Vulnerabilities > CVE-2020-3250 - Improper Privilege Management vulnerability in Cisco UCS Director and UCS Director Express for BIG Data

047910
CVSS 9.8 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
network
low complexity
cisco
CWE-269
critical
nessus
metasploit

Summary

Multiple vulnerabilities in the REST API of Cisco UCS Director and Cisco UCS Director Express for Big Data may allow a remote attacker to bypass authentication or conduct directory traversal attacks on an affected device. For more information about these vulnerabilities, see the Details section of this advisory.

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Restful Privilege Elevation
    Rest uses standard HTTP (Get, Put, Delete) style permissions methods, but these are not necessarily correlated generally with back end programs. Strict interpretation of HTTP get methods means that these HTTP Get services should not be used to delete information on the server, but there is no access control mechanism to back up this logic. This means that unless the services are properly ACL'd and the application's service implementation are following these guidelines then an HTTP request can easily execute a delete or update on the server side. The attacker identifies a HTTP Get URL such as http://victimsite/updateOrder, which calls out to a program to update orders on a database or other resource. The URL is not idempotent so the request can be submitted multiple times by the attacker, additionally, the attacker may be able to exploit the URL published as a Get method that actually performs updates (instead of merely retrieving data). This may result in malicious or inadvertent altering of data on the server.

Metasploit

descriptionThis module exploits an authentication bypass and directory traversals in Cisco UCS Director < 6.7.4.0 to leak the administrator's REST API key and execute a Cloupia script containing an arbitrary root command. Note that the primary functionality of this module is to leverage the Cloupia script interpreter to execute code. This functionality is part of the application's intended operation and considered a "foreverday." The authentication bypass and directory traversals only get us there. If you already have an API key, you may set it in the API_KEY option. The LEAK_FILE option may be set if you wish to leak the API key from a different absolute path, but normally this isn't advisable. Tested on Cisco's VMware distribution of 6.7.3.0.
idMSF:EXPLOIT/LINUX/HTTP/CISCO_UCS_CLOUPIA_SCRIPT_RCE
last seen2020-06-12
modified2020-05-05
published2020-04-27
references
reporterRapid7
sourcehttps://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/http/cisco_ucs_cloupia_script_rce.rb
titleCisco UCS Director Cloupia Script RCE

Nessus

NASL familyCISCO
NASL idCISCO-SA-UCSD-MULT-VULNS-UNFPDW4E.NASL
descriptionAccording to its self-reported version, the remote host is running a version of Cisco UCS Director that is affected by multiple vulnerabilities in the REST API which allow a remote attacker to bypass authentication or conduct directory traversal attacks on an affected device, including the following: - An unauthenticated, remote attacker can bypass authentication and execute arbitrary actions with administrative privileges on an affected device due to insufficient access control validation. An attacker can exploit this vulnerability by sending a crafted request to the REST API, allowing the attacker to interact with the REST API with administrative privileges. (CVE-2020-3243) - An unauthenticated, remote attacker can execute arbitrary code with root privileges on the underlying operating system due to improper input validation. An attacker can exploit this by crafting a malicious file and sending it to the REST API. (CVE-2020-3240) - An unauthenticated, remote attacker can bypass authentication and execute API calls on an affected device due to insufficient access control validation. An attacker can exploit this by sending a request to the REST API endpoint in order to cause a potential Denial of Service (DoS) condition on the affected device. (CVE-2020-3250) Note that Nessus has not tested for this issue but has instead relied only on the application
last seen2020-06-10
modified2020-04-21
plugin id135766
published2020-04-21
reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
sourcehttps://www.tenable.com/plugins/nessus/135766
titleCisco UCS Director and Cisco UCS Director Express for Big Data Multiple Vuulnerabilities (cisco-sa-ucsd-mult-vulns-UNfpdW4E)
code
#
# (C) Tenable Network Security, Inc.
#

include('compat.inc');

