Vulnerabilities > CVE-2020-3250 - Improper Privilege Management vulnerability in Cisco UCS Director and UCS Director Express FOR BIG Data

CVSS 7.5 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

PARTIAL

Integrity impact

PARTIAL

Availability impact

PARTIAL

network

low complexity

cisco

CWE-269

nessus

metasploit

NVD

Published: 2020-04-15

Updated: 2020-06-05

Summary

Multiple vulnerabilities in the REST API of Cisco UCS Director and Cisco UCS Director Express for Big Data may allow a remote attacker to bypass authentication or conduct directory traversal attacks on an affected device. For more information about these vulnerabilities, see the Details section of this advisory.

Vulnerable Configurations

Part	Description	Count
Application	Cisco Cisco UCS Director 6.0.0.0 Cisco UCS Director 6.0.0.1 Cisco UCS Director 6.0.1.0 Cisco UCS Director 6.0.1.1 Cisco UCS Director 6.0.1.2 Cisco UCS Director 6.0.1.3 Cisco UCS Director 6.5.0.0 Cisco UCS Director 6.5.0.1 Cisco UCS Director 6.5.0.2 Cisco UCS Director 6.5.0.3 Cisco UCS Director 6.5.0.4 Cisco UCS Director 6.6.0.0 Cisco UCS Director 6.6.1.0 Cisco UCS Director 6.6.2.0 Cisco UCS Director 6.7.0.0 Cisco UCS Director 6.7.1.0 Cisco UCS Director 6.7.2.0 Cisco UCS Director 6.7.3.0 Cisco UCS Director Express FOR BIG Data 2.0.0.0 Cisco UCS Director Express FOR BIG Data 2.1.0.0 Cisco UCS Director Express FOR BIG Data 2.1.0.2 Cisco UCS Director Express FOR BIG Data 3.0.0.0 Cisco UCS Director Express FOR BIG Data 3.0.1.3 Cisco UCS Director Express FOR BIG Data 3.5.0.0 Cisco UCS Director Express FOR BIG Data 3.5.0.3 Cisco UCS Director Express FOR BIG Data 3.6.0.0 Cisco UCS Director Express FOR BIG Data 3.6.1.0 Cisco UCS Director Express FOR BIG Data 3.7.0.0 Cisco UCS Director Express FOR BIG Data 3.7.2.0 Cisco UCS Director Express FOR BIG Data 3.7.3.0	30

Common Weakness Enumeration (CWE)

CWE-269 - Improper Privilege Management

Common Attack Pattern Enumeration and Classification (CAPEC)

Restful Privilege Elevation
Rest uses standard HTTP (Get, Put, Delete) style permissions methods, but these are not necessarily correlated generally with back end programs. Strict interpretation of HTTP get methods means that these HTTP Get services should not be used to delete information on the server, but there is no access control mechanism to back up this logic. This means that unless the services are properly ACL'd and the application's service implementation are following these guidelines then an HTTP request can easily execute a delete or update on the server side. The attacker identifies a HTTP Get URL such as http://victimsite/updateOrder, which calls out to a program to update orders on a database or other resource. The URL is not idempotent so the request can be submitted multiple times by the attacker, additionally, the attacker may be able to exploit the URL published as a Get method that actually performs updates (instead of merely retrieving data). This may result in malicious or inadvertent altering of data on the server.

Metasploit

description	This module exploits an authentication bypass and directory traversals in Cisco UCS Director < 6.7.4.0 to leak the administrator's REST API key and execute a Cloupia script containing an arbitrary root command. Note that the primary functionality of this module is to leverage the Cloupia script interpreter to execute code. This functionality is part of the application's intended operation and considered a "foreverday." The authentication bypass and directory traversals only get us there. If you already have an API key, you may set it in the API_KEY option. The LEAK_FILE option may be set if you wish to leak the API key from a different absolute path, but normally this isn't advisable. Tested on Cisco's VMware distribution of 6.7.3.0.
id	MSF:EXPLOIT/LINUX/HTTP/CISCO_UCS_CLOUPIA_SCRIPT_RCE
last seen	2020-06-12
modified	2020-05-05
published	2020-04-27
references	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3243 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3250 https://srcincite.io/blog/2020/04/17/strike-three-symlinking-your-way-to-unauthenticated-access-against-cisco-ucs-director.html https://srcincite.io/pocs/src-2020-0014.py.txt
reporter	Rapid7
source	https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/http/cisco_ucs_cloupia_script_rce.rb
title	Cisco UCS Director Cloupia Script RCE

