Vulnerabilities > CVE-2020-3243 - Improper Privilege Management vulnerability in Cisco UCS Director and UCS Director Express for BIG Data
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
HIGH Integrity impact
HIGH Availability impact
HIGH Summary
Multiple vulnerabilities in the REST API of Cisco UCS Director and Cisco UCS Director Express for Big Data may allow a remote attacker to bypass authentication or conduct directory traversal attacks on an affected device. For more information about these vulnerabilities, see the Details section of this advisory.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Restful Privilege Elevation Rest uses standard HTTP (Get, Put, Delete) style permissions methods, but these are not necessarily correlated generally with back end programs. Strict interpretation of HTTP get methods means that these HTTP Get services should not be used to delete information on the server, but there is no access control mechanism to back up this logic. This means that unless the services are properly ACL'd and the application's service implementation are following these guidelines then an HTTP request can easily execute a delete or update on the server side. The attacker identifies a HTTP Get URL such as http://victimsite/updateOrder, which calls out to a program to update orders on a database or other resource. The URL is not idempotent so the request can be submitted multiple times by the attacker, additionally, the attacker may be able to exploit the URL published as a Get method that actually performs updates (instead of merely retrieving data). This may result in malicious or inadvertent altering of data on the server.
Metasploit
description | This module exploits an authentication bypass and directory traversals in Cisco UCS Director < 6.7.4.0 to leak the administrator's REST API key and execute a Cloupia script containing an arbitrary root command. Note that the primary functionality of this module is to leverage the Cloupia script interpreter to execute code. This functionality is part of the application's intended operation and considered a "foreverday." The authentication bypass and directory traversals only get us there. If you already have an API key, you may set it in the API_KEY option. The LEAK_FILE option may be set if you wish to leak the API key from a different absolute path, but normally this isn't advisable. Tested on Cisco's VMware distribution of 6.7.3.0. |
id | MSF:EXPLOIT/LINUX/HTTP/CISCO_UCS_CLOUPIA_SCRIPT_RCE |
last seen | 2020-06-12 |
modified | 2020-05-05 |
published | 2020-04-27 |
references | |
reporter | Rapid7 |
source | https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/http/cisco_ucs_cloupia_script_rce.rb |
title | Cisco UCS Director Cloupia Script RCE |
Nessus
NASL family | CISCO |
NASL id | CISCO-SA-UCSD-MULT-VULNS-UNFPDW4E.NASL |
description | According to its self-reported version, the remote host is running a version of Cisco UCS Director that is affected by multiple vulnerabilities in the REST API which allow a remote attacker to bypass authentication or conduct directory traversal attacks on an affected device, including the following: - An unauthenticated, remote attacker can bypass authentication and execute arbitrary actions with administrative privileges on an affected device due to insufficient access control validation. An attacker can exploit this vulnerability by sending a crafted request to the REST API, allowing the attacker to interact with the REST API with administrative privileges. (CVE-2020-3243) - An unauthenticated, remote attacker can execute arbitrary code with root privileges on the underlying operating system due to improper input validation. An attacker can exploit this by crafting a malicious file and sending it to the REST API. (CVE-2020-3240) - An unauthenticated, remote attacker can bypass authentication and execute API calls on an affected device due to insufficient access control validation. An attacker can exploit this by sending a request to the REST API endpoint in order to cause a potential Denial of Service (DoS) condition on the affected device. (CVE-2020-3250) Note that Nessus has not tested for this issue but has instead relied only on the application |
last seen | 2020-06-10 |
modified | 2020-04-21 |
plugin id | 135766 |
published | 2020-04-21 |
reporter | This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/135766 |
title | Cisco UCS Director and Cisco UCS Director Express for Big Data Multiple Vuulnerabilities (cisco-sa-ucsd-mult-vulns-UNfpdW4E) |
code |
|
Packetstorm
data source | https://packetstormsecurity.com/files/download/157955/cisco_ucs_cloupia_script_rce.rb.txt |
id | PACKETSTORM:157955 |
last seen | 2020-06-06 |
published | 2020-06-05 |
reporter | mr_me |
source | https://packetstormsecurity.com/files/157955/Cisco-UCS-Director-Cloupia-Script-Remote-Code-Execution.html |
title | Cisco UCS Director Cloupia Script Remote Code Execution |
References
- http://packetstormsecurity.com/files/157955/Cisco-UCS-Director-Cloupia-Script-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/157955/Cisco-UCS-Director-Cloupia-Script-Remote-Code-Execution.html
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ucsd-mult-vulns-UNfpdW4E
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ucsd-mult-vulns-UNfpdW4E
- https://www.zerodayinitiative.com/advisories/ZDI-20-540/
- https://www.zerodayinitiative.com/advisories/ZDI-20-540/