Multiple Vulnerabilities in Cisco Unified Computing System

2013-04-24T16:00:00
ID CISCO-SA-20130424-UCSMULTI
Type cisco
Reporter Cisco
Modified 2013-06-06T20:24:59

Description

Cisco UCS Manager contains a buffer overflow vulnerability in the Intelligent Platform Management Interface (IPMI) implementation that is hosted on the Cisco UCS Fabric Interconnect. An unauthenticated, remote attacker who can submit a properly malformed request to the IPMI service via UDP port 623 could trigger a buffer overflow. This could allow the attacker to execute arbitrary code with elevated privileges.

This vulnerability does not require a TCP three-way handshake to exploit because the service runs over UDP.

Cisco UCS Manager contains a denial of service vulnerability in the management API. An unauthenticated, remote attacker who can submit a properly malformed request to the XML API management service of the Cisco UCS Manager could cause the service to stop responding. As a result, administrators could not make configuration changes or perform management actions on the Fabric Interconnect and computing resources managed by the device. A restart of the Fabric Interconnect is required to restore functionality.

Cisco UCS Manager contains an LDAP authentication bypass vulnerability. This vulnerability could allow an unauthenticated, remote attacker who can access the Cisco UCS Manager Web Console to authenticate as a specific user without providing valid authentication credentials. To exploit the vulnerability the attacker would need to submit a malformed request to a Cisco UCS Manager login page designed to leverage this vulnerability.

Only Cisco UCS systems that have been configured for direct LDAP integration are affected and certain LDAP options must be enabled on the LDAP server the Cisco UCS Manager is authenticating against. The vulnerability does not affect other authentication methods such as local, RADIUS, authentication, authorization, and accounting (AAA), or TACACS+.

Cisco UCS Manager contains an information disclosure vulnerability. An unauthenticated, remote attacker could access technical support or local backup files that were created by a device administrator. The attacker would need to access the web interface of the Cisco UCS Manager to exploit this vulnerability.

The files that the attacker could access contain sensitive information that could lead to the complete compromise of an affected Cisco UCS platform. The attacker must know the naming convention used by the administrator as well as the date that the files were created. These files are not automatically created on a device, but occur when an administrator creates a tech support bundle file or performs an on-device configuration backup.

Cisco UCS platforms contain an IP keyboard, video, mouse (KVM) authentication bypass vulnerability. An unauthenticated, remote attacker who can send a malicious KVM authentication request to the Cisco IMC of a managed computing resource could bypass authentication and access to the IP KVM console of the physical or virtual device. This vulnerability could also allow an unauthenticated, remote attacker to join an existing, active IP KVM session if the active owner confirms the request or fails to respond to the request within 60 seconds.

Managed and standalone Cisco Unified Computing System (UCS) deployments contain one or more of the vulnerabilities:

Cisco Unified Computing System LDAP User Authentication Bypass Vulnerability
Cisco Unified Computing System IPMI Buffer Overflow Vulnerability
Cisco Unified Computing Management API Denial of Service Vulnerability
Cisco Unified Computing System Information Disclosure Vulnerability
Cisco Unified Computing System KVM Authentication Bypass Vulnerability

Cisco has released software updates that address these vulnerabilities. These vulnerabilities affect only Cisco UCS. Additional vulnerabilities that affect the NX-OS base operating system of UCS are described in Multiple Vulnerabilities in Cisco NX-OS-Based Products.

This advisory is available at the following link:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130424-ucsmulti["http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130424-ucsmulti"]