Nessus

NASL family	CISCO
NASL id	CISCO-SA-UCSD-MULT-VULNS-UNFPDW4E.NASL
description	According to its self-reported version, the remote host is running a version of Cisco UCS Director that is affected by multiple vulnerabilities in the REST API which allow a remote attacker to bypass authentication or conduct directory traversal attacks on an affected device, including the following: - An unauthenticated, remote attacker can bypass authentication and execute arbitrary actions with administrative privileges on an affected device due to insufficient access control validation. An attacker can exploit this vulnerability by sending a crafted request to the REST API, allowing the attacker to interact with the REST API with administrative privileges. (CVE-2020-3243) - An unauthenticated, remote attacker can execute arbitrary code with root privileges on the underlying operating system due to improper input validation. An attacker can exploit this by crafting a malicious file and sending it to the REST API. (CVE-2020-3240) - An unauthenticated, remote attacker can bypass authentication and execute API calls on an affected device due to insufficient access control validation. An attacker can exploit this by sending a request to the REST API endpoint in order to cause a potential Denial of Service (DoS) condition on the affected device. (CVE-2020-3250) Note that Nessus has not tested for this issue but has instead relied only on the application
last seen	2020-06-10
modified	2020-04-21
plugin id	135766
published	2020-04-21
reporter	This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/135766
title	Cisco UCS Director and Cisco UCS Director Express for Big Data Multiple Vuulnerabilities (cisco-sa-ucsd-mult-vulns-UNfpdW4E)
code	# # (C) Tenable Network Security, Inc. # include('compat.inc'); if (description) { script_id(135766); script_version("1.3"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/08"); script_cve_id( "CVE-2020-3239", "CVE-2020-3240", "CVE-2020-3243", "CVE-2020-3247", "CVE-2020-3248", "CVE-2020-3249", "CVE-2020-3250", "CVE-2020-3251", "CVE-2020-3252" ); script_xref(name:"CISCO-BUG-ID", value:"CSCvs53493"); script_xref(name:"CISCO-BUG-ID", value:"CSCvs53496"); script_xref(name:"CISCO-BUG-ID", value:"CSCvs53500"); script_xref(name:"CISCO-BUG-ID", value:"CSCvs53502"); script_xref(name:"CISCO-BUG-ID", value:"CSCvs56399"); script_xref(name:"CISCO-BUG-ID", value:"CSCvs56400"); script_xref(name:"CISCO-BUG-ID", value:"CSCvs56401"); script_xref(name:"CISCO-BUG-ID", value:"CSCvs69022"); script_xref(name:"CISCO-BUG-ID", value:"CSCvs69171"); script_xref(name:"CISCO-BUG-ID", value:"CSCvt39489"); script_xref(name:"CISCO-BUG-ID", value:"CSCvt39526"); script_xref(name:"CISCO-BUG-ID", value:"CSCvt39535"); script_xref(name:"CISCO-BUG-ID", value:"CSCvt39555"); script_xref(name:"CISCO-BUG-ID", value:"CSCvt39561"); script_xref(name:"CISCO-BUG-ID", value:"CSCvt39565"); script_xref(name:"CISCO-BUG-ID", value:"CSCvt39575"); script_xref(name:"CISCO-BUG-ID", value:"CSCvt39580"); script_name(english:"Cisco UCS Director and Cisco UCS Director Express for Big Data Multiple Vuulnerabilities (cisco-sa-ucsd-mult-vulns-UNfpdW4E)"); script_set_attribute(attribute:"synopsis", value: "The remote host is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "According to its self-reported version, the remote host is running a version of Cisco UCS Director that is affected by multiple vulnerabilities in the REST API which allow a remote attacker to bypass authentication or conduct directory traversal attacks on an affected device, including the following: - An unauthenticated, remote attacker can bypass authentication and execute arbitrary actions with administrative privileges on an affected device due to insufficient access control validation. An attacker can exploit this vulnerability by sending a crafted request to the REST API, allowing the attacker to interact with the REST API with administrative privileges. (CVE-2020-3243) - An unauthenticated, remote attacker can execute arbitrary code with root privileges on the underlying operating system due to improper input validation. An attacker can exploit this by crafting a malicious file and sending it to the REST API. (CVE-2020-3240) - An unauthenticated, remote attacker can bypass authentication and execute API calls on an affected device due to insufficient access control validation. An attacker can exploit this by sending a request