified Computing System
(UCS) Server Firmware.
5. Access releases by using the left pane of the page.
Cisco fixed this vulnerability in Cisco IMC Software Release 3.2(8) for
Cisco 5000 Series Enterprise Network Compute System (ENCS) Platforms.
Customers can download the software from the Software Center on Cisco.com
by doing the following:
1. Click Browse all.
2. Navigate to Routers > Network Functions Virtualization > 5000 Series
Enterprise Network Compute System.
3. In the right pane, choose the appropriate ENCS platform.
4. On the Select a Software Type page, click ENCS Software.
5. Access releases by using the left pane of the page.
Exploitation and Public Announcements
o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
any public announcements or malicious use of the vulnerability that is
described in this advisory.
Source
o This vulnerability was found during internal security testing.
Cisco Security Vulnerability Policy
o To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy. This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
URL
o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
cisco-sa-20190821-imc-cmdinj-1850
Revision History
o +---------+--------------------------+---------+--------+-----------------+
| Version | Description | Section | Status | Date |
+---------+--------------------------+---------+--------+-----------------+
| 1.0 | Initial public release. | - | Final | 2019-August-21 |
+---------+--------------------------+---------+--------+-----------------+
- ------------------------------------------------------------------------------
Cisco Integrated Management Controller Command Injection Vulnerability
Priority: High
Advisory ID: cisco-sa-20190821-imc-cmdinj-1864
First Published: 2019 August 21 16:00 GMT
Version 1.0: Final
Workarounds: No workarounds available
Cisco Bug IDs: CSCvn21003
CVE-2019-1864
CWE-78
CVSS Score:
8.8 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:X
Summary
o A vulnerability in the web-based management interface of Cisco Integrated
Management Controller (IMC) Software could allow an authenticated, remote
attacker to inject arbitrary commands that are executed with root
privileges on an affected device.
The vulnerability is due to insufficient validation of command input by the
affected software. An attacker could exploit this vulnerability by sending
malicious commands to the web-based management interface of the affected
software. A successful exploit could allow the attacker, with read-only
privileges, to inject and execute arbitrary, system-level commands with
root privileges on an affected device.
Cisco has released software updates that address this vulnerability. There
are no workarounds that address this vulnerability.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
cisco-sa-20190821-imc-cmdinj-1864
Affected Products
o Vulnerable Products
This vulnerability affects the following Cisco products if they are running
a vulnerable release of Cisco IMC Software:
UCS C-Series and S-Series Servers in standalone mode
UCS E-Series Servers
5000 Series Enterprise Network Compute System (ENCS) Platforms
For information about affected software releases, consult the Fixed
Software section of this advisory.
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory
are known to be affected by this vulnerability.
Cisco has confirmed that this vulnerability does not affect the following
Cisco FI-Attached servers managed by UCS Manager:
Cisco UCS B-Series Servers
Cisco UCS C-Series Servers
Cisco UCS S-Series Servers
Workarounds
o There are no workarounds that address this vulnerability.
Fixed Software
o Cisco has released free software updates that address the vulnerability
described in this advisory. Customers may only install and expect support
for software versions and feature sets for which they have purchased a
license. By installing, downloading, accessing, or otherwise using such
software upgrades, customers agree to follow the terms of the Cisco
software license:
https://www.cisco.com/c/en/us/products/end-user-license-agreement.html
Additionally, customers may only download software for which they have a
valid license, procured from Cisco directly, or through a Cisco authorized
reseller or partner. In most cases this will be a maintenance upgrade to
software that was previously purchased. Free security software updates do
not entitle customers to a new software license, additional software
feature sets, or major revision upgrades.
When considering software upgrades, customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories and Alerts page, to determine exposure and a
complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance
providers.
Customers Without Service Contracts
Customers who purchase directly from Cisco but do not hold a Cisco service
contract and customers who make purchases through third-party vendors but
are unsuccessful in obtaining fixed software through their point of sale
should obtain upgrades by contacting the Cisco TAC:
https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html
Customers should have the product serial number available and be prepared
to provide the URL of this advisory as evidence of entitlement to a free
upgrade.
Fixed Releases
Cisco UCS C-Series and S-Series Servers
Customers are advised to upgrade to the appropriate UCS C-Series and
S-Series Software release as indicated in the following table:
+----------------------------+---------------------+
| Cisco IMC Software Release | First Fixed Release |
+----------------------------+---------------------+
| 1.4                        | Not vulnerable      |
| 1.5                        | 1.5(9g)             |
| 2.0                        | 2.0(13o)            |
| 3.0                        | 3.0(4k)             |
| 4.0                        | 4.0(2f), 4.0(4b)    |
+----------------------------+---------------------+
Customers can download Cisco IMC Software from the Software Center on
Cisco.com by doing the following:
1. Click Browse all.
2. Navigate to Servers - Unified Computing > UCS C-Series Rack-Mount
Standalone Server Software.
3. In the right pane, choose the appropriate Cisco UCS C-Series platform.
4. On the Select a Software Type page, click Unified Computing System
(UCS) Server Firmware.
5. Access releases by using the left pane of the page.
Cisco UCS E-Series Servers
Cisco fixed this vulnerability in Cisco IMC Software Release 3.2(8) for
Cisco UCS E-Series Servers.
Customers can download the software from the Software Center on Cisco.com
by doing the following:
1. Click Browse all.
2. Navigate to Servers - Unified Computing > UCS E-Series Software.
3. In the right pane, choose the appropriate Cisco UCS E-Series platform.
4. On the Select a Software Type page, click Unified Computing System
(UCS) Server Firmware.
5. Access releases by using the left pane of the page.
Cisco 5000 Series Enterprise Network Compute System Platforms
Cisco fixed this vulnerability in Cisco IMC Software Release 3.2(8) for
Cisco 5000 Series Enterprise Network Compute System (ENCS) Platforms.
Customers can download the software from the Software Center on Cisco.com
by doing the following:
1. Click Browse all.
2. Navigate to Routers > Network Functions Virtualization > 5000 Series
Enterprise Network Compute System.
3. In the right pane, choose the appropriate ENCS platform.
4. On the Select a Software Type page, click ENCS Software.
5. Access releases by using the left pane of the page.
Exploitation and Public Announcements
o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
any public announcements or malicious use of the vulnerability that is
described in this advisory.
Source
o This vulnerability was found during internal security testing.
Cisco Security Vulnerability Policy
o To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy. This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
URL
o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
cisco-sa-20190821-imc-cmdinj-1864
Revision History
o +---------+--------------------------+---------+--------+-----------------+
| Version | Description | Section | Status | Date |
+---------+--------------------------+---------+--------+-----------------+
| 1.0 | Initial public release. | - | Final | 2019-August-21 |
+---------+--------------------------+---------+--------+-----------------+
- ------------------------------------------------------------------------------
Cisco Integrated Management Controller Command Injection Vulnerability
Priority: High
Advisory ID: cisco-sa-20190821-imc-cmdinj-1865
First Published: 2019 August 21 16:00 GMT
Version 1.0: Final
Workarounds: No workarounds available
Cisco Bug IDs: CSCvn20993
CVE-2019-1865
CWE-78
CVSS Score:
8.8 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:X
Summary
o A vulnerability in the web-based management interface of Cisco Integrated
Management Controller (IMC) Software could allow an authenticated, remote
attacker to inject arbitrary commands that are executed with root
privileges on an affected device.
The vulnerability is due to insufficient validation of user-supplied input
by the affected software. An attacker could exploit this vulnerability by
invoking an interface monitoring mechanism with a crafted argument on the
affected software. A successful exploit could allow the attacker to inject
and execute arbitrary, system-level commands with root privileges on an
affected device.
Cisco has released software updates that address this vulnerability. There
are no workarounds that address this vulnerability.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
cisco-sa-20190821-imc-cmdinj-1865
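The advisory describes the flaw only as a crafted argument reaching an interface monitoring mechanism; the code below is an added illustration, not Cisco's code, of how a management-interface wrapper should handle an interface-name argument so that CWE-78 command injection cannot occur. The wrapped command, the allowlist pattern and the function names are assumptions made for the example.

```python
"""Hardened argument handling for an interface-monitoring command wrapper (CWE-78).

Added example: Cisco IMC's real implementation is not public. The command, the
allowlist and the names below are assumptions made for illustration.
"""
import re
import subprocess
from typing import List

# Allowlist for interface names: lowercase letters and digits, 1-15 characters
# (Linux IFNAMSIZ - 1). Anything the pattern does not match is rejected, so shell
# metacharacters (; | & $ ` newline, quotes, redirections) never reach a command.
IFACE_RE = re.compile(r"^[a-z][a-z0-9]{0,14}$")

# Hypothetical monitoring command the management interface wraps.
MONITOR_COMMAND = "ifconfig"


def build_unsafe_shell_command(iface: str) -> str:
    """The anti-pattern the advisory's wording matches: user input spliced into
    a string that a shell would later interpret. Returned as text only and never
    run, so the problem can be seen without executing anything."""
    return f"{MONITOR_COMMAND} {iface}"


def validate_iface(iface: str) -> str:
    """Reject any interface name outside the allowlist; return it unchanged otherwise."""
    if not IFACE_RE.fullmatch(iface):
        raise ValueError(f"interface name rejected by allowlist: {iface!r}")
    return iface


def build_monitor_argv(iface: str) -> List[str]:
    """Hardened form: the validated value occupies its own argv slot and no shell
    is involved, so even a weakened allowlist could not let one argument become
    a second command (execv-style invocation passes it as a single token)."""
    return [MONITOR_COMMAND, validate_iface(iface)]


def run_monitor(iface: str, timeout: float = 5.0) -> subprocess.CompletedProcess:
    """Run the monitoring command with list argv and shell=False."""
    return subprocess.run(
        build_monitor_argv(iface), shell=False,
        capture_output=True, text=True, timeout=timeout, check=False,
    )


def rejected(iface: str) -> bool:
    """True when the allowlist refuses the value (used to exercise the check)."""
    try:
        validate_iface(iface)
    except ValueError:
        return True
    return False
```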
Affected Products
o Vulnerable Products
This vulnerability affects the following Cisco products if they are running
a vulnerable release of Cisco IMC Software:
UCS C-Series and S-Series Servers in standalone mode
UCS E-Series Servers
5000 Series Enterprise Network Compute System (ENCS) Platforms
For information about affected software releases, consult the Fixed
Software section of this advisory.
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory
are known to be affected by this vulnerability.
Cisco has confirmed that this vulnerability does not affect the following
Cisco FI-Attached servers managed by UCS Manager:
Cisco UCS B-Series Servers
Cisco UCS C-Series Servers
Cisco UCS S-Series Servers
Workarounds
o There are no workarounds that address this vulnerability.
Fixed Software
o Cisco has released free software updates that address the vulnerability
described in this advisory. Customers may only install and expect support
for software versions and feature sets for which they have purchased a
license. By installing, downloading, accessing, or otherwise using such
software upgrades, customers agree to follow the terms of the Cisco
software license:
https://www.cisco.com/c/en/us/products/end-user-license-agreement.html
Additionally, customers may only download software for which they have a
valid license, procured from Cisco directly, or through a Cisco authorized
reseller or partner. In most cases this will be a maintenance upgrade to
software that was previously purchased. Free security software updates do
not entitle customers to a new software license, additional software
feature sets, or major revision upgrades.
When considering software upgrades, customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories and Alerts page, to determine exposure and a
complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance
providers.
Customers Without Service Contracts
Customers who purchase directly from Cisco but do not hold a Cisco service
contract and customers who make purchases through third-party vendors but
are unsuccessful in obtaining fixed software through their point of sale
should obtain upgrades by contacting the Cisco TAC:
https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html
Customers should have the product serial number available and be prepared
to provide the URL of this advisory as evidence of entitlement to a free
upgrade.
Fixed Releases
Cisco UCS C-Series and S-Series Servers
Customers are advised to upgrade to the appropriate UCS C-Series and
S-Series Software release as indicated in the following table:
+----------------------------+----------------------------+
| Cisco IMC Software Release | First Fixed Release        |
+----------------------------+----------------------------+
| 1.4                        | Not vulnerable             |
| 1.5                        | 1.5(9g)                    |
| 2.0                        | 2.0(13o)                   |
| 3.0                        | 3.0(4k)                    |
| 4.0                        | 4.0(1d), 4.0(2c), 4.0(4b)  |
+----------------------------+----------------------------+
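The First Fixed Release tables list fixes per build train, so the same running release can be fixed under one advisory and still exposed under another (4.0(1d) is a first fixed release for cmdinj-1865 but below the 4.0(2f) fix of cmdinj-1864). The Python below is an added example, not Cisco's or AusCERT's, that parses Cisco IMC release strings and applies both tables; the conservative rule that only a fix in the same build train counts as "fixed" is this example's own reading of the table.

```python
"""Assess a Cisco IMC release string against a 'First Fixed Release' table.

Added example. Release strings have the form major.minor(buildNumber[letter]),
e.g. 4.0(2f) or 3.2(8). The tables are transcribed from the cmdinj-1864 and
cmdinj-1865 advisories for UCS C-Series/S-Series standalone servers.
"""
import re
from typing import Dict, List, Tuple

Release = Tuple[int, int, int, str]  # (major, minor, build number, build letter)

# "Not vulnerable" trains map to an empty list of fixes.
FIXED_TABLE_1864: Dict[str, List[str]] = {
    "1.4": [],
    "1.5": ["1.5(9g)"],
    "2.0": ["2.0(13o)"],
    "3.0": ["3.0(4k)"],
    "4.0": ["4.0(2f)", "4.0(4b)"],
}
FIXED_TABLE_1865: Dict[str, List[str]] = {
    "1.4": [],
    "1.5": ["1.5(9g)"],
    "2.0": ["2.0(13o)"],
    "3.0": ["3.0(4k)"],
    "4.0": ["4.0(1d)", "4.0(2c)", "4.0(4b)"],
}

RELEASE_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)([a-z]*)\)$")


def parse_release(text: str) -> Release:
    """'4.0(2f)' -> (4, 0, 2, 'f'); '3.2(8)' -> (3, 2, 8, '')."""
    m = RELEASE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Cisco IMC release string: {text!r}")
    major, minor, build, letter = m.groups()
    return int(major), int(minor), int(build), letter


def assess(release_text: str, table: Dict[str, List[str]]) -> str:
    """Return 'not_vulnerable', 'fixed', 'vulnerable' or 'indeterminate'.

    A release is 'fixed' only when a listed fix exists in its own build train
    (same major.minor and build number) and the letter is at or above the fix;
    4.0(2f) and 4.0(4b) are separate trains, so 4.0(4a) is not covered by 2f.
    Anything below the lowest listed fix is 'vulnerable'; trains with no listed
    fix, or major.minor values absent from the table, are 'indeterminate' and
    should be treated as exposed until confirmed against the advisory.
    """
    major, minor, build, letter = parse_release(release_text)
    train = f"{major}.{minor}"
    if train not in table:
        return "indeterminate"
    fixes = [parse_release(f) for f in table[train]]
    if not fixes:
        return "not_vulnerable"
    same_train = [f for f in fixes if f[2] == build]
    if same_train:
        first = min(same_train)
        return "fixed" if (build, letter) >= (first[2], first[3]) else "vulnerable"
    lowest = min(fixes)
    if (build, letter) < (lowest[2], lowest[3]):
        return "vulnerable"
    return "indeterminate"


if __name__ == "__main__":
    # Constructed inventory of running releases, not real devices.
    for running in ("1.4(7d)", "3.0(4j)", "4.0(1d)", "4.0(4a)", "4.0(3a)"):
        print(f"{running:9} 1864={assess(running, FIXED_TABLE_1864):15}"
              f" 1865={assess(running, FIXED_TABLE_1865)}")
```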
Customers can download Cisco IMC Software from the Software Center on
Cisco.com by doing the following:
1. Click Browse all.
2. Navigate to Servers - Unified Computing > UCS C-Series Rack-Mount
Standalone Server Software.
3. In the right pane, choose the appropriate Cisco UCS C-Series platform.
4. On the Select a Software Type page, click Unified Computing System
(UCS) Server Firmware.
5. Access releases by using the left pane of the page.
Cisco UCS E-Series Servers
Cisco fixed this vulnerability in Cisco IMC Software Release 3.2(8) for
Cisco UCS E-Series Servers.
Customers can download the software from the Software Center on Cisco.com
by doing the following:
1. Click Browse all.
2. Navigate to Servers - Unified Computing > UCS E-Series Software.
3. In the right pane, choose the appropriate Cisco UCS E-Series platform.
4. On the Select a Software Type page, click Unified Computing System
(UCS) Server Firmware.
5. Access releases by using the left pane of the page.
Cisco 5000 Series Enterprise Network Compute System Platforms
Cisco fixed this vulnerability in Cisco IMC Software Release 3.2(8) for
Cisco 5000 Series Enterprise Network Compute System (ENCS) Platforms.
Customers can download the software from the Software Center on Cisco.com
by doing the following:
1. Click Browse all.
2. Navigate to Routers > Network Functions Virtualization > 5000 Series
Enterprise Network Compute System.
3. In the right pane, choose the appropriate ENCS platform.
4. On the Select a Software Type page, click ENCS Software.
5. Access releases by using the left pane of the page.
Exploitation and Public Announcements
o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
any public announcements or malicious use of the vulnerability that is
described in this advisory.
Source
o This vulnerability was found during internal security testing.
Cisco Security Vulnerability Policy
o To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy. This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
URL
o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
cisco-sa-20190821-imc-cmdinj-1865
Revision History
o +---------+--------------------------+---------+--------+-----------------+
| Version | Description | Section | Status | Date |
+---------+--------------------------+---------+--------+-----------------+
| 1.0 | Initial public release. | - | Final | 2019-August-21 |
+---------+--------------------------+---------+--------+-----------------+
- ------------------------------------------------------------------------------
Cisco Integrated Management Controller Command Injection Vulnerability
Priority: High
Advisory ID: cisco-sa-20190821-imc-cmdinject-1634
First Published: 2019 August 21 16:00 GMT
Version 1.0: Final
Workarounds: No workarounds available
Cisco Bug IDs: CSCvo35971
CVE-2019-1634
CWE-78
CVSS Score:
7.2 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:X
Summary
o A vulnerability in the Intelligent Platform Management Interface (IPMI) of
Cisco Integrated Management Controller (IMC) could allow an authenticated,
remote attacker to inject arbitrary commands that are executed with root
privileges on the underlying operating system (OS).
The vulnerability is due to insufficient input validation of user-supplied
commands. An attacker who has administrator privileges and access to the
network where the IPMI resides could exploit this vulnerability by
submitting crafted input to the affected commands. A successful exploit
could allow the attacker to gain root privileges on the affected device.
Cisco has released software updates that address this vulnerability. There
are no workarounds that address this vulnerability.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
cisco-sa-20190821-imc-cmdinject-1634
Affected Products
o Vulnerable Products
This vulnerability affects the following Cisco products if they are running
a vulnerable release of Cisco IMC Software:
UCS C-Series and S-Series Servers in standalone mode
UCS E-Series Servers
5000 Series Enterprise Network Compute System (ENCS) Platforms
For information about affected software releases, consult the Fixed
Software section of this advisory.
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory
are known to be affected by this vulnerability.
Cisco has confirmed that this vulnerability does not affect the following
Cisco FI-Attached servers that are managed by UCS Manager:
UCS B-Series Servers
UCS C-Series Servers
UCS S-Series Servers
Workarounds
o There are no workarounds that address this vulnerability.
Fixed Software
o Cisco has released free software updates that address the vulnerability
described in this advisory. Customers may only install and expect support
for software versions and feature sets for which they have purchased a
license. By installing, downloading, accessing, or otherwise using such
software upgrades, customers agree to follow the terms of the Cisco
software license:
https://www.cisco.com/c/en/us/products/end-user-license-agreement.html
Additionally, customers may only download software for which they have a
valid license, procured from Cisco directly, or through a Cisco authorized
reseller or partner. In most cases this will be a maintenance upgrade to
software that was previously purchased. Free security software updates do
not entitle customers to a new software license, additional software
feature sets, or major revision upgrades.
When considering software upgrades, customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories and Alerts page, to determine exposure and a
complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance
providers.
Customers Without Service Contracts
Customers who purchase directly from Cisco but do not hold a Cisco service
contract and customers who make purchases through third-party vendors but
are unsuccessful in obtaining fixed software through their point of sale
should obtain upgrades by contacting the Cisco TAC:
https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html
Customers should have the product serial number available and be prepared
to provide the URL of this advisory as evidence of entitlement to a free
upgrade.
Fixed Releases
Cisco UCS C-Series and S-Series Servers
Customers are advised to upgrade to the appropriate Cisco UCS C-Series and
S-Series software release as indicated in the following table:
+----------------------------+---------------------+
| Cisco IMC Software Release | First Fixed Release |
+----------------------------+---------------------+
| 1.4                        | Not vulnerable      |
| 1.5                        | 1.5(9g)             |
| 2.0                        | 2.0(13o)            |
| 3.0                        | 3.0(4k)             |
| 4.0                        | 4.0(2f), 4.0(4b)    |
+----------------------------+---------------------+
Customers can download Cisco IMC Software from the Software Center on
Cisco.com by doing the following:
1. Click Browse all.
2. Navigate to Servers - Unified Computing > UCS C-Series Rack-Mount
Standalone Server Software.
3. In the right pane, choose the appropriate Cisco UCS C-Series platform.
4. On the Select a Software Type page, click Unified Computing System
(UCS) Server Firmware.
5. Access releases by using the left pane of the page.
Cisco UCS E-Series Servers
Cisco fixed this vulnerability in Cisco IMC Software Release 3.2(8) for
Cisco UCS E-Series Servers.
Customers can download the software from the Software Center on Cisco.com
by doing the following:
1. Click Browse all.
2. Navigate to Servers - Unified Computing > UCS E-Series Software.
3. In the right pane, choose the appropriate Cisco UCS E-Series platform.
4. On the Select a Software Type page, click Unified Computing System
(UCS) Server Firmware.
5. Access releases by using the left pane of the page.
Cisco 5000 Series Enterprise Network Compute System Platforms
Cisco fixed this vulnerability in Cisco IMC Software Release 3.2(8) for
Cisco 5000 Series ENCS platforms.
Customers can download the software from the Software Center on Cisco.com
by doing the following:
1. Click Browse all.
2. Navigate to Routers > Network Functions Virtualization > 5000 Series
Enterprise Network Compute System.
3. In the right pane, choose the appropriate ENCS platform.
4. On the Select a Software Type page, click ENCS Software.
5. Access releases by using the left pane of the page.
Exploitation and Public Announcements
o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
any public announcements or malicious use of the vulnerability that is
described in this advisory.
Source
o This vulnerability was found during internal security testing.
Cisco Security Vulnerability Policy
o To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy. This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
URL
o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
cisco-sa-20190821-imc-cmdinject-1634
Revision History
o +---------+--------------------------+---------+--------+-----------------+
| Version | Description | Section | Status | Date |
+---------+--------------------------+---------+--------+-----------------+
| 1.0 | Initial public release. | - | Final | 2019-August-21 |
+---------+--------------------------+---------+--------+-----------------+
- ------------------------------------------------------------------------------
Cisco Integrated Management Controller Command Injection Vulnerability
Priority: High
Advisory ID: cisco-sa-20190821-ucs-cimc
First Published: 2019 August 21 16:00 GMT
Version 1.0: Final
Workarounds: No workarounds available
Cisco Bug IDs: CSCvo01180
CVE-2019-1885
CWE-78
CVSS Score:
7.2 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:X
Summary
o A vulnerability in the Redfish protocol of Cisco Integrated Management
Controller (IMC) could allow an authenticated, remote attacker to inject
and execute arbitrary commands with root privileges on an affected device.
The vulnerability is due to insufficient validation of user-supplied input
by the affected software. An attacker could exploit this vulnerability by
sending crafted authenticated commands to the web-based management
interface of the affected software. A successful exploit could allow the
attacker to inject and execute arbitrary commands on an affected device
with root privileges.
Cisco has released software updates that address this vulnerability. There
are no workarounds that address this vulnerability.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
cisco-sa-20190821-ucs-cimc
Affected Products
o Vulnerable Products
This vulnerability affects Cisco UCS C-Series and S-Series Servers in
Standalone mode that are running Cisco IMC Software prior to the first
fixed releases of 3.0 and 4.0.
For information about affected software releases, consult the Fixed
Software section of this advisory.
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory
are known to be affected by this vulnerability.
Cisco has confirmed that this vulnerability does not affect the following
Cisco products:
UCS E-Series Servers
5000 Series Enterprise Network Compute System
FI-Attached servers managed by UCS Manager, including UCS B-Series,
C-Series, and S-Series Servers
Workarounds
o There are no workarounds that address this vulnerability.
Fixed Software
o Cisco has released free software updates that address the vulnerability
described in this advisory. Customers may only install and expect support
for software versions and feature sets for which they have purchased a
license. By installing, downloading, accessing, or otherwise using such
software upgrades, customers agree to follow the terms of the Cisco
software license:
https://www.cisco.com/c/en/us/products/end-user-license-agreement.html
Additionally, customers may only download software for which they have a
valid license, procured from Cisco directly, or through a Cisco authorized
reseller or partner. In most cases this will be a maintenance upgrade to
software that was previously purchased. Free security software updates do
not entitle customers to a new software license, additional software
feature sets, or major revision upgrades.
When considering software upgrades, customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories and Alerts page, to determine exposure and a
complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance
providers.
Customers Without Service Contracts
Customers who purchase directly from Cisco but do not hold a Cisco service
contract and customers who make purchases through third-party vendors but
are unsuccessful in obtaining fixed software through their point of sale
should obtain upgrades by contacting the Cisco TAC:
https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html
Customers should have the product serial number available and be prepared
to provide the URL of this advisory as evidence of entitlement to a free
upgrade.
Fixed Releases
Customers are advised to upgrade to the appropriate UCS C-Series and
S-Series software release as indicated in the following table:
+----------------------------+---------------------+
| Cisco IMC Software Release | First Fixed Release |
+----------------------------+---------------------+
| 1.4                        | Not vulnerable      |
| 1.5                        | Not vulnerable      |
| 2.0                        | Not vulnerable      |
| 3.0                        | 3.0(4k)             |
| 4.0                        | 4.0(2f), 4.0(4b)    |
+----------------------------+---------------------+
Customers can download Cisco IMC Software from the Software Center on
Cisco.com by doing the following:
1. Click Browse all.
2. Navigate to Servers - Unified Computing > UCS C-Series Rack-Mount
Standalone Server Software.
3. In the right pane, choose the appropriate Cisco UCS C-Series platform.
4. On the Select a Software Type page, click Unified Computing System
(UCS) Server Firmware.
5. Access releases by using the left pane of the page.
Exploitation and Public Announcements
o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
any public announcements or malicious use of the vulnerability that is
described in this advisory.
Source
o This vulnerability was found during internal security testing.
Cisco Security Vulnerability Policy
o To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy. This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
URL
o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
cisco-sa-20190821-ucs-cimc
Revision History
o +---------+--------------------------+---------+--------+-----------------+
| Version | Description | Section | Status | Date |
+---------+--------------------------+---------+--------+-----------------+
| 1.0 | Initial public release. | - | Final | 2019-August-21 |
+---------+--------------------------+---------+--------+-----------------+
- ------------------------------------------------------------------------------
Cisco Integrated Management Controller CSR Generation Command Injection
Vulnerability
Priority: High
Advisory ID: cisco-sa-20190821-imc-cmdinject-1896
First Published: 2019 August 21 16:00 GMT
Version 1.0: Final
Workarounds: No workarounds available
Cisco Bug IDs: CSCvo36057
CVE-2019-1896
CWE-78
CVSS Score:
7.2 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:X
Summary
o A vulnerability in the web-based management interface of Cisco Integrated
Management Controller (IMC) could allow an authenticated, remote attacker
to inject arbitrary commands and obtain root privileges.
The vulnerability is due to insufficient validation of user-supplied input
in the Certificate Signing Request (CSR) function of the web-based
management interface. An attacker could exploit this vulnerability by
submitting a crafted CSR in the web-based management interface. A
successful exploit could allow an attacker with administrator privileges to
execute arbitrary commands on the device with full root privileges.
Cisco has released software updates that address this vulnerability. There
are no workarounds that address this vulnerability.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
cisco-sa-20190821-imc-cmdinject-1896
Affected Products
o Vulnerable Products
This vulnerability affects the following Cisco products if they are running
a vulnerable release of Cisco IMC Software:
UCS C-Series and S-Series Servers in standalone mode
UCS E-Series Servers
5000 Series Enterprise Network Compute System (ENCS) Platforms
For information about affected software releases, consult the Fixed
Software section of this advisory.
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory
are known to be affected by this vulnerability.
Cisco has confirmed that this vulnerability does not affect the following
Cisco FI-Attached servers that are managed by UCS Manager:
UCS B-Series Servers
UCS C-Series Servers
UCS S-Series Servers
Workarounds
o There are no workarounds that address this vulnerability.
Fixed Software
o Cisco has released free software updates that address the vulnerability
described in this advisory. Customers may only install and expect support
for software versions and feature sets for which they have purchased a
license. By installing, downloading, accessing, or otherwise using such
software upgrades, customers agree to follow the terms of the Cisco
software license:
https://www.cisco.com/c/en/us/products/end-user-license-agreement.html
Additionally, customers may only download software for which they have a
valid license, procured from Cisco directly, or through a Cisco authorized
reseller or partner. In most cases this will be a maintenance upgrade to
software that was previously purchased. Free security software updates do
not entitle customers to a new software license, additional software
feature sets, or major revision upgrades.
When considering software upgrades, customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories and Alerts page, to determine exposure and a
complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance
providers.
Customers Without Service Contracts
Customers who purchase directly from Cisco but do not hold a Cisco service
contract and customers who make purchases through third-party vendors but
are unsuccessful in obtaining fixed software through their point of sale
should obtain upgrades by contacting the Cisco TAC:
https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html
Customers should have the product serial number available and be prepared
to provide the URL of this advisory as evidence of entitlement to a free
upgrade.
Fixed Releases
Cisco UCS C-Series and S-Series Servers
Customers are advised to upgrade to the appropriate Cisco UCS C-Series and
S-Series software release as indicated in the following table:
+----------------------------+---------------------+
| Cisco IMC Software Release | First Fixed Release |
+----------------------------+---------------------+
| 1.4                        | Not vulnerable      |
| 1.5                        | Not vulnerable      |
| 2.0                        | 2.0(13o)            |
| 3.0                        | 3.0(4k)             |
| 4.0                        | 4.0(2f), 4.0(4b)    |
+----------------------------+---------------------+
Customers can download Cisco IMC Software from the Software Center on
Cisco.com by doing the following:
1. Click Browse all.
2. Navigate to Servers - Unified Computing > UCS C-Series Rack-Mount
Standalone Server Software.
3. In the right pane, choose the appropriate Cisco UCS C-Series platform.
4. On the Select a Software Type page, click Unified Computing System
(UCS) Server Firmware.
5. Access releases by using the left pane of the page.
Cisco UCS E-Series Servers
Cisco fixed this vulnerability in Cisco IMC Software Release 3.2(8) for
Cisco UCS E-Series Servers.
Customers can download the software from the Software Center on Cisco.com
by doing the following:
1. Click Browse all.
2. Navigate to Servers - Unified Computing > UCS E-Series Software.
3. In the right pane, choose the appropriate Cisco UCS E-Series platform.
4. On the Select a Software Type page, click Unified Computing System
(UCS) Server Firmware.
5. Access releases by using the left pane of the page.
Cisco 5000 Series Enterprise Network Compute System Platforms
Cisco fixed this vulnerability in Cisco IMC Software Release 3.2(8) for
Cisco 5000 Series ENCS Platforms.
Customers can download the software from the Software Center on Cisco.com
by doing the following:
1. Click Browse all.
2. Navigate to Routers > Network Functions Virtualization > 5000 Series
Enterprise Network Compute System.
3. In the right pane, choose the appropriate ENCS platform.
4. On the Select a Software Type page, click ENCS Software.
5. Access releases by using the left pane of the page.
Exploitation and Public Announcements
o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
any public announcements or malicious use of the vulnerability that is
described in this advisory.
Source
o This vulnerability was found during internal security testing.
Cisco Security Vulnerability Policy
o To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy. This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
URL
o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
cisco-sa-20190821-imc-cmdinject-1896
Revision History
o +---------+--------------------------+---------+--------+-----------------+
| Version | Description | Section | Status | Date |
+---------+--------------------------+---------+--------+-----------------+
| 1.0 | Initial public release. | - | Final | 2019-August-21 |
+---------+--------------------------+---------+--------+-----------------+
- ------------------------------------------------------------------------------
Cisco Integrated Management Controller CLI Command Injection Vulnerability
Priority: High
Advisory ID: cisco-sa-20190821-cimc-cli-inject
First Published: 2019 August 21 16:00 GMT
Version 1.0: Final
Workarounds: No workarounds available
Cisco Bug IDs: CSCvo35996
CVE-2019-1883
CWE-78
CVSS Score:
7.0 AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:X
Summary
o A vulnerability in the command-line interface of Cisco Integrated
Management Controller (IMC) could allow an authenticated, local attacker
with read-only credentials to inject arbitrary commands that could allow
them to obtain root privileges.
The vulnerability is due to insufficient validation of user-supplied input
on the command-line interface. An attacker could exploit this vulnerability
by authenticating with read-only privileges via the CLI of an affected
device and submitting crafted input to the affected commands. A successful
exploit could allow an attacker to execute arbitrary commands on the device
with root privileges.
Cisco has released software updates that address this vulnerability. There
are no workarounds that address this vulnerability.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
cisco-sa-20190821-cimc-cli-inject
Affected Products
o Vulnerable Products
This vulnerability affects the following Cisco products:
UCS C-Series and S-Series Servers in standalone mode that are running
Cisco IMC Software earlier than the first fixed releases of 3.0 and
4.0.
UCS E-Series Servers that are running Cisco IMC Software earlier than
the first fixed release of 3.2(8).
5000 Series Enterprise Network Compute System (ENCS) Platforms that are
running Cisco IMC Software earlier than the first fixed release of 3.2(8).
For information about affected software releases, consult the Fixed
Software section of this advisory.
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory
are known to be affected by this vulnerability.
Cisco has confirmed that this vulnerability does not affect the following
Cisco FI-Attached servers managed by UCS Manager:
Cisco UCS B-Series Servers
Cisco UCS C-Series Servers
Cisco UCS S-Series Servers
Workarounds
o There are no workarounds that address this vulnerability.
Fixed Software
o Cisco has released free software updates that address the vulnerability
described in this advisory. Customers may only install and expect support
for software versions and feature sets for which they have purchased a
license. By installing, downloading, accessing, or otherwise using such
software upgrades, customers agree to follow the terms of the Cisco
software license:
https://www.cisco.com/c/en/us/products/end-user-license-agreement.html
Additionally, customers may only download software for which they have a
valid license, procured from Cisco directly, or through a Cisco authorized
reseller or partner. In most cases this will be a maintenance upgrade to
software that was previously purchased. Free security software updates do
not entitle customers to a new software license, additional software
feature sets, or major revision upgrades.
When considering software upgrades, customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories and Alerts page, to determine exposure and a
complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance
providers.
Customers Without Service Contracts
Customers who purchase directly from Cisco but do not hold a Cisco service
contract and customers who make purchases through third-party vendors but
are unsuccessful in obtaining fixed software through their point of sale
should obtain upgrades by contacting the Cisco TAC:
https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html
Customers should have the product serial number available and be prepared
to provide the URL of this advisory as evidence of entitlement to a free
upgrade.
Fixed Releases
Customers are advised to upgrade to the appropriate UCS C-Series and
S-Series software release as indicated in the following table:
+----------------------------+---------------------+
| Cisco IMC Software Release | First Fixed Release |
+----------------------------+---------------------+
| 1.4                        | Not vulnerable      |
| 1.5                        | Not vulnerable      |
| 2.0                        | Not vulnerable      |
| 3.0                        | 3.0(4k)             |
| 4.0                        | 4.0(2f), 4.0(4b)    |
+----------------------------+---------------------+
Customers can download Cisco IMC Software from the Software Center on
Cisco.com by doing the following:
1. Click Browse all.
2. Navigate to Servers - Unified Computing > UCS C-Series Rack-Mount
Standalone Server Software.
3. In the right pane, choose the appropriate Cisco UCS C-Series platform.
4. On the Select a Software Type page, click Unified Computing System
(UCS) Server Firmware.
5. Access releases by using the left pane of the page.
Cisco fixed this vulnerability in Cisco IMC Software Release 3.2(8) for
Cisco UCS E-Series Servers.
Customers can download the software from the Software Center on Cisco.com
by doing the following:
1. Click Browse all.
2. Navigate to Servers - Unified Computing > UCS E-Series Software.
3. In the right pane, choose the appropriate Cisco UCS E-Series platform.
4. On the Select a Software Type page, click Unified Computing System
(UCS) Server Firmware.
5. Access releases by using the left pane of the page.
Cisco fixed this vulnerability in Cisco IMC Software Release 3.2(8) for
Cisco 5000 Series Enterprise Network Compute System (ENCS) Platforms.
Customers can download the software from the Software Center on Cisco.com
by doing the following:
1. Click Browse all.
2. Navigate to Routers > Network Functions Virtualization > 5000 Series
Enterprise Network Compute System.
3. In the right pane, choose the appropriate ENCS platform.
4. On the Select a Software Type page, click ENCS Software.
5. Access releases by using the left pane of the page.
Exploitation and Public Announcements
o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
any public announcements or malicious use of the vulnerability that is
described in this advisory.
Source
o This vulnerability was found during internal security testing.
Cisco Security Vulnerability Policy
o To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy. This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
URL
o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
cisco-sa-20190821-cimc-cli-inject
Revision History
o +---------+--------------------------+---------+--------+-----------------+
| Version | Description | Section | Status | Date |
+---------+--------------------------+---------+--------+-----------------+
| 1.0 | Initial public release. | - | Final | 2019-August-21 |
+---------+--------------------------+---------+--------+-----------------+
- ------------------------------------------------------------------------------
Cisco Integrated Management Controller Buffer Overflow Vulnerability
Priority: High
Advisory ID: cisco-sa-20190821-imc-bo
First Published: 2019 August 21 16:00 GMT
Version 1.0: Final
Workarounds: No workarounds available
Cisco Bug IDs: CSCvo36122
CVE-2019-1871
CWE-119
CVSS Score:
7.2 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:X
Summary
o A vulnerability in the Import Cisco IMC configuration utility of Cisco
Integrated Management Controller (IMC) could allow an authenticated, remote
attacker to cause a denial of service (DoS) condition and execute
arbitrary commands with root privileges on an affected device.
The vulnerability is due to improper bounds checking by the import-config
process. An attacker could exploit this vulnerability by sending malicious
packets to an affected device. When the packets are processed, an
exploitable buffer overflow condition may occur. A successful exploit could
allow the attacker to execute arbitrary code on the affected device with
elevated privileges.
Cisco has released software updates that address this vulnerability. There
are no workarounds that address this vulnerability.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
cisco-sa-20190821-imc-bo
Affected Products
o Vulnerable Products
This vulnerability affects the following Cisco products if they are running
a vulnerable release of Cisco IMC Software:
UCS C-Series and S-Series Servers in standalone mode
UCS E-Series Servers
5000 Series Enterprise Network Compute System (ENCS) Platform
For information about affected software releases, consult the Fixed
Software section of this advisory.
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory
are known to be affected by this vulnerability.
Cisco has confirmed that this vulnerability does not affect the following
Cisco FI-Attached servers managed by UCS Manager:
Cisco UCS B-Series Servers
Cisco UCS C-Series Servers
Cisco UCS S-Series Servers
Workarounds
o There are no workarounds that address this vulnerability.
Fixed Software
o Cisco has released free software updates that address the vulnerability
described in this advisory. Customers may only install and expect support
for software versions and feature sets for which they have purchased a
license. By installing, downloading, accessing, or otherwise using such
software upgrades, customers agree to follow the terms of the Cisco
software license:
https://www.cisco.com/c/en/us/products/end-user-license-agreement.html
Additionally, customers may only download software for which they have a
valid license, procured from Cisco directly, or through a Cisco authorized
reseller or partner. In most cases this will be a maintenance upgrade to
software that was previously purchased. Free security software updates do
not entitle customers to a new software license, additional software
feature sets, or major revision upgrades.
When considering software upgrades, customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories and Alerts page, to determine exposure and a
complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance
providers.
Customers Without Service Contracts
Customers who purchase directly from Cisco but do not hold a Cisco service
contract and customers who make purchases through third-party vendors but
are unsuccessful in obtaining fixed software through their point of sale
should obtain upgrades by contacting the Cisco TAC:
https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html
Customers should have the product serial number available and be prepared
to provide the URL of this advisory as evidence of entitlement to a free
upgrade.
Fixed Releases
Cisco UCS C-Series and S-Series Servers
Customers are advised to upgrade to the appropriate UCS C-Series and
S-Series software release as indicated in the following table:
+----------------------------+---------------------+
| Cisco IMC Software Release | First Fixed Release |
+----------------------------+---------------------+
| 1.4                        | Not vulnerable      |
| 1.5                        | Not vulnerable      |
| 2.0                        | Not vulnerable      |
| 3.0                        | 3.0(4k)             |
| 4.0                        | 4.0(2f), 4.0(4b)    |
+----------------------------+---------------------+
Customers can download Cisco IMC Software from the Software Center on
Cisco.com by doing the following:
1. Click Browse all.
2. Navigate to Servers - Unified Computing > UCS C-Series Rack-Mount
Standalone Server Software.
3. In the right pane, choose the appropriate Cisco UCS C-Series platform.
4. On the Select a Software Type page, click Unified Computing System
(UCS) Server Firmware.
5. Access releases by using the left pane of the page.
Cisco UCS E-Series Servers
Cisco fixed this vulnerability in Cisco IMC Software Release 3.2(8) for
Cisco UCS E-Series Servers.
Customers can download the software from the Software Center on Cisco.com
by doing the following:
1. Click Browse all.
2. Navigate to Servers - Unified Computing > UCS E-Series Software.
3. In the right pane, choose the appropriate Cisco UCS E-Series platform.
4. On the Select a Software Type page, click Unified Computing System
(UCS) Server Firmware.
5. Access releases by using the left pane of the page.
Cisco 5000 Series Enterprise Network Compute System (ENCS) Platforms
Cisco fixed this vulnerability in Cisco IMC Software Release 3.2(8) for
Cisco 5000 Series ENCS Platforms.
Customers can download the software from the Software Center on Cisco.com
by doing the following:
1. Click Browse all.
2. Navigate to Routers > Network Functions Virtualization > 5000 Series
Enterprise Network Compute System.
3. In the right pane, choose the appropriate ENCS platform.
4. On the Select a Software Type page, click ENCS Software.
5. Access releases by using the left pane of the page.
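The first-fixed tables in the two advisories above (3.0(4k) and 4.0(2f)/4.0(4b) for standalone C-Series and S-Series, 3.2(8) for E-Series and ENCS) can be turned into an inventory check. The following is an added example, not Cisco or AusCERT code; how it treats a 4.0 maintenance number that is not listed in the table is an assumption, marked in the comments.

```python
import re
from typing import Optional

# Cisco IMC release strings as printed in the advisory look like "3.0(4k)",
# "4.0(2f)" or "3.2(8)": major.minor, then a maintenance number and an
# optional patch letter in parentheses.
_RELEASE_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)([a-z]?)\)$")


def parse_release(text: str) -> tuple:
    """Parse an IMC release into a comparable (major, minor, maint, letter) tuple."""
    m = _RELEASE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Cisco IMC release string: {text!r}")
    major, minor, maint, letter = m.groups()
    # A release with no letter, e.g. 3.2(8), sorts before 3.2(8a): "" < "a".
    return (int(major), int(minor), int(maint), letter)


# First-fixed table for standalone UCS C-Series/S-Series, copied from the
# advisories above. Trains listed as "Not vulnerable" carry an empty list.
C_SERIES_FIRST_FIXED = {
    "1.4": [], "1.5": [], "2.0": [],
    "3.0": ["3.0(4k)"],
    "4.0": ["4.0(2f)", "4.0(4b)"],
}
# UCS E-Series servers and 5000 Series ENCS platforms: fixed in 3.2(8).
E_SERIES_ENCS_FIRST_FIXED = {"3.2": ["3.2(8)"]}


def is_vulnerable(release: str, table: dict) -> Optional[bool]:
    """True if `release` predates its first fixed release, False if it is fixed
    or its train is listed as not vulnerable, None if the train is not in the table."""
    parsed = parse_release(release)
    train = f"{parsed[0]}.{parsed[1]}"
    if train not in table:
        return None
    fixed = sorted(parse_release(f) for f in table[train])
    if not fixed:
        return False  # "Not vulnerable" train
    # Assumption (not stated in the advisory): where a train lists several
    # first fixed releases, compare against the fix for the same maintenance
    # number, or the next higher listed one if that number is not listed
    # (so 4.0(3a) is treated as vulnerable until 4.0(4b)). Anything newer
    # than every listed fix is treated as fixed.
    candidates = [f for f in fixed if f[2] >= parsed[2]]
    if not candidates:
        return False
    return parsed < candidates[0]


if __name__ == "__main__":
    # Constructed inventory, not real device data.
    for rel in ("3.0(4j)", "3.0(4k)", "4.0(2e)", "4.0(4b)", "2.0(13n)"):
        print(rel, "vulnerable" if is_vulnerable(rel, C_SERIES_FIRST_FIXED) else "ok")
```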
Exploitation and Public Announcements
o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
any public announcements or malicious use of the vulnerability that is
described in this advisory.
Source
o This vulnerability was found during internal security testing.
Cisco Security Vulnerability Policy
o To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy. This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
URL
o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
cisco-sa-20190821-imc-bo
Revision History
o +---------+--------------------------+---------+--------+-----------------+
| Version | Description | Section | Status | Date |
+---------+--------------------------+---------+--------+-----------------+
| 1.0 | Initial public release. | - | Final | 2019-August-21 |
+---------+--------------------------+---------+--------+-----------------+
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================