if (description)
{
  script_id(135766);
  script_version("1.3");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/08");

  script_cve_id(
    "CVE-2020-3239",
    "CVE-2020-3240",
    "CVE-2020-3243",
    "CVE-2020-3247",
    "CVE-2020-3248",
    "CVE-2020-3249",
    "CVE-2020-3250",
    "CVE-2020-3251",
    "CVE-2020-3252"
  );
  script_xref(name:"CISCO-BUG-ID", value:"CSCvs53493");
  script_xref(name:"CISCO-BUG-ID", value:"CSCvs53496");
  script_xref(name:"CISCO-BUG-ID", value:"CSCvs53500");
  script_xref(name:"CISCO-BUG-ID", value:"CSCvs53502");
  script_xref(name:"CISCO-BUG-ID", value:"CSCvs56399");
  script_xref(name:"CISCO-BUG-ID", value:"CSCvs56400");
  script_xref(name:"CISCO-BUG-ID", value:"CSCvs56401");
  script_xref(name:"CISCO-BUG-ID", value:"CSCvs69022");
  script_xref(name:"CISCO-BUG-ID", value:"CSCvs69171");
  script_xref(name:"CISCO-BUG-ID", value:"CSCvt39489");
  script_xref(name:"CISCO-BUG-ID", value:"CSCvt39526");
  script_xref(name:"CISCO-BUG-ID", value:"CSCvt39535");
  script_xref(name:"CISCO-BUG-ID", value:"CSCvt39555");
  script_xref(name:"CISCO-BUG-ID", value:"CSCvt39561");
  script_xref(name:"CISCO-BUG-ID", value:"CSCvt39565");
  script_xref(name:"CISCO-BUG-ID", value:"CSCvt39575");
  script_xref(name:"CISCO-BUG-ID", value:"CSCvt39580");

  script_name(english:"Cisco UCS Director and Cisco UCS Director Express for Big Data Multiple Vuulnerabilities (cisco-sa-ucsd-mult-vulns-UNfpdW4E)");

  script_set_attribute(attribute:"synopsis", value:
"The remote host is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version, the remote host is running a version of Cisco UCS Director that is affected by
multiple vulnerabilities in the REST API which allow a remote attacker to bypass authentication or conduct directory
traversal attacks on an affected device, including the following:

  - An unauthenticated, remote attacker can bypass authentication and execute arbitrary actions with
    administrative privileges on an affected device due to insufficient access control validation. An
    attacker can exploit this vulnerability by sending a crafted request to the REST API, allowing the
    attacker to interact with the REST API with administrative privileges. (CVE-2020-3243)

  - An unauthenticated, remote attacker can execute arbitrary code with root privileges on the underlying
    operating system due to improper input validation. An attacker can exploit this by crafting a malicious
    file and sending it to the REST API. (CVE-2020-3240)