to the REST API endpoint in order to cause a potential Denial of Service (DoS) condition on the affected device. (CVE-2020-3250) Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number."); script_set_attribute(attribute:"see_also", value:"https://tools.cisco.com/bugsearch/bug/CSCvs53493"); script_set_attribute(attribute:"see_also", value:"https://tools.cisco.com/bugsearch/bug/CSCvs53496"); script_set_attribute(attribute:"see_also", value:"https://tools.cisco.com/bugsearch/bug/CSCvs53500"); script_set_attribute(attribute:"see_also", value:"https://tools.cisco.com/bugsearch/bug/CSCvs53502"); script_set_attribute(attribute:"see_also", value:"https://tools.cisco.com/bugsearch/bug/CSCvs56399"); script_set_attribute(attribute:"see_also", value:"https://tools.cisco.com/bugsearch/bug/CSCvs56400"); script_set_attribute(attribute:"see_also", value:"https://tools.cisco.com/bugsearch/bug/CSCvs56401"); script_set_attribute(attribute:"see_also", value:"https://tools.cisco.com/bugsearch/bug/CSCvs69022"); script_set_attribute(attribute:"see_also", value:"https://tools.cisco.com/bugsearch/bug/CSCvs69171"); script_set_attribute(attribute:"see_also", value:"https://tools.cisco.com/bugsearch/bug/CSCvt39489"); script_set_attribute(attribute:"see_also", value:"https://tools.cisco.com/bugsearch/bug/CSCvt39526"); script_set_attribute(attribute:"see_also", value:"https://tools.cisco.com/bugsearch/bug/CSCvt39535"); script_set_attribute(attribute:"see_also", value:"https://tools.cisco.com/bugsearch/bug/CSCvt39555"); script_set_attribute(attribute:"see_also", value:"https://tools.cisco.com/bugsearch/bug/CSCvt39561"); script_set_attribute(attribute:"see_also", value:"https://tools.cisco.com/bugsearch/bug/CSCvt39565"); script_set_attribute(attribute:"see_also", value:"https://tools.cisco.com/bugsearch/bug/CSCvt39575"); script_set_attribute(attribute:"see_also", value:"https://tools.cisco.com/bugsearch/bug/CSCvt39580"); # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ucsd-mult-vulns-UNfpdW4E script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?bbbadbc7"); script_set_attribute(attribute:"solution", value: "Apply the patch or upgrade to the version recommended in Cisco advisory."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-3243"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'Cisco UCS Director Cloupia Script RCE'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2020/04/15"); script_set_attribute(attribute:"patch_publication_date", value:"2020/04/15"); script_set_attribute(attribute:"plugin_publication_date", value:"2020/04/21"); script_set_attribute(attribute:"plugin_type", value:"combined"); script_set_attribute(attribute:"cpe", value:"cpe:/a:cisco:ucs_director"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"CISCO"); script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("cisco_ucs_director_detect.nbin"); script_require_keys("Host/Cisco/UCSDirector/version"); exit(0); } include('vcf.inc'); app_info = vcf::get_app_info(app:'Cisco UCS Director', kb_ver:'Host/Cisco/UCSDirector/version'); fix = '6.7.4.0'; constraints = [ { 'equal' : '6.0.0.0', 'fixed_display': fix}, { 'equal' : '6.0.0.1', 'fixed_display': fix}, { 'equal' : '6.0.1.0', 'fixed_display': fix}, { 'equal' : '6.0.1.1', 'fixed_display': fix}, { 'equal' : '6.0.1.2', 'fixed_display': fix}, { 'equal' : '6.0.1.3', 'fixed_display': fix}, { 'equal' : '6.5.0.0', 'fixed_display': fix}, { 'equal' : '6.5.0.1', 'fixed_display': fix}, { 'equal' : '6.5.0.2', 'fixed_display': fix}, { 'equal' : '6.5.0.3', 'fixed_display': fix}, { 'equal' : '6.5.0.4', 'fixed_display': fix}, { 'equal' : '6.6.0.0', 'fixed_display': fix}, { 'equal' : '6.6.1.0', 'fixed_display': fix}, { 'equal' : '6.6.2.0', 'fixed_display': fix}, { 'equal' : '6.7.0.0', 'fixed_display': fix}, { 'equal' : '6.7.1.0', 'fixed_display': fix}, { 'equal' : '6.7.2.0', 'fixed_display': fix}, { 'equal' : '6.7.3.0', 'fixed_display': fix} ]; vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);

Packetstorm

data source	https://packetstormsecurity.com/files/download/157955/cisco_ucs_cloupia_script_rce.rb.txt
id	PACKETSTORM:157955
last seen	2020-06-06
published	2020-06-05
reporter	mr_me
source	https://packetstormsecurity.com/files/157955/Cisco-UCS-Director-Cloupia-Script-Remote-Code-Execution.html
title	Cisco UCS Director Cloupia Script Remote Code Execution

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

Metasploit

Nessus

Packetstorm

References