  - An unauthenticated, remote attacker can bypass authentication and execute API calls on an affected device
    due to insufficient access control validation. An attacker can exploit this by sending a request to the
    REST API endpoint in order to cause a potential Denial of Service (DoS) condition on the affected device.
    (CVE-2020-3250)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://tools.cisco.com/bugsearch/bug/CSCvs53493");
  script_set_attribute(attribute:"see_also", value:"https://tools.cisco.com/bugsearch/bug/CSCvs53496");
  script_set_attribute(attribute:"see_also", value:"https://tools.cisco.com/bugsearch/bug/CSCvs53500");
  script_set_attribute(attribute:"see_also", value:"https://tools.cisco.com/bugsearch/bug/CSCvs53502");
  script_set_attribute(attribute:"see_also", value:"https://tools.cisco.com/bugsearch/bug/CSCvs56399");
  script_set_attribute(attribute:"see_also", value:"https://tools.cisco.com/bugsearch/bug/CSCvs56400");
  script_set_attribute(attribute:"see_also", value:"https://tools.cisco.com/bugsearch/bug/CSCvs56401");
  script_set_attribute(attribute:"see_also", value:"https://tools.cisco.com/bugsearch/bug/CSCvs69022");
  script_set_attribute(attribute:"see_also", value:"https://tools.cisco.com/bugsearch/bug/CSCvs69171");
  script_set_attribute(attribute:"see_also", value:"https://tools.cisco.com/bugsearch/bug/CSCvt39489");
  script_set_attribute(attribute:"see_also", value:"https://tools.cisco.com/bugsearch/bug/CSCvt39526");
  script_set_attribute(attribute:"see_also", value:"https://tools.cisco.com/bugsearch/bug/CSCvt39535");
  script_set_attribute(attribute:"see_also", value:"https://tools.cisco.com/bugsearch/bug/CSCvt39555");
  script_set_attribute(attribute:"see_also", value:"https://tools.cisco.com/bugsearch/bug/CSCvt39561");
  script_set_attribute(attribute:"see_also", value:"https://tools.cisco.com/bugsearch/bug/CSCvt39565");
  script_set_attribute(attribute:"see_also", value:"https://tools.cisco.com/bugsearch/bug/CSCvt39575");
  script_set_attribute(attribute:"see_also", value:"https://tools.cisco.com/bugsearch/bug/CSCvt39580");
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ucsd-mult-vulns-UNfpdW4E
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?bbbadbc7");
  script_set_attribute(attribute:"solution", value:
"Apply the patch or upgrade to the version recommended in Cisco advisory.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-3243");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Cisco UCS Director Cloupia Script RCE');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2020/04/15");
  script_set_attribute(attribute:"patch_publication_date", value:"2020/04/15");
  script_set_attribute(attribute:"plugin_publication_date", value:"2020/04/21");

  script_set_attribute(attribute:"plugin_type", value:"combined");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:cisco:ucs_director");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CISCO");

  script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("cisco_ucs_director_detect.nbin");
  script_require_keys("Host/Cisco/UCSDirector/version");

  exit(0);
}

include('vcf.inc');

app_info = vcf::get_app_info(app:'Cisco UCS Director', kb_ver:'Host/Cisco/UCSDirector/version');

fix = '6.7.4.0';
constraints = [
  { 'equal' : '6.0.0.0', 'fixed_display': fix},
  { 'equal' : '6.0.0.1', 'fixed_display': fix},
  { 'equal' : '6.0.1.0', 'fixed_display': fix},
  { 'equal' : '6.0.1.1', 'fixed_display': fix},
  { 'equal' : '6.0.1.2', 'fixed_display': fix},
  { 'equal' : '6.0.1.3', 'fixed_display': fix},
  { 'equal' : '6.5.0.0', 'fixed_display': fix},
  { 'equal' : '6.5.0.1', 'fixed_display': fix},
  { 'equal' : '6.5.0.2', 'fixed_display': fix},
  { 'equal' : '6.5.0.3', 'fixed_display': fix},
  { 'equal' : '6.5.0.4', 'fixed_display': fix},
  { 'equal' : '6.6.0.0', 'fixed_display': fix},
  { 'equal' : '6.6.1.0', 'fixed_display': fix},
  { 'equal' : '6.6.2.0', 'fixed_display': fix},
  { 'equal' : '6.7.0.0', 'fixed_display': fix},
  { 'equal' : '6.7.1.0', 'fixed_display': fix},
  { 'equal' : '6.7.2.0', 'fixed_display': fix},
  { 'equal' : '6.7.3.0', 'fixed_display': fix}
];

vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);

Packetstorm

data sourcehttps://packetstormsecurity.com/files/download/157955/cisco_ucs_cloupia_script_rce.rb.txt
idPACKETSTORM:157955
last seen2020-06-06
published2020-06-05
reportermr_me
sourcehttps://packetstormsecurity.com/files/157955/Cisco-UCS-Director-Cloupia-Script-Remote-Code-Execution.html
titleCisco UCS Director Cloupia Script Remote Code Execution